{
	"id": "841478cc-6924-434c-aa43-6fed3d782263",
	"created_at": "2026-04-10T03:21:39.836871Z",
	"updated_at": "2026-04-10T03:22:18.30812Z",
	"deleted_at": null,
	"sha1_hash": "84780244e8ffffed3ca8e8360e2885d77334a4b7",
	"title": "A Deep Dive into Brute Ratel C4 payloads – Part 2 – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7339019,
	"plain_text": "A Deep Dive into Brute Ratel C4 payloads – Part 2 – CYBER GEEKS\r\nPublished: 2023-09-27 · Archived: 2026-04-10 02:17:45 UTC\r\nSummary\r\nBrute Ratel C4 is a Red Team \u0026 Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. There aren’t a lot of Brute Ratel samples available in the wild. This second part of the analysis presents the remaining commands executed by the agent. The commands include: user impersonation, injecting shellcode into processes, creating and stopping processes, extracting information about processes and services, creating TCP listeners, blocking keyboard and mouse input events, extracting Windows registry keys and values, and others. You can consult the first part of the analysis here.\r\nTechnical analysis\r\nSHA256: d71dc7ba8523947e08c6eec43a726fe75aed248dfd3a7c4f6537224e9ed05f6f\r\nWe continue to describe the commands that can be used by the Brute Ratel agent.\r\n0x0703 ID – Stop the current process\r\nThe malware stops the current process by calling the ExitProcess API:\r\nFigure 1\r\n0x6BAE/0x6F39 ID – User impersonation\r\nThe binary retrieves a pseudo handle for the current process using GetCurrentProcess:\r\nFigure 2\r\nOpenProcessToken is utilized to open the access token associated with the process (0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY):\r\nFigure 3\r\nThe process extracts the locally unique identifier (LUID) for the “SeDebugPrivilege” privilege (Figure 4).\r\nhttps://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/\r\nPage 1 of 19\n\nFigure 4\r\nThe executable enables the above privilege via a function call to AdjustTokenPrivileges:\r\nFigure 5\r\nThe running processes are enumerated using the Process32FirstW and Process32NextW functions:\r\nFigure 6\r\nFigure 7\r\nThe agent is looking for the “LogonUI.exe”, “winlogon.exe”, and “lsass.exe” processes:\r\nFigure 8\r\nIt opens the first process found using the OpenProcess method (0x400 = PROCESS_QUERY_INFORMATION):\r\nFigure 9\r\nImpersonateLoggedOnUser is used to impersonate the security context of the user extracted from the process identified above:\r\nFigure 10\r\nIn order to confirm that the operation was successful, the malware calls the GetUserNameW API (see Figure 11).\r\nFigure 11\r\nThe message displayed in Figure 12 will be sent to the C2 server:\r\nFigure 12\r\nOn another branch, the binary calls the DuplicateTokenEx method in order to duplicate the access token extracted from “winlogon.exe” or “lsass.exe”. Finally, a new process is created using CreateProcessWithTokenW.\r\n0xA86A ID – Inject code into a remote process\r\nThe malicious executable converts the process ID passed as a parameter using atoi:\r\nFigure 13\r\nThe shellcode to be executed is Base64-decoded by calling the CryptStringToBinaryA API (0x1 = CRYPT_STRING_BASE64):\r\nFigure 14\r\nThe badger opens the target process using OpenProcess (0x1F0FFF = PROCESS_ALL_ACCESS):\r\nFigure 15\r\nVirtualAllocEx is utilized to allocate a new memory area in the remote process (0x3000 = MEM_COMMIT | MEM_RESERVE, 0x4 = PAGE_READWRITE):\r\nFigure 16\r\nThe malware writes the shellcode to the above area via a function call to WriteProcessMemory, as shown in Figure 17.\r\nFigure 17\r\nThe page’s protection is changed using the VirtualProtectEx API (0x20 = PAGE_EXECUTE_READ):\r\nFigure 18\r\nFinally, the binary creates a thread in the remote process that executes the shellcode:\r\nFigure 19\r\n0xE9B0 ID – Create a process and read its output via a pipe\r\nThe agent creates an anonymous pipe using the CreatePipe method:\r\nFigure 20\r\nThe pipe is set to be inherited via a call to SetHandleInformation (0x1 = HANDLE_FLAG_INHERIT):\r\nFigure 21\r\nThe malicious executable creates a process specified by the C2 server using the CreateProcessA API, as shown in the figure below.\r\nFigure 22\r\nThe process’ output that resides in the anonymous pipe is copied into a buffer by calling PeekNamedPipe (Figure 23).\r\nFigure 23\r\nThe output is read using ReadFile and then transmitted to the C2 server:\r\nFigure 24\r\n0x91B3 ID – Inject code into the current process\r\nThe CryptStringToBinaryA method is utilized to decode from Base64 the shellcode that will be executed:\r\nFigure 25\r\nThe agent creates a named pipe (0x80000003 = FILE_FLAG_WRITE_THROUGH | PIPE_ACCESS_DUPLEX):\r\nFigure 26\r\nA new thread is created using the CreateThread function. In this thread, the malware connects to the pipe and reads data using the ConnectNamedPipe and ReadFile methods:\r\nFigure 27\r\nFigure 28\r\nVirtualAllocEx is used to allocate a new memory area in the current process:\r\nFigure 29\r\nThe shellcode is copied into the new area and its page is made executable, as highlighted below:\r\nFigure 30\r\nA new thread runs the shellcode copied earlier:\r\nFigure 31\r\n0x1719 ID – Enable SeDebugPrivilege\r\nThe malicious process calls the LookupPrivilegeValueA function with the “SeDebugPrivilege” parameter:\r\nFigure 32\r\nThe PrivilegeCheck API is utilized to determine if the above privilege is enabled in the access token:\r\nFigure 33\r\nThe message displayed in Figure 34 will be sent to the C2 server as a confirmation.\r\nFigure 34\r\n0x4FFE ID – Extract the status of the token’s privileges\r\nThe badger obtains the TOKEN_PRIVILEGES structure that contains the privileges of the token using GetTokenInformation (see Figure 35).\r\nFigure 35\r\nIt retrieves the name of the privileges represented by a locally unique identifier (LUID) via a function call to LookupPrivilegeNameW:\r\nFigure 36\r\nThe list of privileges and their status is written in memory. The following statuses can be specified: “[+] %-50ls Enabled (Default)”, “[+] %-50ls Enabled (Adjusted)”, “[+] %-50lsDisabled\\n”, “[+] Elevated”, or “[+] Restricted”.\r\nFigure 37\r\n0x9DE0 ID – Extract Username, PPID, PID, and Executable path for every running process\r\nThe binary obtains a snapshot of all processes in the system using CreateToolhelp32Snapshot. It enumerates them using the Process32FirstW and Process32NextW methods:\r\nFigure 38\r\nFigure 39\r\nThe agent tries to open the local process object using OpenProcess (0x410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ):\r\nFigure 40\r\nFor each access token extracted from the processes, the executable calls the GetTokenInformation function and retrieves the user account of the token (Figure 41).\r\nFigure 41\r\nThe malware extracts the name of the account for the security identifier (SID) and the first domain on which the SID is found:\r\nFigure 42\r\n0xEBC0 ID – Kill processes\r\nThe target process is opened via a function call to OpenProcess (0x1 = PROCESS_TERMINATE):\r\nFigure 43\r\nThe process is killed using the TerminateProcess API:\r\nFigure 44\r\n0xF584 ID – Create a new process using the Domain, Username, and Password received from the C2 server\r\nThe binary spawns a new process using the CreateProcessWithLogonW method. The parameters are modified according to the command’s arguments:\r\nFigure 45\r\n0xBED0 ID – Execute the “open”, “runas”, or “print” command\r\nThe first parameter is compared with the above commands, as shown in Figure 46.\r\nFigure 46\r\nWe could use the runas command to spawn a cmd.exe process:\r\nFigure 47\r\nGetProcessId is utilized to obtain the PID of the newly created process:\r\nFigure 48\r\n0xE2EA ID – Copy bytes into memory\r\nThe second parameter is Base64-decoded by calling the CryptStringToBinaryA API:\r\nFigure 49\r\nThe address containing the resulting bytes is stored in a table that contains function pointers (see Figure 50).\r\nFigure 50\r\nDepending on the number of bytes, the malware will send the “[+] Imported %d bytes” message to the C2 server:\r\nFigure 51\r\n0x6154 ID – Free the pointer storing the address of the imported bytes\r\nThe agent calls the free function with the pointer displayed in the above command. The message shown below is transmitted to the C2 server.\r\nFigure 52\r\n0x699A ID – Create a TCP listener\r\nThe process creates a new thread that is responsible for the listener creation:\r\nFigure 53\r\nIt calls the getaddrinfo method with the port number and the first parameter being NULL, which returns all registered addresses on the local machine:\r\nFigure 54\r\nThe badger creates a TCP socket (0x2 = AF_INET, 0x1 = SOCK_STREAM, 0x6 = IPPROTO_TCP):\r\nFigure 55\r\nThe bind function is used to associate the local address with the socket, as highlighted below:\r\nFigure 56\r\nThe malware starts listening on the port specified in the command’s arguments (in our case, 8888):\r\nFigure 57\r\nFinally, the accept method is utilized to allow incoming connection attempts (Figure 58).\r\nFigure 58\r\nThe IP address from the connection is converted into an ASCII string in dotted-decimal format:\r\nFigure 59\r\nA new thread that handles the receive operation is created:\r\nFigure 60\r\nFigure 61\r\n0xB458 ID – Extract information about Windows services\r\nThe binary opens the service control manager on the local machine using OpenSCManagerA (0x4 = SERVICE_QUERY_STATUS):\r\nFigure 62\r\nEnumServicesStatusW is used to enumerate all services in the database (0x30 = SERVICE_WIN32, 0x3 = SERVICE_STATE_ALL):\r\nFigure 63\r\nFor every service, the malware calls the OpenServiceW API (0x1 = SERVICE_QUERY_CONFIG):\r\nFigure 64\r\nThe agent extracts the configuration parameters of the service using QueryServiceConfigW. The following fields are relevant: display name, service name, service state, service path, service user, and service type.\r\nFigure 65\r\n0xE3CB ID – Retrieve information about Domain Controllers and policies\r\nThe malicious executable obtains the name of a domain controller via a function call to DsGetDcNameW, as displayed in Figure 66.\r\nFigure 66\r\nThe DsGetDcOpenW API is utilized to open a new domain controller enumeration operation (0x2 = DS_NOTIFY_AFTER_SITE_RECORDS):\r\nFigure 67\r\nThe badger extracts the global password parameters and lockout information by calling the NetUserModalsGet function. The information is organized using the following structure:\r\nFigure 68\r\n0x0105 ID – Extract data from the clipboard\r\nThe process opens the clipboard by calling the OpenClipboard method:\r\nFigure 69\r\nThe data is obtained from the clipboard in the Unicode format (0xD = CF_UNICODETEXT):\r\nFigure 70\r\n0x0B06 ID – Convert the time of the last input event into minutes\r\nThe binary obtains the number of milliseconds elapsed since the system was started using GetTickCount:\r\nFigure 71\r\nGetLastInputInfo is used to retrieve the time of the last input event:\r\nFigure 72\r\n0xB63A ID – Block keyboard and mouse input events\r\nThe BlockInput method is used to perform the operation, as displayed in the figure below.\r\nFigure 73\r\n0x0391 ID – Lock the workstation’s display\r\nLockWorkStation is utilized to lock the display (see Figure 74).\r\nFigure 74\r\n0xF999 ID – Impersonate the context of a logged-on user\r\nThe badger attempts to log a user on to the local machine via a call to LogonUserA (0x2 = LOGON32_LOGON_INTERACTIVE):\r\nFigure 75\r\nThe binary impersonates the context of the above user using the ImpersonateLoggedOnUser function:\r\nFigure 76\r\n0xA959 ID – Retrieve information about users\r\nThe first parameter is compared with “user” and “users”. In the first case, the malware calls the NetUserGetInfo API to obtain information about the user account:\r\nFigure 77\r\nThe information is organized in the following manner:\r\nFigure 78\r\nIn the second case, the agent retrieves information about all user accounts on the local computer (0x2 = FILTER_NORMAL_ACCOUNT):\r\nFigure 79\r\n0x6C36 ID – Extract registry keys and values\r\nThe first argument can be “hklm”, “hkcu”, “root”, “config”, or “users”. These are Windows registry hives.\r\nThe registry key passed as the second argument is opened using the RegOpenKeyExA method (0x20019 = KEY_READ):\r\nFigure 80\r\nThe malicious process retrieves information about the registry key by calling the RegQueryInfoKeyW function:\r\nFigure 81\r\nIt enumerates the subkeys of the key using RegEnumKeyExW (Figure 82).\r\nFigure 82\r\nFor each of the subkeys, the malware calls the RegEnumValueW API in order to enumerate the registry values:\r\nFigure 83\r\nFinally, the type and data for all registry values identified are extracted:\r\nFigure 84\r\n0x9C41 ID – Take a screenshot and send it to the C2 server\r\nThe GdiplusStartup function initializes Windows GDI+ (see Figure 85).\r\nFigure 85\r\nThe agent retrieves a handle to the desktop window via a call to GetDesktopWindow:\r\nFigure 86\r\nIt obtains the number of adjacent color bits for each pixel for the device context (DC) of the above window (0xC = BITSPIXEL):\r\nFigure 87\r\nThe BitBlt method is used to capture the image:\r\nFigure 88\r\nThe malware creates a Bitmap object based on a handle to a Windows GDI bitmap and a handle to a GDI palette:\r\nFigure 89\r\nThe process calls the CLSIDFromString function with the “1d5be4b5-fa4a-452d-9cdd-5db35105e7eb” CLSID – Quality field:\r\nFigure 90\r\nGdipSaveImageToStream is utilized to save the screenshot to a stream (see Figure 91). The name of the image is derived from the current date and time.\r\nFigure 91\r\n0x3C4D ID – Read content from pipe and send it to the C2 server. Write server’s response to the pipe\r\nThe agent opens an existing pipe using the CreateFileA API (0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING):\r\nFigure 92\r\nThe malware modifies the read and the blocking mode via a function call to SetNamedPipeHandleState (0x0 = PIPE_READMODE_BYTE | PIPE_WAIT):\r\nFigure 93\r\nThe pipe’s content is read using the ReadFile method:\r\nFigure 94\r\nThe content is exfiltrated to the C2 server, and the server’s response is written back to the pipe.\r\n0x2129 ID – Write two numbers into memory\r\nThe command takes two parameters and writes them in the following format:\r\nFigure 95\r\nFigure 96\r\nINDICATORS OF COMPROMISE\r\nSHA256: d71dc7ba8523947e08c6eec43a726fe75aed248dfd3a7c4f6537224e9ed05f6f\r\nC2 server: 45.77.172.28\r\nUser-agent: trial@deloitte.com.cn\r\nReferences\r\nMSDN: https://docs.microsoft.com/en-us/windows/win32/api/\r\nFakeNet-NG: https://github.com/mandiant/flare-fakenet-ng\r\nUnit42: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\r\nMDSec: https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/\r\nSource: https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/"
	],
	"report_names": [
		"a-deep-dive-into-brute-ratel-c4-payloads-part-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775791299,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84780244e8ffffed3ca8e8360e2885d77334a4b7.pdf",
		"text": "https://archive.orkl.eu/84780244e8ffffed3ca8e8360e2885d77334a4b7.txt",
		"img": "https://archive.orkl.eu/84780244e8ffffed3ca8e8360e2885d77334a4b7.jpg"
	}
}