{
	"id": "ebcd0dc0-6ecd-4065-8485-1b56d73755dd",
	"created_at": "2026-04-06T00:21:08.119517Z",
	"updated_at": "2026-04-10T03:24:24.727684Z",
	"deleted_at": null,
	"sha1_hash": "c203fc2ef4b7f0e85c08c0e8e5c3bf65fd4988cf",
	"title": "A Deep Dive into Brute Ratel C4 payloads – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5287752,
	"plain_text": "A Deep Dive into Brute Ratel C4 payloads – CYBER GEEKS\r\nPublished: 2023-08-31 · Archived: 2026-04-05 20:01:13 UTC\r\nSummary\r\nBrute Ratel C4 is a Red Team \u0026 Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. There aren’t a lot of Brute Ratel samples available in the wild. The malware implements the API hashing technique and embeds a configuration that contains the C2 server, the user-agent used during the network communications, a password used for authentication with the C2 server, and a key used for encrypting data transmitted to the C2 server. The badger takes control of the infected machine by executing 63 different commands issued by the C2 server. The first 20 commands will be described in this blog post, while the rest of them will be detailed in an upcoming blog post.\r\nTechnical analysis\r\nSHA256: d71dc7ba8523947e08c6eec43a726fe75aed248dfd3a7c4f6537224e9ed05f6f\r\nThis is a 64-bit executable. The malware pushes the code to be executed onto the stack in order to evade Antivirus and EDR software:\r\nFigure 1\r\nIt implements the API hashing technique, which uses the “ROR EDI,0xD” instruction to compute 4-byte hashes that are compared with pre-computed ones (Figure 2).\r\nhttps://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/\r\nPage 1 of 17\n\nFigure 2\r\nThe VirtualAllocEx API is used to allocate a new memory area that will store a DLL file (0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE):\r\nFigure 3\r\nThe Brute Ratel C4 configuration is stored in clear text; however, in recent versions, the config is encrypted and Base64-encoded. 
It contains the C2 IP address and port number, the user-agent used during the network communications, a password used to authenticate with the C2 server, a key used to encrypt data transmitted to the C2 server, and the URI:\r\nFigure 4\r\nFigure 5\r\nA thread that executes the entry point of the new DLL is created via a function call to CreateRemoteThread:\r\nFigure 6\r\nThe process extracts a pointer to the PEB from gs:[0x60] and another one to the PEB_LDR_DATA structure (+0x18), which contains information about the loaded DLLs. The InMemoryOrderModuleList doubly-linked list contains the loaded DLLs for the current process:\r\nFigure 7\r\nThe malicious binary allocates new memory for another DLL that implements the main functionality using VirtualAlloc:\r\nFigure 8\r\nLoadLibraryA is utilized to load multiple DLLs into the address space of the current process:\r\nFigure 9\r\nThe malware retrieves the addresses of the relevant functions by calling the GetProcAddress method:\r\nFigure 10\r\nThe binary flushes the instruction cache for the current process using the NtFlushInstructionCache function (see Figure 11).\r\nFigure 11\r\nFinally, the malware passes the execution flow to the newly constructed DLL:\r\nFigure 12\r\nAs we can see below, one of the DLL’s exported functions is called “badger_http_1”, which reveals a Brute Ratel agent/badger.\r\nFigure 13\r\nFigure 14\r\nThe FreeConsole method is used to detach the process from its console:\r\nFigure 15\r\nThe DLL repeats the process of finding function addresses, as highlighted in Figure 16.\r\nFigure 16\r\nThe process extracts the system time and passes the 
result to the srand function:\r\nFigure 17\r\nThe atoi method is utilized to convert the port number to an integer:\r\nFigure 18\r\nThe malicious process creates an unnamed mutex object by calling the CreateMutexA API, as displayed in Figure 19.\r\nFigure 19\r\nGetUserNameW is used to obtain the username associated with the current thread:\r\nFigure 20\r\nGetComputerNameExW is used to obtain the NetBIOS name associated with the local machine:\r\nFigure 21\r\nThe badger retrieves a pseudo handle for the current process using GetCurrentProcess:\r\nFigure 22\r\nThe OpenProcessToken API is utilized to open the access token associated with the process (0x8 = TOKEN_QUERY):\r\nFigure 23\r\nThe malware verifies if the token is elevated using the GetTokenInformation method (0x14 = TokenElevation):\r\nFigure 24\r\nIt obtains the current process ID via a function call to GetCurrentProcessId:\r\nFigure 25\r\nGetModuleFileNameW is utilized to extract the path of the executable file of the process:\r\nFigure 26\r\nThe above path is Base64-encoded using the CryptBinaryToStringW API (0x40000001 = CRYPT_STRING_NOCRLF | CRYPT_STRING_BASE64):\r\nFigure 27\r\nThe process retrieves version information about the current operating system using RtlGetVersion:\r\nFigure 28\r\nThe WSAStartup function initiates the use of the Winsock DLL by the current process:\r\nFigure 29\r\nThe badger constructs a JSON that stores the password extracted from the configuration, the computer name, the OS version, the Base64-encoded executable path, the username, and the process ID:\r\nFigure 30\r\nThe JSON is encrypted using the XOR operator (key = “abcd@123” from configuration) and transformed by other operations:\r\nFigure 31\r\nFigure 
32\r\nFigure 33\r\nThe user-agent passed to the InternetOpenW function seems to indicate that the product was used by Deloitte China (Figure 34).\r\nFigure 34\r\nThe process connects to the C2 server on port 80 by calling the InternetConnectW function:\r\nFigure 35\r\nIt creates a POST request to the “/content.php” resource using HttpOpenRequestW, as displayed below.\r\nFigure 36\r\nThe security flags for the handle are changed using the InternetSetOptionW API (0x1100 = SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_UNKNOWN_CA):\r\nFigure 37\r\nHttpAddRequestHeadersW can be used to add one or more HTTP request headers to the handle; however, the second parameter is NULL during the malware’s execution (0x20000000 = HTTP_ADDREQ_FLAG_ADD):\r\nFigure 38\r\nThe process encodes the encrypted JSON using Base64 and exfiltrates the resulting data using HttpSendRequestW:\r\nFigure 39\r\nIt verifies whether the C2 server sends any data back via a function call to InternetQueryDataAvailable:\r\nFigure 40\r\nThe C2 server’s response is read using InternetReadFile:\r\nFigure 41\r\nThe response is Base64-decoded and decrypted using the same key that was previously mentioned. The “auth” field is set to the decrypted information, and another request is made to the C2 server, asking for commands:\r\nFigure 42\r\nFakeNet-NG was used to simulate the network communications with the C2 server. After decoding and decrypting the response, the first 2 bytes represent the command to be executed, followed by additional parameters if necessary. 
A new thread handles the command execution:\r\nFigure 43\r\nWe’ll now describe the commands that can be issued by the C2 server.\r\n0x2C74 ID – Exfiltrate file content to the C2 server\r\nThe PathFileExistsA API is utilized to confirm if the target file exists on the system:\r\nFigure 44\r\nThe file is opened via a function call to CreateFileA (0x80000000 = GENERIC_READ, 0x1 = FILE_SHARE_READ, 0x3 = OPEN_EXISTING):\r\nFigure 45\r\nThe content is read by calling the ReadFile method, as shown in Figure 46.\r\nFigure 46\r\nThe data is sent to the C2 server along with the “[+] Download complete” message or the message shown in the figure below.\r\nFigure 47\r\n0xA905 ID – Copy files\r\nThe malware copies an existing file to a new file using CopyFileA:\r\nFigure 48\r\n0x9B84 ID – Move files\r\nThe process moves an existing file to another using the MoveFileA function (Figure 49).\r\nFigure 49\r\n0x13A1 ID – Create files and populate them with content received from the C2 server\r\nFirstly, the file is created via a function call to CreateFileA:\r\nFigure 50\r\nThe received data is Base64-decoded using CryptStringToBinaryA and written to the file:\r\nFigure 51\r\n0xE993 ID – Delete files\r\nDeleteFileA is used to delete the target files, as highlighted below:\r\nFigure 52\r\n0x0605 ID – Close handles\r\nThe badger closes an object handle (e.g. a 
file or process handle) using the CloseHandle API:\r\nFigure 53\r\n0x3F61 ID – Create directories\r\nThe malicious binary has the ability to create directories using the CreateDirectoryA method:\r\nFigure 54\r\n0x1139 ID – Change the current directory for the process\r\nSetCurrentDirectoryA is utilized to perform the desired operation (see Figure 55).\r\nFigure 55\r\n0x3C9F ID – Obtain the current directory for the process\r\nThe malware extracts the current directory for the process by calling the GetCurrentDirectoryW API:\r\nFigure 56\r\n0x8F40 ID – Delete directories\r\nThe process deletes a target directory using RemoveDirectoryA, which succeeds only if the directory is empty:\r\nFigure 57\r\n0x0A32 ID – Retrieve the Last-Write time for files/directories\r\nThe files are enumerated in the current directory using the FindFirstFileW and FindNextFileW functions:\r\nFigure 58\r\nFigure 59\r\nFor each file or directory that matches the pattern, the binary calls the CreateFileW API:\r\nFigure 60\r\nThe process retrieves the Last-Write time via a function call to GetFileTime:\r\nFigure 61\r\nThe file time is converted to system time format using FileTimeToSystemTime:\r\nFigure 62\r\nFinally, the above time is converted to the currently active time zone:\r\nFigure 63\r\n0x3D1D ID – Change the Desktop wallpaper\r\nThe malicious process opens the “TranscodedWallpaper” file that contains the Desktop wallpaper:\r\nFigure 64\r\nThe above file is filled with content received from the C2 server (Figure 65).\r\nFigure 65\r\nThe SystemParametersInfoA method is utilized to change the Desktop wallpaper (0x14 = SPI_SETDESKWALLPAPER, 0x1 = SPIF_UPDATEINIFILE):\r\nFigure 66\r\n0xD53F ID – Retrieve the username\r\nThis command is used to obtain the username associated with the current thread:\r\nFigure 67\r\n0x0609 ID – Retrieve the 
available disk drives\r\nThe malware extracts a bitmask that contains the available disk drives by calling the GetLogicalDrives API, as shown in Figure 68.\r\nFigure 68\r\n0xC144 ID – Extract all device drivers\r\nEnumDeviceDrivers is utilized to obtain the load address for all device drivers:\r\nFigure 69\r\nUsing the above address, the process retrieves the name of the device driver by calling the GetDeviceDriverBaseNameA method:\r\nFigure 70\r\n0x0A01 ID – Compute the number of minutes that have elapsed since the system was started\r\nThe GetTickCount function is used to extract the number of milliseconds elapsed since boot, and a simple calculation converts them to minutes (see Figure 71).\r\nFigure 71\r\n0x73E6 ID – Argument Spoofing\r\nThe badger has the ability to hide the arguments by modifying the process environment block (PEB):\r\nFigure 72\r\n0x8AFA ID – Parent PID Spoofing\r\nThis command can be used to spoof the parent process ID in order to evade EDR software or other solutions:\r\nFigure 73\r\n0xC929 ID – Extract child process name\r\nThe binary can spawn multiple child processes, which can be listed using this command (Figure 74).\r\nFigure 74\r\n0x9E72 ID – Display pipe name\r\nThe malware displays the name of a previously created pipe:\r\nFigure 75\r\nThe other 30 relevant commands will be detailed in a second blog post.\r\nINDICATORS OF COMPROMISE\r\nSHA256: d71dc7ba8523947e08c6eec43a726fe75aed248dfd3a7c4f6537224e9ed05f6f\r\nC2 server: 45.77.172.28\r\nUser-agent: trial@deloitte.com.cn\r\nReferences\r\nMSDN: https://docs.microsoft.com/en-us/windows/win32/api/\r\nFakeNet-NG: https://github.com/mandiant/flare-fakenet-ng\r\nUnit42: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\r\nSource: 
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/"
	],
	"report_names": [
		"a-deep-dive-into-brute-ratel-c4-payloads"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434868,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c203fc2ef4b7f0e85c08c0e8e5c3bf65fd4988cf.pdf",
		"text": "https://archive.orkl.eu/c203fc2ef4b7f0e85c08c0e8e5c3bf65fd4988cf.txt",
		"img": "https://archive.orkl.eu/c203fc2ef4b7f0e85c08c0e8e5c3bf65fd4988cf.jpg"
	}
}