BRUTERATEL AVAILABLE COMMANDS
updated 27/04/2025
Context
BruteRatel SHA256 : d8080b4f7a238f28435649f74fdd5679f7f7133ea81d12d9f10b05017b0897b1
Sample Source :
bazaar.abuse.ch
VirusTotal :
VirusTotal
Network / C2 :
http://tiguanin[.]com/bazar.php:8041
http://tiguanin[.]com/admin.php:8041
http://bazarunet[.]com/admin.php:8041
http://bazarunet[.]com/bazar.php:8041
http://greshunka[.]com/bazar.php:8041
http://greshunka[.]com/admin.php:8041
| Command ID | Description | Parameter |
|---|---|---|
| “\x9f\x3c” | GetCurrentDirectory | NA |
| “\x3f\xd5” | GetIpTable | NA |
| “\xfe\x4f” | GetAccountPrivileges | NA |
| “\x91\x03” | LockWorkStation | NA |
| “\x09\x06” | GetLogicalDrives | NA |
| “\x01\x0a” | GetSystemUptime | NA |
| “\x06\x0b” | GetLastInputInfo | NA |
| “\x03\x07” | ExitProcess | NA |
| “\x05\x06” | RevertToSelf | NA |
| “\x05\x01” | GetClipBoardData | NA |
| “\x44\xc1” | EnumDevicesDrivers | NA |
| “\x41\x9c” | Screenshot | NA |
| “\xcb\xe3” | GetDomainControlerInfo | NA |
| “\x16\xf6” | GetNetworkAdaptersInfo | NA |
| “\x03\x08” | ExitThread | NA |
| “\x34\x49” | GetMemoryDump | $processname |
| “\x39\xb3” | GetTcpUdpTables | NA |
| “\x1a\xd4” | GetIpForwardTable | NA |
| “\x9a\xbe” | QuerySessionInformation | NA |
| “\xb7\x38” | GetDnsCacheDataTable | NA |
| “\x48\x52” | Fingerprint | NA |
| “\x35\x61” | EnumWindows | NA |
| “\xe8\x73” | GetInstalledProgramsList | NA |
| “\xa3\xd9” | RegisterSessionPowerSettingNotification | NA |
| “\x59\xd3” | recv | $label $hostname $port |
| “\x59\xd4” | sendto | $label $hostname $port $b64_data |
| “\x60\xd4” | send | $socket, $b64_data |
| “\x59\xd9” | closesocket | $socket |
| “\xa1\x2d” | start_keylogging | NA |
| “\x29\x21” | update_sleep_conf | $int1, $int2 |
| “\x39\x11” | SetCurrentDirectory | $dir_path |
| “\x05\xa9” | CopyFileW | $src, $dst |
| “\x05\xa9” | MoveFileW | $src, $dst |
| “\x93\xe9” | DeleteFileSecure | $dos_path, $secure_erase |
| “\x61\x3f” | CreateDirectoryW | $dir_path |
| “\x40\x8f” | RemoveDirectoryW | $dir_path |
| “\x32\x0a” | listdir | $dir_path |
| “\x59\xa9” | NetInfo | $option, $parameters |
| “\x84\xf5” | CreateProcessWithLogon | $domain $username $password $AppName $CommandLine |
| “\x99\xf9” | LogonUserW | $type, $domain, $username, $password |
| “\xb0\xe9” | CreateProcessA | $process_path |
| “\xc0\xeb” | TerminateProcess | $pid |
| “\xd0\xbe” | ShellExecuteExA | $verb, $file, $parameters |
| “\xe0\x9d” | ListActiveProcess | NA |
| “\xae\x6b” | ImpersonateSystem | NA |
| “\x39\x6f” | ImpersonateSystem2 | NA |
| “\xd9\xf3” | CreateProcessGetPidTid | $p1, $p2 |
| “\xd4\x3f” | CreateProcessGetPidTid2 | $p1, $p2 |
| “\x74\x2c” | ReadFileW | $filename, $size_in_KB |
| “\x36\x6c” | RegEnumKeyA | $hKey, $SubKey |
| “\x58\xb4” | QueryServiceConfig | $MachineName, $p2, $ServiceName |
| “\xea\xe2” | test_base64_decode | $p1 |
| “\xa1\x13” | WriteFile | $filename, $data |
| “\x9a\x69” | listen | $label, $port |
| “\x4d\x3c” | pipe_com_todo | $PipeName $p2 |
| “\x37\xfe” | install_as_service | $MachineName, $serviceName, $payload |
| “\xe9\x97” | createService | $MachineName, $serviceName, $path |
| “\x73\xfa” | deleteService | $MachineName, $serviceName |
| “\x3e\x3b” | changeServiceConfig | $MachineName, $serviceName, $BinaryPathName |
| “\x62\xc6” | GetProcessInfo | $processName |
| “\x91\xe5” | port_scan | $hostname, $ports |
| “\x81\x98” | DCSync | $Admin, $DomainName |
| “\x53\x49” | netshareenum | $servername, $level |
| “\x13\x52” | ExecWQLQuery | $query |
| “\xe7\x81” | GetAccountSidFromPid | $pid |
| “\x56\xf8 | unknown | $p1 |
| “\x46\xcb” | unknown2 | $p1 |
| “\x32\x49” | unknown3 | NA |
| “\x92\x64” | EnumProcessModules | $pid |
| “\x48\x73” | CreateProcessSuspended | $processPath |
| “\x44\x80” | LoadManagedCode64 | $binary |
| “\x56\x34 | StartService | $MachineName, $ServiceName |
| “\x8E\xB9 | NetSessionEnum | $ServerName |
| “\x79\x75” | IDirectorySearch | $HostName, $SearchFilter, $AttributeNames |
| “\x9a\xb9” | NetUserModalsGet | $ServerName |
| “\x9a\xb6” | GetScheduledTask | $serverName |
| “\xb3\x29” | netshareenum2 | $servername |
| “\xa9\xe4” | InjectProcessShellcode | $pid |
| “\xf3\xd8” | WtsEnumProcessA | $RDServerName |
| “\xbf\xb” | UpdateConfig | $config |
| “\xa9\xb3” | count_exec_cmd | $count, $sleep, $cmd |
| “\x9a\xe1” | GetFullPathNameW | $filename |
| “\x57\xa6” | inet_ntoa | $host |
| “\xf1\xa5” | dump_process_from_pid | $pid |
| “\x63\xd1” | adjustTokenPrivilege | $privilege |
| “\x3a\xe5” | GetFileTimeStamp | $filename |
| “\xd3\xb1” | WbemCreateProcess | $CommandLine |
| “\x3e\xf8” | listdir2 | $dir_path |
| “\xb9\xe4” | GetDelegationToken | $TargetName |
| “\x3a\xb9” | ping | $host |
| “\x9c\xda” | GetCredentialsFromUiPrompt | $CaptionText |
| “\xe4\xcd” | GetThreadsInfo | $pid |
| “\xba\xe1” | InjectSetContext | $pid, $tid |
| “\xed\xf2” | connect_localhost_global_struct | $index |
| “\xd8\x3b” | WriteMemory | $address, $data |
| “\x3b\xa2” | GetUsersPwdHashes | NA |
| “\xd2\xe3” | CreateProcessSuspendedInjectThread | |
| “\xd9\xa7” | unknown_update_global_struct | TODO |
| “\xb3\xd2” | StopService | $MachineName, $ServiceName |
| “\x9a\x6c” | DelayCmdExec | $delay |
| “\xd1\xf3” | unknown_network | $ip, $port, $unknown, $unknown2 |
| “\x8C\xED” | ReflectiveDllLoading | $dll |
| “\x8X\x9D” | ReflectiveDllLoading2 | $dll |
| “\x3B\x2D” | SekurLsaPTH | $unknown, $domain, $user_name, $ntlm_hash, $command_line |
| “\x9C\xE2” | HttpGet | $opt, $ServerName, $port, $ObjectName |
| “\x2B\xEF” | GetFileSecurity | $file_name |
| “\xB3\xD1” | GlobalStructControl17 | $code, $value |
| “\xE2\xF1” | GlobalStructFree10 | $code |
| “\xA9\xC3” | GlobalStructControl15 | $code, $value |
| “\x41\x9D” | record_screen_jpg | $p1, $duration |