njrat | ac2633a4308a31c9a156f564c02c35776627233fdfde5bfc3336f2e8cea65ed0

General

Target

bc28c34b6ba7a0341e1604509d756afc.exe
Size

303KB
MD5

bc28c34b6ba7a0341e1604509d756afc
SHA1

fc3188751db9814d68861d6930fc05192afb8fe3
SHA256

ac2633a4308a31c9a156f564c02c35776627233fdfde5bfc3336f2e8cea65ed0
SHA512

55b403a4b4e470df53d7880e4c2409b6819319f7dbfed09c7a8bfc5c1d05448baaa6b9ddc58a14c1a882d310ac5309388db0fc416c15c64a681c880dae0f74f4
SSDEEP

6144:FjT5Zh17eWxoG/+ov/2OIQ4wW3OBsCeAWtPNfvbTEY:FRZ+IoG/n9IQxW3OBseclvbTEY

Score

10^/10

njrat бебрусик evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Бебрусик

C2

6.tcp.eu.ngrok.io:10291

Mutex

34df59c30ceddf261b28ec307d4bd4f7

Attributes

reg_key
34df59c30ceddf261b28ec307d4bd4f7
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
976	UlraBebrus.exe
564	GigaNige.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
396	netsh.exe

Loads dropped DLL 4 IoCs

pid	Process
852	bc28c34b6ba7a0341e1604509d756afc.exe
852	bc28c34b6ba7a0341e1604509d756afc.exe
852	bc28c34b6ba7a0341e1604509d756afc.exe
976	UlraBebrus.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	GigaNige.exe
File opened for modification	C:\autorun.inf	GigaNige.exe
File created	D:\autorun.inf	GigaNige.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe
Token: 33	564	GigaNige.exe
Token: SeIncBasePriorityPrivilege	564	GigaNige.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 976	852	bc28c34b6ba7a0341e1604509d756afc.exe	28
PID 852 wrote to memory of 976	852	bc28c34b6ba7a0341e1604509d756afc.exe	28
PID 852 wrote to memory of 976	852	bc28c34b6ba7a0341e1604509d756afc.exe	28
PID 852 wrote to memory of 976	852	bc28c34b6ba7a0341e1604509d756afc.exe	28
PID 976 wrote to memory of 564	976	UlraBebrus.exe	29
PID 976 wrote to memory of 564	976	UlraBebrus.exe	29
PID 976 wrote to memory of 564	976	UlraBebrus.exe	29
PID 976 wrote to memory of 564	976	UlraBebrus.exe	29
PID 564 wrote to memory of 396	564	GigaNige.exe	30
PID 564 wrote to memory of 396	564	GigaNige.exe	30
PID 564 wrote to memory of 396	564	GigaNige.exe	30
PID 564 wrote to memory of 396	564	GigaNige.exe	30

C:\Users\Admin\AppData\Local\Temp\bc28c34b6ba7a0341e1604509d756afc.exe
"C:\Users\Admin\AppData\Local\Temp\bc28c34b6ba7a0341e1604509d756afc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\UlraBebrus.exe
  "C:\Users\Admin\AppData\Local\Temp\UlraBebrus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\GigaNige.exe
    "C:\Users\Admin\AppData\Local\Temp\GigaNige.exe"
    3⤵
    - Executes dropped EXE
    - Drops autorun.inf file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\GigaNige.exe" "GigaNige.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GigaNige.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
C:\Users\Admin\AppData\Local\Temp\GigaNige.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
C:\Users\Admin\AppData\Local\Temp\UlraBebrus.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
C:\Users\Admin\AppData\Local\Temp\UlraBebrus.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
\Users\Admin\AppData\Local\Temp\GigaNige.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
\Users\Admin\AppData\Local\Temp\UlraBebrus.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
\Users\Admin\AppData\Local\Temp\UlraBebrus.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
\Users\Admin\AppData\Local\Temp\UlraBebrus.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
memory/396-69-0x0000000000000000-mapping.dmp

Download
memory/564-64-0x0000000000000000-mapping.dmp

Download
memory/564-68-0x0000000073520000-0x0000000073ACB000-memory.dmp

Filesize
5.7MB

Download
memory/564-71-0x0000000073520000-0x0000000073ACB000-memory.dmp

Filesize
5.7MB

Download
memory/852-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/976-62-0x0000000073010000-0x00000000735BB000-memory.dmp

Filesize
5.7MB

Download
memory/976-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads