njrat | ac2633a4308a31c9a156f564c02c35776627233fdfde5bfc3336f2e8cea65ed0

General

Target

bc28c34b6ba7a0341e1604509d756afc.exe
Size

303KB
MD5

bc28c34b6ba7a0341e1604509d756afc
SHA1

fc3188751db9814d68861d6930fc05192afb8fe3
SHA256

ac2633a4308a31c9a156f564c02c35776627233fdfde5bfc3336f2e8cea65ed0
SHA512

55b403a4b4e470df53d7880e4c2409b6819319f7dbfed09c7a8bfc5c1d05448baaa6b9ddc58a14c1a882d310ac5309388db0fc416c15c64a681c880dae0f74f4
SSDEEP

6144:FjT5Zh17eWxoG/+ov/2OIQ4wW3OBsCeAWtPNfvbTEY:FRZ+IoG/n9IQxW3OBseclvbTEY

Score

10^/10

njrat бебрусик evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Бебрусик

C2

6.tcp.eu.ngrok.io:10291

Mutex

34df59c30ceddf261b28ec307d4bd4f7

Attributes

reg_key
34df59c30ceddf261b28ec307d4bd4f7
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1960	UlraBebrus.exe
4704	GigaNige.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
328	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	UlraBebrus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bc28c34b6ba7a0341e1604509d756afc.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	GigaNige.exe
File opened for modification	C:\autorun.inf	GigaNige.exe
File created	D:\autorun.inf	GigaNige.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe
Token: 33	4704	GigaNige.exe
Token: SeIncBasePriorityPrivilege	4704	GigaNige.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 1960	3540	bc28c34b6ba7a0341e1604509d756afc.exe	83
PID 3540 wrote to memory of 1960	3540	bc28c34b6ba7a0341e1604509d756afc.exe	83
PID 3540 wrote to memory of 1960	3540	bc28c34b6ba7a0341e1604509d756afc.exe	83
PID 1960 wrote to memory of 4704	1960	UlraBebrus.exe	89
PID 1960 wrote to memory of 4704	1960	UlraBebrus.exe	89
PID 1960 wrote to memory of 4704	1960	UlraBebrus.exe	89
PID 4704 wrote to memory of 328	4704	GigaNige.exe	92
PID 4704 wrote to memory of 328	4704	GigaNige.exe	92
PID 4704 wrote to memory of 328	4704	GigaNige.exe	92

C:\Users\Admin\AppData\Local\Temp\bc28c34b6ba7a0341e1604509d756afc.exe
"C:\Users\Admin\AppData\Local\Temp\bc28c34b6ba7a0341e1604509d756afc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\UlraBebrus.exe
  "C:\Users\Admin\AppData\Local\Temp\UlraBebrus.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\GigaNige.exe
    "C:\Users\Admin\AppData\Local\Temp\GigaNige.exe"
    3⤵
    - Executes dropped EXE
    - Drops autorun.inf file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\GigaNige.exe" "GigaNige.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GigaNige.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
C:\Users\Admin\AppData\Local\Temp\GigaNige.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
C:\Users\Admin\AppData\Local\Temp\UlraBebrus.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
C:\Users\Admin\AppData\Local\Temp\UlraBebrus.exe

Filesize
37KB

MD5
8b1e3959382b8dbca197ed7eced1ba14

SHA1
78cdca26a61599e2794ce98cf6f3d764905e03da

SHA256
3b848bd82542c2212729e544b5dc59cece5c1798cf2a4f76f481570f0e84821e

SHA512
722c009a87dc37aa889506f0da6365235529d307c7f175072d4291dea48dd73ebafd997d34cc641c55d0480d7cb02a3f99bfcfa9aa084c3ab468b8d53425b965

Download Submit
memory/1960-135-0x0000000072B20000-0x00000000730D1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-139-0x0000000072B20000-0x00000000730D1000-memory.dmp

Filesize
5.7MB

Download
memory/4704-140-0x0000000072B20000-0x00000000730D1000-memory.dmp

Filesize
5.7MB

Download
memory/4704-142-0x0000000072B20000-0x00000000730D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads