Analysis Overview
SHA256
5f218a535ed51ebbc6821dc6c3777f375c2ea18ed1f9e52ca1198630b7527ae1
Threat Level: Known bad
The file BITnoStart.exe was found to be: Known bad.
Malicious Activity Summary
Bitrat family
BitRAT
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2023-08-01 20:57
Signatures
Bitrat family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-01 20:57
Reported
2023-08-01 21:00
Platform
win7-20230712-en
Max time kernel
144s
Max time network
147s
Signatures
BitRAT
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe
"C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | backu4734.duckdns.org | udp |
| DE | 167.235.75.225:7904 | backu4734.duckdns.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-01 20:57
Reported
2023-08-01 21:00
Platform
win10v2004-20230703-en
Max time kernel
145s
Max time network
153s
Signatures
BitRAT
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe
"C:\Users\Admin\AppData\Local\Temp\BITnoStart.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | backu4734.duckdns.org | udp |
| DE | 167.235.75.225:7904 | backu4734.duckdns.org | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files