pikabot

Sharing

Copy URL

Twitter E-mail

General

Target

h4.zip
Size

4.3MB
Sample

230629-1vqqwagb4s
MD5

028621ae475fd3af1a60284f084124d9
SHA1

c18e6adf2c75f108a1bf98d534068ec424acc964
SHA256

feef7c585a67e368ce1a514158d6abc280e502b0408ad8b589d83687360ff11f
SHA512

e671e9998d8f3b938084e4cb0fed175c7f3ac009917989cace6af1c7a512ff207793534c1b03cc220f5da4173bc084ee508c5ac7e6154c4bc9a285a6974ecdc2
SSDEEP

98304:YfFBwV9Z9WRhoq9BQFSyd+doJTTL/alHFBwV9AfYbSdxHHkF:aebaT9kIonL/KeWfYmdxkF

Score

10^/10

Malware Config

Targets

- Target
  
  00ad95ca939f4fbb3452ea300bb919ef18cbde843604d7148fa165b645c3030e
- Size
  
  60KB
- MD5
  
  4baa7505a1c6206660f2504c19502990
- SHA1
  
  b88dcf1b25814cdfae56dd659ceb63c5fdc56acb
- SHA256
  
  00ad95ca939f4fbb3452ea300bb919ef18cbde843604d7148fa165b645c3030e
- SHA512
  
  eda94fe7dd400f9ea4d438ccbe08f8aa2a8dcfdb4bfa4f69ba535012ed1188b23468522c3cff5ec7fcc443252c42ed82f8a853e996e793059ba9259115440d01
- SSDEEP
  
  768:AUmggYEOf6hfc/gWBfRoCT4IU9mSCXsGs8SKyblnOVhUTPySdUNexpRAhFr:+ggV+5TkIU9VgsGsZxOV+TPy6CF
Score

3^/10
behavioral1 behavioral2
- Target
  
  05d1b791865c9551ed8da6a170eb6f945a4d1e79cb70341f589cc47bacf78cc3
- Size
  
  28KB
- MD5
  
  4b532d1f869f1f91e3d5aca3133463b2
- SHA1
  
  e554c15efdd96bd12c4143efd406d222df8266bc
- SHA256
  
  05d1b791865c9551ed8da6a170eb6f945a4d1e79cb70341f589cc47bacf78cc3
- SHA512
  
  955fec31c475660eeb2ea325fc16c35d6f5e5029cbef83fffe4994236340271bf30a4f7f9ff7e8ccfa62ce26cc6aff94b5f1554cec61ca281e2b216b850feaba
- SSDEEP
  
  192:Ykz0+lD+GrfDtmiQy9XzDQgaeD2ra7oSCEPhQs8WOQUbS3TwaADn:amjDsad9bqra7oSjMvIwpn
Score

1^/10
behavioral3 behavioral4
- Target
  
  2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09
- Size
  
  473KB
- MD5
  
  3d051c701fbdf002650f8f90267ee16d
- SHA1
  
  e835e5d57c769cb86e9e61ff8e28d7bad1421cdb
- SHA256
  
  2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09
- SHA512
  
  4018efc79da22eb577a889b608c662ae5d59fc6c8dead939fd814675c08fdd0ac372aa132357451fe4231f592a13ad9b3dfca0f2a12ef9946601a277c18a7dde
- SSDEEP
  
  6144:nYGKcdvv6azsXOkDriqiN0DaSCrIB28UJ1F5FRpS0Xu0X:YGKKDADhi+Da3rIByJ13pRxX
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  31d025c022dfa29f0d953d477a5cefebe91bf28e60fa771b407cc0b25dd65355
- Size
  
  455KB
- MD5
  
  8e692f5c57cd81e94e3c0982b5f91f74
- SHA1
  
  e0085dee4adb2299f1807ff39847852ce578ef1d
- SHA256
  
  31d025c022dfa29f0d953d477a5cefebe91bf28e60fa771b407cc0b25dd65355
- SHA512
  
  d62860682ea77e44bd397e9475bc62f6372d5932ef807f9263682517a5bc7ba3935c81a98fcef5954bcea09cc5acec47f328da86ebf998146f80daba6cdafbbd
- SSDEEP
  
  6144:nYGKcdvv6azsX7kDriqiN0DaSCrIB28UJ1F5FRpS0X:YGKKDAmhi+Da3rIByJ13pR
Score

3^/10
behavioral7 behavioral8
- Target
  
  3b0dce669a07626746d3b2301607702abd3bb2cba8dcb9c8b655f246e7b8ab1d
- Size
  
  46KB
- MD5
  
  008675ad6fc2ed2b17cd19dfadc0e766
- SHA1
  
  0f1420ba4c089b7a0b07427058af8e15a4f59346
- SHA256
  
  3b0dce669a07626746d3b2301607702abd3bb2cba8dcb9c8b655f246e7b8ab1d
- SHA512
  
  ee9a455c5da82e29b3944f5d84db240e60298980311b0da09c53c50b20cfa6fa4fd9bd26562838e6a0442a5b043724351a39bc67803aa90c7f8e1330c8f84413
- SSDEEP
  
  768:DDJTV0YbZiAbYZSesRQxqz5qzGI4reLkfLe48tfpFtJoTpH6Ri:fJTV0QkNuQx252GI4ReHtLDApaE
Score

3^/10
behavioral10 behavioral9
- Target
  
  3ba484fd9430dda5ea691c86ed0cd6e95f1e401d7b444c0d6465545a03ae20b7
- Size
  
  28KB
- MD5
  
  0dea0fb13dea0ed9678178afc6d0494a
- SHA1
  
  9e72af3657e7140f00becebc228f9539e637c3d6
- SHA256
  
  3ba484fd9430dda5ea691c86ed0cd6e95f1e401d7b444c0d6465545a03ae20b7
- SHA512
  
  dd5f84150e0ef8eddd4de81611558542b78bd540fa8071177863302a57ee7f38328a4230a3a192a0ee91d0c73600f8e88d670494c7845736f1bc4409f2ca10af
- SSDEEP
  
  192:YTz0+lD+GrfDtmiQb9XzDQIw9FDeD2ra7oSCEPhQs8WOQUbS3TwaADn:rmjDsjdYmqra7oSjMvIwpn
Score

3^/10
behavioral11 behavioral12
- Target
  
  443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd
- Size
  
  18KB
- MD5
  
  8bc27fd9c49426a50ebc2d55e84a2ab6
- SHA1
  
  15c5ff436d2f663ff90f6e194c6b397be35952e9
- SHA256
  
  443c727f45873a83f2b236cafa7781439e0ce9a25120d01621a812af15934ffd
- SHA512
  
  6bf54dd10d675f97570789231764b38e3b641669e4f55b47074715ff7a7e5cdb47fe8282438f01e153a293278dec994ea3651e9c7681f0654dfcfba09875f34e
- SSDEEP
  
  192:Y7z0+lD+GrfDtmiQe9XzDQOrueD2ra7oSCEPhQs8WOQUbS3TwaARqRCfaU5MW:vmjDs2dBHqra7oSjMvIwveCfaU5v
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
behavioral13 behavioral14
- Target
  
  4bc3d95ee8661f7d381b2ceb6cb4a6e9759d7d0f9d883b44528b0f9c0aa559a2
- Size
  
  726KB
- MD5
  
  09dd5cbeaaad7dbbb55247f88d8f47ff
- SHA1
  
  fefb2c4364209dd3570d567cc65748000045d889
- SHA256
  
  4bc3d95ee8661f7d381b2ceb6cb4a6e9759d7d0f9d883b44528b0f9c0aa559a2
- SHA512
  
  367481d9a0b3da881019f527117822532b97cddf648db4962bbd363e77d895a960d09c3da94cb115583b273c2bc812b5db196232c183d11e454edd466fe470cd
- SSDEEP
  
  12288:YGKKDADhi+Da3rIByJ13pRxd1sPHyrrKHS1sPHyrW:YGKKDADh7DKrIBg1ZRxd1EHyrrKHS1EV
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  4d81b964b809d1d3c642d331f17f80ee013fdd2b8bd2cffd191449313ea92353
- Size
  
  464KB
- MD5
  
  b3e9aab33e74a23796b3e442920c9b7e
- SHA1
  
  c8b8986658588fb0adb97ca8c7b8fe8f0c5a974b
- SHA256
  
  4d81b964b809d1d3c642d331f17f80ee013fdd2b8bd2cffd191449313ea92353
- SHA512
  
  c43cdf877f01603845953a384934a22d2006ac841d14d2f301c3162ff8d05723c9a722506629134b08ba5ff5f5cd940e69cf0df558db9670695f03f8c4439575
- SSDEEP
  
  6144:eH1DBotbwjld1m1kGQnNrHRoaiCrIB28UJ1F5FRpS0X:eHhBaydQxqNrxoaHrIByJ13pR
Score

1^/10
behavioral17 behavioral18
- Target
  
  4fb5b0da3a557a7dac922010a2b888a91055c4381cf494a6336a674be3bb4a45
- Size
  
  28KB
- MD5
  
  86abb01aaf21fa57b192f618aac99573
- SHA1
  
  951c8a0fb04ef95588819af63a24afaa1e4ae985
- SHA256
  
  4fb5b0da3a557a7dac922010a2b888a91055c4381cf494a6336a674be3bb4a45
- SHA512
  
  24541270b2f496123bfd539805b93bb2ab814edb81b48e00156eaa4d0ad2b592ea6468a82cd9dbb8b2f60cfa2e57aa416a5a27b3cd288c68d488a12566145629
- SSDEEP
  
  192:YQz0+lD+GrfDtmiQe9XzDQOrueD2ra7oSCEPhQs8WOQUbS3TwaADn:2mjDsWdBHqra7oSjMvIwpn
Score

3^/10
behavioral19 behavioral20
- Target
  
  50d0a3b32e813c671248f0f2fe10c3c237ee94bfa94fcaf86886fc3a64d79b88
- Size
  
  60KB
- MD5
  
  af850c572f4805830df79180b04ae52e
- SHA1
  
  8261158838f46a63ea08dd9b0b45262247c371ac
- SHA256
  
  50d0a3b32e813c671248f0f2fe10c3c237ee94bfa94fcaf86886fc3a64d79b88
- SHA512
  
  2eec61676ecd902d79a7a266893861eff5903345aa7753e94ce7c3cffa0ba08c7c386a29a8148cc4caa1c7bc7410df08d29387745f9690b9f9a617d048c7604d
- SSDEEP
  
  768:AUmQgYEOvCZf8/gGB/RQCT4Is9OqC3sGs8qSardvWNhULPyKdUNexpRYhTr:+Qgle5bkIs91gsGsBZuN+LPyCaT
Score

3^/10
behavioral21 behavioral22
- Target
  
  59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1
- Size
  
  1.0MB
- MD5
  
  46808efd5331489a931e51792623caca
- SHA1
  
  1e7e75bcee397e9c447edb7a7a20a5c81eee8a87
- SHA256
  
  59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1
- SHA512
  
  33fcf014dba7718a7e99a4860854b6067e525c8e1ab187dd9468fd4913fe7fe450b89beb5c915e424288857ce6137f96ef970d26b9bd061991d1d6a97e63b853
- SSDEEP
  
  24576:oYwf5ZRmacuzNSmFa10450twvOUqEB7PBd3X3m+r:WcCzNfveyUdPBdH3l
Score

10^/10

pikabot botnet evasion
- Detects PikaBot botnet
- PikaBot
  PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
  botnet pikabot
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  5a76edd4bf074cc6a66199f87896dee330a81164d112605681ccb145d64cd587
- Size
  
  47KB
- MD5
  
  2ff43050639a3a1ea5e7a84cb33d7168
- SHA1
  
  9168ce6744db8642fdfb8588c004291b4bf0e240
- SHA256
  
  5a76edd4bf074cc6a66199f87896dee330a81164d112605681ccb145d64cd587
- SHA512
  
  a978e19ca8d82e21de813cb4002eda83b173d80cab3a7f2fbf9547b119e658a2b194cc1e9b2f5c114ef440d8930754884613852760e294d514e013d9318b79ce
- SSDEEP
  
  768:AUmUgYEOLcLfk/gGB3RKmb4I+98sCPsGs08okrLO48fhUtHy4dUNexpRShTr:+UgFGRhcI+994sGsjXO7f+tHyc4T
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral25 behavioral26
- Target
  
  610e854b8c98ab9fd11985f3468eababee930d0bc695cc596f7a2b0e92b25f19
- Size
  
  464KB
- MD5
  
  da2fb4b9e371a7cd80a361a2440323a1
- SHA1
  
  a80b635c6210a0c3b76c53576a512f5bba921bb2
- SHA256
  
  610e854b8c98ab9fd11985f3468eababee930d0bc695cc596f7a2b0e92b25f19
- SHA512
  
  e5875880847b648e3d2b01e932e0b7b0f4b005b253c895657886e042386eb618aac9102f96e652572ffb0f89d72a71fa6f2bdd4b7df84e5cff54044d50e34811
- SSDEEP
  
  6144:GikDeoNuHkHd1r1kGQnNrHRoaiCrIB28UJ1F5FRpS0X:Gi2e3udpxqNrxoaHrIByJ13pR
Score

1^/10
behavioral27 behavioral28
- Target
  
  644a054d1f42e129007fbe1ed445e1f36cc84737727e1d842530e16aec7c37bc
- Size
  
  46KB
- MD5
  
  d75be3ea69eeb92f8cb8c6763907ccad
- SHA1
  
  1ec0a9544b72b275f1130f6aa4eb8f2d4a5e8b84
- SHA256
  
  644a054d1f42e129007fbe1ed445e1f36cc84737727e1d842530e16aec7c37bc
- SHA512
  
  ec9842c56e0a2f5fad94d6ed378cd0c3c2ef1cb2d8361a08d4c6b788b71da84c63cb3375456999b573e701dfe3220ca4686555453088d1adbd46489112c8e231
- SSDEEP
  
  768:DDJTV0YbZiAbYZSesRQxqz5qzGI4reLkfLe48tfpFtJoTpH6Ri:fJTV0QkNuQx252GI4ReHtLDApaE
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral29 behavioral30
- Target
  
  802a953fdb8efac8ec2a48bb8051713eb23edf962a10640d144206fea99b001f
- Size
  
  48KB
- MD5
  
  2ad7ceb9109d01f7750396e815d8aac5
- SHA1
  
  9310175104942dcfd34b8cdcdc94b2f648f1de31
- SHA256
  
  802a953fdb8efac8ec2a48bb8051713eb23edf962a10640d144206fea99b001f
- SHA512
  
  1ff923f206d2271b8e8afa2fdc550c4608b83d1d82a738489be31fb31562eb703ffdccf7789431321cc0ef8920f33cfd2c04393e2c04f22bf6f8ed8cdc9d50c1
- SSDEEP
  
  768:/0iEEBGU4Ly9RWFaoF4Vcps8etdvAgV1N:8iLBWLAWFad8eT4u1N
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Remote System Discovery

T1018

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Targets

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Adds Run key to start application

Suspicious use of SetThreadContext

Detects PikaBot botnet

Suspicious use of NtCreateUserProcessOtherParentProcess

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Suspicious use of SetThreadContext

Adds Run key to start application

Drops file in System32 directory

Adds Run key to start application

Drops file in System32 directory

Identifies VirtualBox via ACPI registry values (likely anti-VM)

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32