pikabot | 1c125a10c33d862e6179b6827131e1aac587d23f1b7be0dbcb32571d70e34de4

General

Target

XBMr.sct.dll
Size

1.3MB
MD5

30ab06a3bf1ec8ae7bd02ef4ce79719f
SHA1

9a0567614d857e13b9792a5b02b14dc95cd82c70
SHA256

1c125a10c33d862e6179b6827131e1aac587d23f1b7be0dbcb32571d70e34de4
SHA512

34e2d744e24609a2d985064b60f8cf4e96a91b4a107120e6577cd28c82298403e2de85c5ca5c316c9239b568addb892ac713793dd1a3640334fde8edb5fdf32c
SSDEEP

24576:XDOgwgfYbK9s3kW3CG3vQ3snpR7loatbEUZqHwhv642THJ1r63LSw7b8VzkPPjwm:XDOyfYbK9sZvw8V/qQeHf6JUawknjH

Score

10^/10

pikabot botnet core

Malware Config

Signatures

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot

pikabot_core 12 IoCs

Detects pikabot core payload

core

Processes:

resource	yara_rule
behavioral1/memory/2360-6-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-8-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-9-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-10-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-11-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-14-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-26-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-38-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-50-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-52-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-64-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core
behavioral1/memory/2360-66-0x0000000000F70000-0x0000000000FBC000-memory.dmp	pikabot_core

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2448 set thread context of 2360 2448 rundll32.exe SearchProtocolHost.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exenetstat.exe

pid process

2216 ipconfig.exe
4420 netstat.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SearchProtocolHost.exe

pid process

2360 SearchProtocolHost.exe
2360 SearchProtocolHost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

rundll32.exe

pid process

2448 rundll32.exe

description	pid	process	target process
PID 2448 set thread context of 2360	2448	rundll32.exe	SearchProtocolHost.exe

pid	process
2216	ipconfig.exe
4420	netstat.exe

pid	process
2360	SearchProtocolHost.exe
2360	SearchProtocolHost.exe

pid	process
2448	rundll32.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exenetstat.exe

description	pid	process
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	2748	whoami.exe
Token: SeDebugPrivilege	4420	netstat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1912 wrote to memory of 2448	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 2448	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 2448	1912	rundll32.exe	rundll32.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe
PID 2448 wrote to memory of 2360	2448	rundll32.exe	SearchProtocolHost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XBMr.sct.dll, Crash
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\XBMr.sct.dll, Crash
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\SearchProtocolHost.exe
    "C:\Windows\System32\SearchProtocolHost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2360
  - - C:\Windows\SysWOW64\whoami.exe
      whoami.exe /all
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2748
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig.exe /all
      4⤵
      Gathers network information
      PID:2216
  - - C:\Windows\SysWOW64\netstat.exe
      netstat.exe -aon
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-11-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-26-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-6-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-8-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-9-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-10-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-66-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-64-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-50-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-38-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-14-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2360-52-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/2448-0-0x0000000001260000-0x0000000001263000-memory.dmp

Filesize
12KB

Download
memory/2448-1-0x0000000002FC0000-0x0000000003090000-memory.dmp

Filesize
832KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads