pikabot | b025e37611168c0abcc446125a8bd7cb831625338434929febadfcc9cc4c816e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xjgkkltfdhdfhfjg.exe
Size

3.3MB
MD5

2a3a840641803b101b86e0c321b0a5fe
SHA1

52bc3e121f44c4f9e71b43110f468886294c7fc2
SHA256

b025e37611168c0abcc446125a8bd7cb831625338434929febadfcc9cc4c816e
SHA512

00e9064564b7ff3acd0f76194dca7aa3d7124ff66b28fa2711908f6a1c013de781b89f6d8878f7f71e0176a3e4eee5b90a25e8338154ee580381741617464e57
SSDEEP

49152:zCXtvRXOhEc2MgyyuTEGQp8EamZaFChW7ZaxJmLufu4I:zCxRXOhEc2MgJHTp+isL1

Score

10^/10

pikabot botnet

Malware Config

Extracted

Family

pikabot

141.95.106.106

104.129.55.106

104.129.55.105

23.226.138.161

145.239.135.24

85.239.243.155

23.226.138.143

57.128.165.176

178.18.246.136

Signatures

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 2552	5036	Xjgkkltfdhdfhfjg.exe	89

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe
5036	Xjgkkltfdhdfhfjg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5036	Xjgkkltfdhdfhfjg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
5036	Xjgkkltfdhdfhfjg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2552	5036	Xjgkkltfdhdfhfjg.exe	89
PID 5036 wrote to memory of 2552	5036	Xjgkkltfdhdfhfjg.exe	89
PID 5036 wrote to memory of 2552	5036	Xjgkkltfdhdfhfjg.exe	89
PID 5036 wrote to memory of 2552	5036	Xjgkkltfdhdfhfjg.exe	89
PID 5036 wrote to memory of 2552	5036	Xjgkkltfdhdfhfjg.exe	89
PID 5036 wrote to memory of 2552	5036	Xjgkkltfdhdfhfjg.exe	89
PID 5036 wrote to memory of 2552	5036	Xjgkkltfdhdfhfjg.exe	89
PID 5036 wrote to memory of 2552	5036	Xjgkkltfdhdfhfjg.exe	89

C:\Users\Admin\AppData\Local\Temp\Xjgkkltfdhdfhfjg.exe
"C:\Users\Admin\AppData\Local\Temp\Xjgkkltfdhdfhfjg.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\ctfmon.exe
  "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
  2⤵
  PID:2552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2552-1-0x00000000009E0000-0x00000000009F8000-memory.dmp

Filesize
96KB

Download
memory/2552-7-0x00000000009E0000-0x00000000009F8000-memory.dmp

Filesize
96KB

Download
memory/5036-0-0x00000000025A0000-0x00000000025D4000-memory.dmp

Filesize
208KB

Download
memory/5036-4-0x00000000025A0000-0x00000000025D4000-memory.dmp

Filesize
208KB

Download