pikabot | 89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 12:31

Target

Ngjhjhjda.exe
Size

3.3MB
MD5

f316f291a2998d6bbce2674c8aa3f349
SHA1

bbe00380a62900c286d8506a040d99718dfd8932
SHA256

89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9
SHA512

84770262959e3b1470b324775e5d06665008b09f0f5de33eef02efab77a8a560b44d3a59668ab91294c79cf58ef026aa2ff5bd9b6199e6a0d5b295ff209ffe6b
SSDEEP

49152:DCXtvRXOhEc2MgyyuTEGQp8EamZaFChW7ZaxJmLufu4a:DCxRXOhEc2MgJHTp+isLf

Score

10^/10

pikabot botnet

Family

pikabot

141.95.106.106

104.129.55.106

104.129.55.105

23.226.138.161

145.239.135.24

85.239.243.155

23.226.138.143

57.128.165.176

178.18.246.136

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5100 set thread context of 1428	5100	Ngjhjhjda.exe	89

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5100	Ngjhjhjda.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
5100	Ngjhjhjda.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 1428	5100	Ngjhjhjda.exe	89
PID 5100 wrote to memory of 1428	5100	Ngjhjhjda.exe	89
PID 5100 wrote to memory of 1428	5100	Ngjhjhjda.exe	89
PID 5100 wrote to memory of 1428	5100	Ngjhjhjda.exe	89
PID 5100 wrote to memory of 1428	5100	Ngjhjhjda.exe	89
PID 5100 wrote to memory of 1428	5100	Ngjhjhjda.exe	89
PID 5100 wrote to memory of 1428	5100	Ngjhjhjda.exe	89
PID 5100 wrote to memory of 1428	5100	Ngjhjhjda.exe	89

C:\Users\Admin\AppData\Local\Temp\Ngjhjhjda.exe
"C:\Users\Admin\AppData\Local\Temp\Ngjhjhjda.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\ctfmon.exe
  "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
  2⤵
  PID:1428

memory/1428-1-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/1428-7-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/5100-0-0x00000000025E0000-0x0000000002614000-memory.dmp

Filesize
208KB

Download
memory/5100-3-0x00000000025E0000-0x0000000002614000-memory.dmp

Filesize
208KB

Download