pikabot | 50bb5620a6fc53335c175ae74a6e5b5f63b2b3f64d459a17fe190e4e00ead36a

Analysis

max time kernel
159s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 15:47

Target

launcher.bat
Size

70B
MD5

70c96b6b962525522af80754c7bcd149
SHA1

53f0dfda950efc0accdf179c43df49ffc1709787
SHA256

98bb57008710d6606f39855433c3f080921cddcd23efa6862208fd8749258976
SHA512

830468a2ed9d2334a73381b833e6bbe2de79482efc20cb8e2af36522df57295e88efabe66e3b8b5310338eca44429817570220d7d5cf32285a05fb9d1a5a7dfb

Score

10^/10

pikabot botnet

Family

pikabot

154.53.55.165

158.247.240.58

154.12.236.248

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 1980	1204	rundll32.exe	94

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
1204	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1104	5092	cmd.exe	89
PID 5092 wrote to memory of 1104	5092	cmd.exe	89
PID 1104 wrote to memory of 1204	1104	rundll32.exe	90
PID 1104 wrote to memory of 1204	1104	rundll32.exe	90
PID 1104 wrote to memory of 1204	1104	rundll32.exe	90
PID 1204 wrote to memory of 1980	1204	rundll32.exe	94
PID 1204 wrote to memory of 1980	1204	rundll32.exe	94
PID 1204 wrote to memory of 1980	1204	rundll32.exe	94
PID 1204 wrote to memory of 1980	1204	rundll32.exe	94
PID 1204 wrote to memory of 1980	1204	rundll32.exe	94
PID 1204 wrote to memory of 1980	1204	rundll32.exe	94
PID 1204 wrote to memory of 1980	1204	rundll32.exe	94
PID 1204 wrote to memory of 1980	1204	rundll32.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\system32\rundll32.exe
  rundll32.exe 3290.png.dll,GetModuleProp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe 3290.png.dll,GetModuleProp
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\SysWOW64\ctfmon.exe
      "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
      4⤵
      PID:1980

memory/1204-0-0x00000000012E0000-0x0000000001316000-memory.dmp

Filesize
216KB

Download
memory/1204-9-0x00000000012E0000-0x0000000001316000-memory.dmp

Filesize
216KB

Download
memory/1980-1-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/1980-6-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download