pikabot | 8910550c45d5943d4d61d94ac4747b6f2a8a910e8c37dc480598686e3dcbad78

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 20:49

Target

8910550c45d5943d4d61d94ac4747b6f2a8a910e8c37dc480598686e3dcbad78.dll
Size

840KB
MD5

d8272db8c4ced8f2c40ae46090c421bb
SHA1

3b919ca191958e0001fcf9c9e82fd55f093f8496
SHA256

8910550c45d5943d4d61d94ac4747b6f2a8a910e8c37dc480598686e3dcbad78
SHA512

29312268a357bc76962b1cbd75ddb6fd48e4b122635f472c9266cfde0064916381f7ccee0b56213fb06bc7b220240132ab520ee11f27f15c5eb1298afae7bcf4
SSDEEP

24576:je9nfmpSVmL+Cf72yb1SFEtEfPmY4uRD7HpUMhOw8ghE:qBmpSVmLfCDfPJ4cDFPhmghE

Score

10^/10

pikabot botnet

Family

pikabot

154.53.55.165

158.247.240.58

154.12.236.248

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 1724	2396	rundll32.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4868	2396	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
2396	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2396	5012	rundll32.exe	89
PID 5012 wrote to memory of 2396	5012	rundll32.exe	89
PID 5012 wrote to memory of 2396	5012	rundll32.exe	89
PID 2396 wrote to memory of 1724	2396	rundll32.exe	93
PID 2396 wrote to memory of 1724	2396	rundll32.exe	93
PID 2396 wrote to memory of 1724	2396	rundll32.exe	93
PID 2396 wrote to memory of 1724	2396	rundll32.exe	93
PID 2396 wrote to memory of 1724	2396	rundll32.exe	93
PID 2396 wrote to memory of 1724	2396	rundll32.exe	93
PID 2396 wrote to memory of 1724	2396	rundll32.exe	93
PID 2396 wrote to memory of 1724	2396	rundll32.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8910550c45d5943d4d61d94ac4747b6f2a8a910e8c37dc480598686e3dcbad78.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8910550c45d5943d4d61d94ac4747b6f2a8a910e8c37dc480598686e3dcbad78.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\ctfmon.exe
    "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 636
    3⤵
    - Program crash
    PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2396 -ip 2396
1⤵
PID:5044

memory/1724-1-0x0000000000660000-0x0000000000679000-memory.dmp

Filesize
100KB

Download
memory/1724-6-0x0000000000660000-0x0000000000679000-memory.dmp

Filesize
100KB

Download
memory/2396-0-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/2396-12-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download