MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pikabot


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756
SHA3-384 hash: 3d4cb3fed47712cc0696d63ce09a541d8924b06c1344a403bb56c66a21aff474f84231f10044fff65f1f95be75a4b4a4
SHA1 hash: 08fc58ac9b7da11b70802fe838115e4b4d651bb9
MD5 hash: 56573f3b6ec3fc757a9586e5ff4b4fd5
humanhash: seven-item-connecticut-moon
File name:tmpE9E4.dll
Download: download sample
Signature Pikabot
Create hunting rule
File size:1'142'272 bytes
First seen:2023-12-06 17:28:28 UTC
Last seen:2023-12-06 19:18:00 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash b7f9b3fa38b50c98fdc8d1028a8df3f7 (3 x Pikabot)
ssdeep 24576:S5xTHfCIr43Hm2pDA9mtByVcNPEuXggR89:S5AFGJ9uB0cBRXf
TLSH T15F35ADF3ED80873ED16B15399837925CA8257FD0293FF47D2AA40A487E252932E3516F
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter k3dg3___
Tags:dll Pikabot ta577 tr


Avatar
k3dg3
export=enter

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462975/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.27458.14371.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control greyware hook keylogger lolbin packed
Link:
https://www.filescan.io/uploads/6570af6318cffa73b1dc40f2/reports/ae423183-08fe-4479-906e-10cdbf08b2e0/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a7213cc8-895e-47cd-954c-358c97eb9d30
Result
Threat name:
CryptOne, PikaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354827
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to check for running processes (XOR)
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected PikaBot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1354827 Sample: tmpE9E4.dll Startdate: 06/12/2023 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Antivirus detection for URL or domain 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 4 other signatures 2->39 8 loaddll32.exe 1 2->8         started        process3 signatures4 47 Writes to foreign memory regions 8->47 49 Sample uses process hollowing technique 8->49 51 Contains functionality to detect sleep reduction / modifications 8->51 11 cmd.exe 1 8->11         started        13 rundll32.exe 8->13         started        16 WerFault.exe 3 16 8->16         started        18 2 other processes 8->18 process5 signatures6 20 rundll32.exe 11->20         started        55 Writes to foreign memory regions 13->55 57 Sample uses process hollowing technique 13->57 23 SearchFilterHost.exe 13->23         started        process7 signatures8 41 Writes to foreign memory regions 20->41 43 Sample uses process hollowing technique 20->43 45 Contains functionality to detect sleep reduction / modifications 20->45 25 SearchFilterHost.exe 12 20->25         started        29 WerFault.exe 20 16 20->29         started        process9 dnsIp10 31 154.61.75.156, 2078, 49715 INTECHONLINE-INIntechOnlinePrivateLimitedIN United States 25->31 53 Contains functionality to check for running processes (XOR) 25->53 signatures11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756/
Threat name:
Win32.Trojan.Pikabot
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 16:53:42 UTC
File Type:
PE (Dll)
Extracted files:
36
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fi4hvuye24ty3xedw2sshdf2gedpir2lp6ths4vwz3awoqroo5la._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231206-v2w9cabb78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
fae3127416910fa5eadde9518566d8632b80fd73ce3d2a33fcc1d4aa0b5c32dc
MD5 hash:
69c053684365c57dc63c5f4fa5681fa9
SHA1 hash:
dfd3cb8070999ddc09e87d1603bbdc0bb79c34f5
Detections:
win_pikabot_a0
Create hunting rule
Link:
https://www.unpac.me/results/2cfb6f0d-72b3-460a-947b-ced6a7ae1ad6/
Parent samples :
2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756
70b12617dbbaf60b6a169797cc016eda12b0b18766b6ae48b469b0aed3e73892
SH256 hash:
2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756
MD5 hash:
56573f3b6ec3fc757a9586e5ff4b4fd5
SHA1 hash:
08fc58ac9b7da11b70802fe838115e4b4d651bb9
Link:
https://www.unpac.me/results/2cfb6f0d-72b3-460a-947b-ced6a7ae1ad6/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a387ad304d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Pikabot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pikabot

DLL dll 2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462975/

Comments