MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30db7abf0363af237d64843c95e9bf79f35919e6297f3d5d13acd3a89ab1443f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Pikabot

Vendor detections: 8



SHA256 hash: 30db7abf0363af237d64843c95e9bf79f35919e6297f3d5d13acd3a89ab1443f
SHA3-384 hash: 0ba8940e665d05c3528939b1198b2db75229b888d9084add59dda8b65d1397e268068f7ebb4c66c2be75538e05d2240d
SHA1 hash: 5d0c65e44f77da0e9dc42448b6b46d8d64fb40fb
MD5 hash: f582fa17542fc2b5257f8d3e50eb6231
humanhash: seven-bulldog-india-mountain
File name: exotericallyPalfgeys.dll
Signature: Pikabot
File size: 1'342'224 bytes
First seen: 2023-03-16 12:58:22 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 15405e513d1c533451036a01b9a6e33b (5 x Pikabot)
ssdeep: 12288:zNfg7ayYgZHRXnW0liwD8L9GlB/TSJRBzfVE/+AqD0eBkvkJl6h4MEFvhAkRoAG5:zRTyV2ZxybQvh9RoOUzux82V8P
TLSH: T1BF550909EEC5BF5BD852A4BF990B9127948BCD051780DB23934DEAB3312573C1FEA891
TrID:
  30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: pr0xylife
Tags: dll Pikabot

Intelligence

File Origin
# of uploads: 1
# of downloads: 277
Origin country: RU
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 827844; sample exotericallyPalfgeys.dll; start date 16/03/2023; architecture WINDOWS; score 76), rebuilt from the graph's text as a process tree with the signatures attached to each node:
  [sample] (Multi AV Scanner detection for submitted file; Machine Learning detection for sample)
    loaddll32.exe
      rundll32.exe (Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures)
        WWAHost.exe
      cmd.exe
        rundll32.exe (Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes)
          WWAHost.exe
      rundll32.exe (Injects a PE file into a foreign processes)
        WWAHost.exe
      conhost.exe
Threat name: Win32.Trojan.Pikabot
Status: Malicious
First seen: 2023-03-16 12:59:08 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: da4995b36e54d196dc81597805755864db079f182aae10669b23de4e37439457
MD5 hash: 19bac15e861239376dc6b63d41930fae
SHA1 hash: c2802e9e6de2c64d65c18509f874358dc06d24f3

SHA256 hash: 1f1120329383a1dcbc4502e9701d1ac023059ca8985bee0ec0289ae836b38a97
MD5 hash: 2103e727c6b76dadc7a5b354ecae749b
SHA1 hash: c062b568ecb8242813bfcf4ba2891146b8ce1fec

SHA256 hash: 30db7abf0363af237d64843c95e9bf79f35919e6297f3d5d13acd3a89ab1443f
MD5 hash: f582fa17542fc2b5257f8d3e50eb6231
SHA1 hash: 5d0c65e44f77da0e9dc42448b6b46d8d64fb40fb
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
