MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70b12617dbbaf60b6a169797cc016eda12b0b18766b6ae48b469b0aed3e73892. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Pikabot


Vendor detections: 13



SHA256 hash: 70b12617dbbaf60b6a169797cc016eda12b0b18766b6ae48b469b0aed3e73892
SHA3-384 hash: 9cce3eb2a6b0dc39558abd7b03e5c53acb4860485e56540f315f816d2165ab9f528f799e3ad64abbd06ded74b55f307a
SHA1 hash: de19e4bb427b9a2010a77e64b84204dbed76db16
MD5 hash: ff29edd54636011dc4c1c4bddb96041c
humanhash: juliet-angel-ohio-high
File name: tmp96E1.dll
Signature: Pikabot
File size: 738'304 bytes
First seen: 2023-12-06 18:30:36 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: d8324b593d5f5831c7f1b8def978c0a7 (1 x Pikabot)
ssdeep: 12288:K5IGPsCLbMhP8NDIPQzRNODZ63o2nMAEAW+MiyjPDdUYioDvgrlQGcMoRa9CuArc:KnPsQ67IzRNYZcE++dQoDvgW/MI2crW6
TLSH: T1A2F4C0064E312BC9CE9E28F5C4D81604F9411F3F5B9131E71FD80CE96AE6D4B866F2A6
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: pr0xylife
Tags: dll Pikabot SOFT BLANKET LTD

Intelligence


File Origin
# of uploads:
1
# of downloads:
338
Origin country:
US
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
anti-vm packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
PikaBot
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to check for running processes (XOR)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected PikaBot
Behaviour
Behavior Graph (ID 1354865, sample tmp96E1.dll, start date 06/12/2023, architecture WINDOWS, score 84). Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Yara detected PikaBot. Process tree: loaddll32.exe starts rundll32.exe (twice), cmd.exe and conhost.exe; the first rundll32.exe (evasive API chain, debugger detection, process hollowing) starts SearchFilterHost.exe, which starts WerFault.exe; the second rundll32.exe (writes to foreign memory regions) starts SearchFilterHost.exe, which contacts 154.61.75.156 on port 2078 (INTECHONLINE-IN, United States); cmd.exe starts a third rundll32.exe (process hollowing), which starts SearchFilterHost.exe (checks for running processes via XOR) and then WerFault.exe.
Threat name:
Win32.Trojan.PikaBot
Status:
Malicious
First seen:
2023-12-06 18:31:02 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
15 of 22 (68.18%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
8/10
Tags:
dave
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Dave packer
Unpacked files
SHA256 hash:
fae3127416910fa5eadde9518566d8632b80fd73ce3d2a33fcc1d4aa0b5c32dc
MD5 hash:
69c053684365c57dc63c5f4fa5681fa9
SHA1 hash:
dfd3cb8070999ddc09e87d1603bbdc0bb79c34f5
Detections:
win_pikabot_a0
SHA256 hash:
b5d4f82362dc4830e1ffd58d5cd529c692562317e617c5ff93e1125aad1388c5
MD5 hash:
f042844e4fdd4bdbc86c67ba02b1aeff
SHA1 hash:
56d5a4d018769feed834b18d0186cd030c1e4223
Detections:
win_pikabot_a0
SHA256 hash:
70b12617dbbaf60b6a169797cc016eda12b0b18766b6ae48b469b0aed3e73892
MD5 hash:
ff29edd54636011dc4c1c4bddb96041c
SHA1 hash:
de19e4bb427b9a2010a77e64b84204dbed76db16
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
