MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pikabot

Vendor detections: 10



SHA256 hash: 7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e
SHA3-384 hash: d9937f87fe8a23c79761a7778ee753bbe38cabb21f57588c1390c7491cee9644de9f504d1e2bb4d03d1dffb0bf0d69cb
SHA1 hash: 98f371d5bb067d6b7df902b10957fb01ca711468
MD5 hash: 8cca982603318de80b079f064ffbe5f1
humanhash: butter-maine-floor-helium
File name: 163520.png
Signature: Pikabot
File size: 489'984 bytes
First seen: 2024-02-13 22:05:54 UTC
Last seen: 2024-02-13 23:22:53 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 370ebde54530b2016d14ffc9556403dc (5 x Pikabot)
ssdeep: 12288:5+PBp4JFF6iIJoLjIE5fMc/PrTLVo4mdFw:5bJaKEw7PrTL246Fw
TLSH: T126A4BF557983C4B6D9BF04306534A769C52D79349FA0CDCFA3A0396A0E362C19B31BBB
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: pr0xylife
Tags: dll, Pikabot

Intelligence


File Origin
# of uploads: 2
# of downloads: 417
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating synchronization primitives
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: explorer, fingerprint, lolbin, masquerade, packed, regsvr32, shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Register DLL with spoofed extension
Snort IDS alert for network traffic
Behaviour
Behavior Graph (ID 1391795; sample 163520.png.dll; start date 13/02/2024; architecture WINDOWS; score 80):
Signatures on the sample: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Sigma detected: Register DLL with spoofed extension; 2 other signatures
Process tree:
  loaddll32.exe (signature: Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent))
    regsvr32.exe
      ctfmon.exe
        network: 37.60.242.86:2967 (source port 49755), SINGLEHOP-LLCUS, Bulgaria
        network: 103.82.243.5:13785 (source port 49753), EXBCOID-AS-APPTEXABYTESNETWORKINDONESIAID, Indonesia
        network: 7 other IPs or domains
    cmd.exe
      rundll32.exe
        WerFault.exe
        ctfmon.exe
    rundll32.exe
      WerFault.exe
      ctfmon.exe
    4 other processes
      ctfmon.exe
      ctfmon.exe
Threat name: Win32.Trojan.Pikabot
Status: Malicious
First seen: 2024-02-13 18:26:24 UTC
File Type: PE (Dll)
Extracted files: 2
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: 7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e
MD5 hash: 8cca982603318de80b079f064ffbe5f1
SHA1 hash: 98f371d5bb067d6b7df902b10957fb01ca711468
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: meth_stackstrings
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.
