MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pikabot

Vendor detections: 11

Intelligence 11 IOCs YARA 10 File information Comments

SHA256 hash:	89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9
SHA3-384 hash:	5676c43bc335fa48f12bbb0198dc04c6d22509f3f60760e1916d6f91a1ec56399d5d8153f22e4b483b3371621c31ddf1
SHA1 hash:	bbe00380a62900c286d8506a040d99718dfd8932
MD5 hash:	f316f291a2998d6bbce2674c8aa3f349
humanhash:	crazy-alpha-potato-arkansas
File name:	Ngjhjhjda.exe
Download:	download sample
Signature	Pikabot Create hunting rule
File size:	3'407'968 bytes
First seen:	2024-02-22 12:31:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5e4731b579fcbf2ee2d5b665a7fef172 (2 x Pikabot, 1 x RiseProStealer)
ssdeep	49152:DCXtvRXOhEc2MgyyuTEGQp8EamZaFChW7ZaxJmLufu4a:DCxRXOhEc2MgJHTp+isLf
TLSH	T15EF54C647D8FC1ABF2C20231CDA4A76D11A89EB81B3142FBF69B770B69549D05B33721
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	4141692931514141 (2 x Pikabot, 1 x DCRat, 1 x RiseProStealer)
Reporter	pr0xylife
Tags:	exe Pikabot signed

Code Signing Certificate

Organisation:	A.P.Hernandez Consulting s.r.o.
Issuer:	SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2024-01-25T16:51:40Z
Valid to:	2025-01-24T16:51:40Z
Serial number:	2941d5f8758501f9dbc4ba158058c3b5
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	a982917ba6de9588f0f7ed554223d292524e832c1621acae9ad11c0573df54a5
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

445

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/477408/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Connection attempt to an infection source

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint keylogger lolbin msiexec overlay packed shell32

Link:

https://www.filescan.io/uploads/65d73ecdb7fbcf60a476a1e6/reports/dd67fdf7-9fae-4def-9748-730edd453adf/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c4915ef4-198f-4aba-81ed-81b29cd4dce6

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1396924

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9/

Threat name:

Win32.Trojan.Pikabot

Status:

Malicious

First seen:

2024-02-22 10:40:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rhofaasig3422qdfasr3orc5fbhjp3c5v7oy6j2b6slmvscmzwuq._file

Verdict:

malicious

Result

Malware family:

pikabot

Score:

10/10

Tags:

family:pikabot botnet dave

Link:

https://tria.ge/reports/240222-pqlqkshb2w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

PikaBot

Malware Config

C2 Extraction:

141.95.106.106
104.129.55.106
104.129.55.105
23.226.138.161
145.239.135.24
85.239.243.155
23.226.138.143
57.128.165.176
178.18.246.136

Unpacked files

SH256 hash:

c3cadc1fc02024ebdca7e49d95236da7fa996c5c1aaed6732b5ce0838fa8bf0d

MD5 hash:

009e53058ed0fe86015504faca92f0a5

SHA1 hash:

f43b1ef302b4c1538179b04ce767424719094c16

Link:

https://www.unpac.me/results/a4b222dc-c8b7-4c4a-b989-6c94720bac38/

SH256 hash:

89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9

MD5 hash:

f316f291a2998d6bbce2674c8aa3f349

SHA1 hash:

bbe00380a62900c286d8506a040d99718dfd8932

Link:

https://www.unpac.me/results/a4b222dc-c8b7-4c4a-b989-6c94720bac38/

Malware family:

Pikabot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/89dc50024836/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.95

Link:

https://yomi.yoroi.company/submissions/89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Windows_Generic_Threat_1417511b Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/477408/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample