win.pikabot

Pikabot

Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.

References
Date | Source | Author(s) | Title | Families
2024-04-08 | Zscaler | Nikolaos Pantazopoulos | Automating Pikabot’s String Deobfuscation | Pikabot
2024-03-10 | Krakz | Pierre Le Bourhis | SysWhispers2 analysis | Pikabot
2024-02-28 | Security Intelligence | Golo Mühr, Ole Villadsen | X-Force data reveals top spam trends, campaigns and senior superlatives in 2023 | 404 Keylogger, Agent Tesla, Black Basta, DarkGate, Formbook, IcedID, Loki Password Stealer (PWS), Pikabot, QakBot, Remcos
2024-02-28 | VMRay | VMRay Labs Team | Just Carry A Ladder: Why Your EDR Let Pikabot Jump Through | Pikabot
2024-02-26 | cyber5w | Amr Ashraf | Pikabot Loader Detailed Analysis | Pikabot
2024-02-23 | Elastic | Daniel Stepanic, Salim Bitam | PIKABOT, I choose you! | Pikabot
2024-02-12 | Zscaler | Nikolaos Pantazopoulos | The (D)Evolution of Pikabot | Pikabot
2024-02-05 | YouTube (John Hammond) | John Hammond, Ryan Chapman | PikaBot Malware Analysis: Debugging in Visual Studio | Pikabot
2024-01-22 | Pulsedive | Pulsedive | Pikabot distirbution methods and capabilities | Pikabot
2024-01-21 | YouTube (Embee Research) | Embee_research | Manual Malware Decoding With Procmon - Pikabot | Pikabot
2024-01-12 | Spamhaus | Spamhaus Malware Labs | Spamhaus Botnet Threat Update Q4 2023 | FluBot, Hook, FAKEUPDATES, AsyncRAT, BianLian, Cobalt Strike, DCRat, Havoc, IcedID, Lumma Stealer, Meterpreter, NjRAT, Pikabot, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver
2024-01-09 | Trend Micro | Arianne Dela Cruz, Charles Steven Derion, Francisrey Joshua Castillo, Henry Salcedo, Ian Kenefick, John Carlo Marquez, John Rainier Navato, Joshua Aquino, Juhn Emmanuel Atanque, Raymart Yambot, Shinji Robert Arasawa | Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign | Pikabot, Water Curupira
2024-01-06 | kienmanowar Blog | m4n0w4r, Tran Trung Kien | [QuickNote] Technical Analysis of recent Pikabot Core Module | Pikabot
2023-12-26 | Github (VenzoV) | VenzoV | Pikabot Loader analysis, round 2! | Pikabot
2023-12-15 | Malwarebytes Labs | Jérôme Segura | PikaBot distributed via malicious search ads | Pikabot
2023-11-20 | Cofense | Dylan Duncan | Are DarkGate and PikaBot the new QakBot? | DarkGate, Pikabot, QakBot
2023-11-19 | OALabs | OALabs | PikaBot Is Back With a Vengeance - Part 2 | Pikabot
2023-11-12 | OALabs | OALabs | PikaBot Is Back With a Vengeance | Pikabot
2023-10-03 | Malware Traffic Analysis | Brad Duncan | 2023-10-03 (Tuesday) - PikaBot infection with Cobalt Strike | Cobalt Strike, Pikabot
2023-09-21 | Security Onion | Security Onion | Quick Malware Analysis: PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-05-23 | Pikabot
2023-07-31 | d01a | Mohamed Adel | Pikabot deep analysis | Pikabot, QakBot
2023-06-12 | Sophos | Karl Ackerman | Deep dive into the Pikabot cyber threat | Pikabot
2023-05-25 | Hive Pro | Hive Pro | Pikabot A Stealthy Backdoor with Ingenious Evasion Tactics | Pikabot
2023-05-24 | Zscaler | Brett Stone-Gross, Nikolaos Pantazopoulos | Technical Analysis of Pikabot | Pikabot
2023-02-26 | OALabs | Sergei Frankoff | PikaBot Tiny loader that seems very familiar | Pikabot
2023-02-13 | Minerva Labs | Natalie Zargarov | Beepin’ Out of the Sandbox: Analyzing a New, Extremely Evasive Malware | Pikabot
2023-02-10 | DCSO | Axel Wauer, Johann Aydinbas | #ShortAndMalicious — PikaBot and the Matanbuchus connection | Pikabot

Yara Rules
[TLP:WHITE] win_pikabot_auto (20230808 | Detects win.pikabot.)
rule win_pikabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.pikabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945f8 8b4510 8945f4 8b4510 48 }
            // n = 5, score = 900
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   48                   | dec                 eax

        $sequence_1 = { 894510 837df400 741a 8b45fc 8b4df8 8a09 }
            // n = 6, score = 900
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   741a                 | je                  0x1c
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8a09                 | mov                 cl, byte ptr [ecx]

        $sequence_2 = { 8b4df8 8a09 8808 8b45fc }
            // n = 4, score = 900
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8a09                 | mov                 cl, byte ptr [ecx]
            //   8808                 | mov                 byte ptr [eax], cl
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_3 = { 40 8945fc 8b45f8 40 8945f8 ebd3 8b4508 }
            // n = 7, score = 900
            //   40                   | inc                 eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   40                   | inc                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   ebd3                 | jmp                 0xffffffd5
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_4 = { 8945f8 ebd3 8b4508 c9 c3 55 }
            // n = 6, score = 900
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   ebd3                 | jmp                 0xffffffd5
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_5 = { 83ec0c 8b4508 8945fc 8b450c 8945f8 8b4510 }
            // n = 6, score = 900
            //   83ec0c               | sub                 esp, 0xc
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_6 = { 7ce9 8b4214 2b420c 5f }
            // n = 4, score = 800
            //   7ce9                 | jl                  0xffffffeb
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   2b420c               | sub                 eax, dword ptr [edx + 0xc]
            //   5f                   | pop                 edi

        $sequence_7 = { e8???????? ffd0 c9 c3 55 8bec }
            // n = 6, score = 800
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_8 = { 8bfa 85c9 7436 85ff }
            // n = 4, score = 700
            //   8bfa                 | mov                 edi, edx
            //   85c9                 | test                ecx, ecx
            //   7436                 | je                  0x38
            //   85ff                 | test                edi, edi

        $sequence_9 = { 8b0cba 03ce e8???????? 8bd0 }
            // n = 4, score = 700
            //   8b0cba               | mov                 ecx, dword ptr [edx + edi*4]
            //   03ce                 | add                 ecx, esi
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax

        $sequence_10 = { 8a1c08 8d4320 0fb6c8 8d53bf 80fa19 }
            // n = 5, score = 700
            //   8a1c08               | mov                 bl, byte ptr [eax + ecx]
            //   8d4320               | lea                 eax, [ebx + 0x20]
            //   0fb6c8               | movzx               ecx, al
            //   8d53bf               | lea                 edx, [ebx - 0x41]
            //   80fa19               | cmp                 dl, 0x19

        $sequence_11 = { 40 8945fc 3bc7 72d5 }
            // n = 4, score = 700
            //   40                   | inc                 eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   3bc7                 | cmp                 eax, edi
            //   72d5                 | jb                  0xffffffd7

        $sequence_12 = { 55 8bec 83ec10 53 56 8b35???????? b84d5a0000 }
            // n = 7, score = 700
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b35????????         |                     
            //   b84d5a0000           | mov                 eax, 0x5a4d

        $sequence_13 = { e8???????? 8bd0 e8???????? 3b45fc }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   e8????????           |                     
            //   3b45fc               | cmp                 eax, dword ptr [ebp - 4]

        $sequence_14 = { c3 56 8bf1 85c9 7419 85d2 7415 }
            // n = 7, score = 700
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   85c9                 | test                ecx, ecx
            //   7419                 | je                  0x1b
            //   85d2                 | test                edx, edx
            //   7415                 | je                  0x17

        $sequence_15 = { 84c0 75f6 c60100 8bc6 5e }
            // n = 5, score = 700
            //   84c0                 | test                al, al
            //   75f6                 | jne                 0xfffffff8
            //   c60100               | mov                 byte ptr [ecx], 0
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_16 = { c9 c3 64a130000000 8b4018 c3 55 }
            // n = 6, score = 600
            //   c9                   | leave               
            //   c3                   | ret                 
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   c3                   | ret                 
            //   55                   | push                ebp

    condition:
        7 of them and filesize < 1717248
}