SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pikabot (Back to overview)

Pikabot


Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.

References
2023-11-19OALabsOALabs
@online{oalabs:20231119:pikabot:321bcd8, author = {OALabs}, title = {{PikaBot Is Back With a Vengeance - Part 2}}, date = {2023-11-19}, organization = {OALabs}, url = {https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html}, language = {English}, urldate = {2023-11-27} } PikaBot Is Back With a Vengeance - Part 2
Pikabot
2023-11-12OALabsOALabs
@online{oalabs:20231112:pikabot:c0db27d, author = {OALabs}, title = {{PikaBot Is Back With a Vengeance}}, date = {2023-11-12}, organization = {OALabs}, url = {https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html}, language = {English}, urldate = {2023-11-27} } PikaBot Is Back With a Vengeance
Pikabot
2023-10-03Malware Traffic AnalysisBrad Duncan
@online{duncan:20231003:20231003:83035de, author = {Brad Duncan}, title = {{2023-10-03 (Tuesday) - PikaBot infection with Cobalt Strike}}, date = {2023-10-03}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2023/10/03/index.html}, language = {English}, urldate = {2023-11-13} } 2023-10-03 (Tuesday) - PikaBot infection with Cobalt Strike
Cobalt Strike Pikabot
2023-09-21Security OnionSecurity Onion
@online{onion:20230921:quick:0827096, author = {Security Onion}, title = {{Quick Malware Analysis: PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-05-23}}, date = {2023-09-21}, organization = {Security Onion}, url = {https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html}, language = {English}, urldate = {2023-11-13} } Quick Malware Analysis: PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-05-23
Pikabot
2023-07-31d01aMohamed Adel
@online{adel:20230731:pikabot:8393b59, author = {Mohamed Adel}, title = {{Pikabot deep analysis}}, date = {2023-07-31}, organization = {d01a}, url = {https://d01a.github.io/pikabot/}, language = {English}, urldate = {2023-08-01} } Pikabot deep analysis
Pikabot QakBot
2023-06-12SophosKarl Ackerman
@online{ackerman:20230612:deep:895f24c, author = {Karl Ackerman}, title = {{Deep dive into the Pikabot cyber threat}}, date = {2023-06-12}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/}, language = {English}, urldate = {2023-11-13} } Deep dive into the Pikabot cyber threat
Pikabot
2023-05-25Hive ProHive Pro
@techreport{pro:20230525:pikabot:460f4b0, author = {Hive Pro}, title = {{Pikabot A Stealthy Backdoor with Ingenious Evasion Tactics}}, date = {2023-05-25}, institution = {Hive Pro}, url = {https://www.hivepro.com/wp-content/uploads/2023/05/Pikabot-A-Stealthy-Backdoor-with-Ingenious-Evasion-Tactics_TA2023246.pdf}, language = {English}, urldate = {2023-11-13} } Pikabot A Stealthy Backdoor with Ingenious Evasion Tactics
Pikabot
2023-05-24ZscalerBrett Stone-Gross, Nikolaos Pantazopoulos
@online{stonegross:20230524:technical:0fd35e0, author = {Brett Stone-Gross and Nikolaos Pantazopoulos}, title = {{Technical Analysis of Pikabot}}, date = {2023-05-24}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot}, language = {English}, urldate = {2023-05-26} } Technical Analysis of Pikabot
Pikabot
2023-02-26OALabsSergei Frankoff
@online{frankoff:20230226:pikabot:5e4a367, author = {Sergei Frankoff}, title = {{PikaBot Tiny loader that seems very familiar}}, date = {2023-02-26}, organization = {OALabs}, url = {https://research.openanalysis.net/pikabot/yara/config/loader/2023/02/26/pikabot.html}, language = {English}, urldate = {2023-11-13} } PikaBot Tiny loader that seems very familiar
Pikabot
2023-02-13Minerva LabsNatalie Zargarov
@online{zargarov:20230213:beepin:d15807c, author = {Natalie Zargarov}, title = {{Beepin’ Out of the Sandbox: Analyzing a New, Extremely Evasive Malware}}, date = {2023-02-13}, organization = {Minerva Labs}, url = {https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/}, language = {English}, urldate = {2023-02-21} } Beepin’ Out of the Sandbox: Analyzing a New, Extremely Evasive Malware
Pikabot
2023-02-10DCSOJohann Aydinbas, Axel Wauer
@online{aydinbas:20230210:shortandmalicious:c26d7a5, author = {Johann Aydinbas and Axel Wauer}, title = {{#ShortAndMalicious — PikaBot and the Matanbuchus connection}}, date = {2023-02-10}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398}, language = {English}, urldate = {2023-02-15} } #ShortAndMalicious — PikaBot and the Matanbuchus connection
Pikabot
Yara Rules
[TLP:WHITE] win_pikabot_auto (20230715 | Detects win.pikabot.)
rule win_pikabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pikabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? ffd0 c9 c3 55 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_1 = { 88440de4 41 83f90c 7cf0 }
            // n = 4, score = 700
            //   88440de4             | mov                 byte ptr [ebp + ecx - 0x1c], al
            //   41                   | inc                 ecx
            //   83f90c               | cmp                 ecx, 0xc
            //   7cf0                 | jl                  0xfffffff2

        $sequence_2 = { 64a130000000 8b4068 83e070 8945fc }
            // n = 4, score = 600
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8b4068               | mov                 eax, dword ptr [eax + 0x68]
            //   83e070               | and                 eax, 0x70
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_3 = { 8945f8 8b4510 8945f4 8b4510 48 }
            // n = 5, score = 600
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   48                   | dec                 eax

        $sequence_4 = { 894510 837df400 741a 8b45fc 8b4df8 }
            // n = 5, score = 600
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   741a                 | je                  0x1c
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

        $sequence_5 = { 88440de8 41 83f909 7cf0 }
            // n = 4, score = 600
            //   88440de8             | mov                 byte ptr [ebp + ecx - 0x18], al
            //   41                   | inc                 ecx
            //   83f909               | cmp                 ecx, 9
            //   7cf0                 | jl                  0xfffffff2

        $sequence_6 = { 7ce9 8b4214 2b420c 5f }
            // n = 4, score = 600
            //   7ce9                 | jl                  0xffffffeb
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   2b420c               | sub                 eax, dword ptr [edx + 0xc]
            //   5f                   | pop                 edi

        $sequence_7 = { 88440dec 41 83f908 7cf0 }
            // n = 4, score = 600
            //   88440dec             | mov                 byte ptr [ebp + ecx - 0x14], al
            //   41                   | inc                 ecx
            //   83f908               | cmp                 ecx, 8
            //   7cf0                 | jl                  0xfffffff2

        $sequence_8 = { f30f7e05???????? 660fefc8 0f57c0 660f60c8 }
            // n = 4, score = 600
            //   f30f7e05????????     |                     
            //   660fefc8             | pxor                xmm1, xmm0
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f60c8             | punpcklbw           xmm1, xmm0

        $sequence_9 = { 8945f8 ebd3 8b4508 c9 c3 }
            // n = 5, score = 600
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   ebd3                 | jmp                 0xffffffd5
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_10 = { c20c00 33c0 c3 33c0 c3 33c0 c3 }
            // n = 7, score = 500
            //   c20c00               | ret                 0xc
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 

        $sequence_11 = { 885de8 46 8d55d4 8bce e8???????? ffd0 0fb7c0 }
            // n = 7, score = 500
            //   885de8               | mov                 byte ptr [ebp - 0x18], bl
            //   46                   | inc                 esi
            //   8d55d4               | lea                 edx, [ebp - 0x2c]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   0fb7c0               | movzx               eax, ax

        $sequence_12 = { 33c0 64a130000000 8b4002 25ff000000 8945fc }
            // n = 5, score = 500
            //   33c0                 | xor                 eax, eax
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8b4002               | mov                 eax, dword ptr [eax + 2]
            //   25ff000000           | and                 eax, 0xff
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_13 = { f644240101 7502 eb07 c745fc01000000 }
            // n = 4, score = 500
            //   f644240101           | test                byte ptr [esp + 1], 1
            //   7502                 | jne                 4
            //   eb07                 | jmp                 9
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1

    condition:
        7 of them and filesize < 961536
}
Download all Yara Rules