win.pikabot

Pikabot


Pikabot is an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Although still in an early stage of development, it already employs advanced evasion, injection, and anti-analysis techniques. Notably, the loader incorporates a range of anti-debugging and anti-VM checks inspired by the open-source Al-Khaser project and uses steganography to conceal its payload. In addition, Pikabot uses a proprietary C2 framework and supports a diverse set of commands, including host enumeration and several options for injecting secondary payloads.

References
2023-05-24ZscalerBrett Stone-Gross, Nikolaos Pantazopoulos
@online{stonegross:20230524:technical:0fd35e0, author = {Brett Stone-Gross and Nikolaos Pantazopoulos}, title = {{Technical Analysis of Pikabot}}, date = {2023-05-24}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot}, language = {English}, urldate = {2023-05-26} } Technical Analysis of Pikabot
Pikabot
2023-02-13Minerva LabsNatalie Zargarov
@online{zargarov:20230213:beepin:d15807c, author = {Natalie Zargarov}, title = {{Beepin’ Out of the Sandbox: Analyzing a New, Extremely Evasive Malware}}, date = {2023-02-13}, organization = {Minerva Labs}, url = {https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/}, language = {English}, urldate = {2023-02-21} } Beepin’ Out of the Sandbox: Analyzing a New, Extremely Evasive Malware
Pikabot
2023-02-10DCSOJohann Aydinbas, Axel Wauer
@online{aydinbas:20230210:shortandmalicious:c26d7a5, author = {Johann Aydinbas and Axel Wauer}, title = {{#ShortAndMalicious — PikaBot and the Matanbuchus connection}}, date = {2023-02-10}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398}, language = {English}, urldate = {2023-02-15} } #ShortAndMalicious — PikaBot and the Matanbuchus connection
Pikabot
Yara Rules
[TLP:WHITE] win_pikabot_auto (20230407 | Detects win.pikabot.)
// Auto-generated code-sequence signature for win.pikabot (see meta below).
// Each $sequence_N holds raw 32-bit x86 opcode bytes; the disassembly of every
// instruction is reproduced in the comment block under the string. Per the
// DISCLAIMER, the bytes were selected from memory dumps and unpacked files, so
// the rule is meant for unpacked code or memory scans rather than packed
// on-disk samples (confirm against your own sample set before relying on it).
// Hex-string wildcards (`??`) stand in for bytes that vary between builds,
// e.g. the rel32 target of an e8 call or an absolute memory operand.
rule win_pikabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.pikabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE: the first three instructions of $sequence_0 also appear in
        // $sequence_6 (psllq/por/sub esi,4); the two differ only in the trailing
        // jump, so hits on both are not fully independent evidence.
        $sequence_0 = { 660ff3d3 660febca 83ee04 0f844affffff }
            // n = 4, score = 200
            //   660ff3d3             | psllq               xmm2, xmm3
            //   660febca             | por                 xmm1, xmm2
            //   83ee04               | sub                 esi, 4
            //   0f844affffff         | je                  0xffffff50

        $sequence_1 = { 55 ff742458 e8???????? 8b74247c 8b542478 8b7c243c 880432 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   ff742458             | push                dword ptr [esp + 0x58]
            //   e8????????           |                     (call; rel32 target wildcarded)
            //   8b74247c             | mov                 esi, dword ptr [esp + 0x7c]
            //   8b542478             | mov                 edx, dword ptr [esp + 0x78]
            //   8b7c243c             | mov                 edi, dword ptr [esp + 0x3c]
            //   880432               | mov                 byte ptr [edx + esi], al

        $sequence_2 = { 7df0 83c610 741e 8bd6 85ff 741f f30f6f0b }
            // n = 7, score = 200
            //   7df0                 | jge                 0xfffffff2
            //   83c610               | add                 esi, 0x10
            //   741e                 | je                  0x20
            //   8bd6                 | mov                 edx, esi
            //   85ff                 | test                edi, edi
            //   741f                 | je                  0x21
            //   f30f6f0b             | movdqu              xmm1, xmmword ptr [ebx]

        $sequence_3 = { 56 8bf1 81f637170000 8d8133010000 57 3bf0 0f8faf000000 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   81f637170000         | xor                 esi, 0x1737
            //   8d8133010000         | lea                 eax, [ecx + 0x133]
            //   57                   | push                edi
            //   3bf0                 | cmp                 esi, eax
            //   0f8faf000000         | jg                  0xb5

        $sequence_4 = { 81f710150000 031e 2bc8 8b86a0000000 03442438 50 8b442414 }
            // n = 7, score = 200
            //   81f710150000         | xor                 edi, 0x1510
            //   031e                 | add                 ebx, dword ptr [esi]
            //   2bc8                 | sub                 ecx, eax
            //   8b86a0000000         | mov                 eax, dword ptr [esi + 0xa0]
            //   03442438             | add                 eax, dword ptr [esp + 0x38]
            //   50                   | push                eax
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]

        $sequence_5 = { a2???????? 0fb6c0 0fb63c08 8b442434 0fb63410 33d2 8b44245c }
            // n = 7, score = 200
            //   a2????????           |                     (absolute memory operand wildcarded)
            //   0fb6c0               | movzx               eax, al
            //   0fb63c08             | movzx               edi, byte ptr [eax + ecx]
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   0fb63410             | movzx               esi, byte ptr [eax + edx]
            //   33d2                 | xor                 edx, edx
            //   8b44245c             | mov                 eax, dword ptr [esp + 0x5c]

        $sequence_6 = { 660f6ed9 83c120 660ff3d3 660febca 83ee04 7425 b808000000 }
            // n = 7, score = 200
            //   660f6ed9             | movd                xmm3, ecx
            //   83c120               | add                 ecx, 0x20
            //   660ff3d3             | psllq               xmm2, xmm3
            //   660febca             | por                 xmm1, xmm2
            //   83ee04               | sub                 esi, 4
            //   7425                 | je                  0x27
            //   b808000000           | mov                 eax, 8

        $sequence_7 = { 2b4824 01487c 81ffa8060000 0f8c71ffffff 81f636160000 5f 8bc6 }
            // n = 7, score = 200
            //   2b4824               | sub                 ecx, dword ptr [eax + 0x24]
            //   01487c               | add                 dword ptr [eax + 0x7c], ecx
            //   81ffa8060000         | cmp                 edi, 0x6a8
            //   0f8c71ffffff         | jl                  0xffffff77
            //   81f636160000         | xor                 esi, 0x1636
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi

        $sequence_8 = { 83c420 c3 8b542438 ff0d???????? b8ffff0000 6603e8 b9e0080000 }
            // n = 7, score = 200
            //   83c420               | add                 esp, 0x20
            //   c3                   | ret                 
            //   8b542438             | mov                 edx, dword ptr [esp + 0x38]
            //   ff0d????????         |                     (absolute memory operand wildcarded)
            //   b8ffff0000           | mov                 eax, 0xffff
            //   6603e8               | add                 bp, ax
            //   b9e0080000           | mov                 ecx, 0x8e0

        // NOTE: this sequence reads as a generic function epilogue followed by
        // alignment padding (lea esp, [esp]) and the next function's prologue;
        // it is likely to occur in unrelated binaries and so adds little
        // specificity on its own.
        $sequence_9 = { 5b 5f 5e c3 8da42400000000 8da42400000000 56 }
            // n = 7, score = 200
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   8da42400000000       | lea                 esp, [esp]
            //   8da42400000000       | lea                 esp, [esp]
            //   56                   | push                esi

    condition:
        // At least 7 of the 10 sequences must match. The size bound (~313 KiB)
        // presumably reflects the sizes of the samples the rule was generated
        // from — confirm against current samples before relaxing it, and keep in
        // mind it does not apply to process-memory scans in the same way.
        7 of them and filesize < 320512
}