Windows Analysis Report
pikabot_core.bin.exe

Overview

General Information

Sample name: pikabot_core.bin.exe
Analysis ID: 1431279
MD5: f207a52477086eaf27141c780530336d
SHA1: cb3ea1f333d8b80b5ddda33bb1366a46b22dbeaa
SHA256: ce742b7cc94a5c668116d343b6a9677523dc13b358294bba3cd248fba8b880da
Tags: exe, pikabot

Detection

PikaBot
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected PikaBot
Contains functionality to check for running processes (XOR)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Pikabot
Description: Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot

AV Detection

Source: pikabot_core.bin.exe Avira: detected
Source: https://45.32.188.56/7 Avira URL Cloud: Label: malware
Source: https://45.32.188.56/ Avira URL Cloud: Label: malware
Source: https://45.32.188.56:2967/prosabbatical/4vPvU918g1sKCJV?Fummel=IFfKa&nonaccommodating=5veOCi&Leptome Avira URL Cloud: Label: malware
Source: https://45.32.188.56:2967/ Avira URL Cloud: Label: malware
Source: https://45.32.188.56:2967/al Avira URL Cloud: Label: malware
Source: pikabot_core.bin.exe ReversingLabs: Detection: 50%
Source: pikabot_core.bin.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: pikabot_core.bin.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 45.32.188.56:2967
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.188.56
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.32.188.56/
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.32.188.56/7
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.32.188.56:2967/
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.32.188.56:2967/al
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.32.188.56:2967/prosabbatical/4vPvU918g1sKCJV?Fummel=IFfKa&nonaccommodating=5veOCi&Leptome
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: 0_2_0088C6E0 NtClose, 0_2_0088C6E0
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: String function: 0088260D appears 33 times
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: String function: 008618D2 appears 78 times
Source: pikabot_core.bin.exe Binary or memory string: OriginalFilename vs pikabot_core.bin.exe
Source: pikabot_core.bin.exe, 00000000.00000000.1997154668.000000000088F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSearchFilterHost.exe@ vs pikabot_core.bin.exe
Source: pikabot_core.bin.exe, 00000000.00000002.3241955420.000000000088F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSearchFilterHost.exe@ vs pikabot_core.bin.exe
Source: pikabot_core.bin.exe Binary or memory string: OriginalFilenameSearchFilterHost.exe@ vs pikabot_core.bin.exe
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: 0_2_00855BAF SetLastError,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 0_2_00855BAF
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Mutant created: \Sessions\1\BaseNamedObjects\{F0B9756B-5D50-4696-A969-4C9AF7B69188}
Source: pikabot_core.bin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Data Obfuscation

Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: SetLastError,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 0_2_00855BAF
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: 0_2_0088C6E0 push dword ptr [0088D004h]; ret 0_2_0088C744
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B99000.00000004.00000020.00020000.00000000.sdmp, pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: 0_2_0085E4FD mov eax, dword ptr fs:[00000030h] 0_2_0085E4FD
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: 0_2_0085E511 mov eax, dword ptr fs:[00000030h] 0_2_0085E511
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: 0_2_00850279 GetTokenInformation,GetProcessHeap,FindCloseChangeNotification, 0_2_00850279
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: 0_2_0084EC90 cpuid 0_2_0084EC90
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\pikabot_core.bin.exe Code function: 0_2_0084DA84 GetUserNameW, 0_2_0084DA84

Stealing of Sensitive Information

Source: Yara match File source: pikabot_core.bin.exe, type: SAMPLE
Source: Yara match File source: 0.2.pikabot_core.bin.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.pikabot_core.bin.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3241914669.0000000000841000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1996832931.0000000000841000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: pikabot_core.bin.exe, type: SAMPLE
Source: Yara match File source: 0.2.pikabot_core.bin.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.pikabot_core.bin.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3241914669.0000000000841000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1996832931.0000000000841000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY