Source: pikabot_core.bin.exe |
Avira: detected |
Source: https://45.32.188.56/7 |
Avira URL Cloud: Label: malware |
Source: https://45.32.188.56/ |
Avira URL Cloud: Label: malware |
Source: https://45.32.188.56:2967/prosabbatical/4vPvU918g1sKCJV?Fummel=IFfKa&nonaccommodating=5veOCi&Leptome |
Avira URL Cloud: Label: malware |
Source: https://45.32.188.56:2967/ |
Avira URL Cloud: Label: malware |
Source: https://45.32.188.56:2967/al |
Avira URL Cloud: Label: malware |
Source: pikabot_core.bin.exe |
ReversingLabs: Detection: 50% |
Source: pikabot_core.bin.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: pikabot_core.bin.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: global traffic |
TCP traffic: 192.168.2.5:49707 -> 45.32.188.56:2967 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.32.188.56 |
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://45.32.188.56/ |
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://45.32.188.56/7 |
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://45.32.188.56:2967/ |
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://45.32.188.56:2967/al |
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://45.32.188.56:2967/prosabbatical/4vPvU918g1sKCJV?Fummel=IFfKa&nonaccommodating=5veOCi&Leptome |
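The rows above record connections to 45.32.188.56 that no DNS lookup preceded, the classic sign of a hard-coded C2 address. The following detection is an added example, not part of the sandbox report: it replays constructed DNS-answer and connection events (Zeek-like shapes with assumed field names) and flags TCP flows to public destinations that no earlier DNS answer resolved. Only the 45.32.188.56:2967 destination is taken from the report; every other address, name and timestamp is made up.

```python
"""Added example (not part of the sandbox report): detect TCP connections to
public destinations that no prior DNS answer resolved, the behaviour the
report records as "TCP traffic detected without corresponding DNS query".
Event shapes and field names are assumptions; the events are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    ts: float                  # epoch seconds when the answer was observed
    query: str                 # name that was queried
    answers: Tuple[str, ...]   # addresses returned


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_local_destination(ip: str) -> bool:
    """Private, loopback, link-local and multicast destinations never need a
    lookup, so they are excluded from the check."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_multicast


def flag_dnsless_connections(dns: Iterable[DnsAnswer], conns: Iterable[Conn],
                             lookback_s: float = 3600.0,
                             ignore_ports: Tuple[int, ...] = (53,)) -> List[Conn]:
    """Return TCP connections whose destination was not returned by any DNS
    answer seen within lookback_s *before* the connection. An answer seen
    after the connection cannot have produced it and does not count.
    Port-53 flows are the lookups themselves and are skipped."""
    resolved = [(a.ts, ip) for a in dns for ip in a.answers]
    flagged = []
    for c in sorted(conns, key=lambda c: c.ts):
        if c.proto != "tcp" or c.dport in ignore_ports or is_local_destination(c.dst):
            continue
        resolved_before = any(
            ip == c.dst and c.ts - lookback_s <= ts <= c.ts for ts, ip in resolved
        )
        if not resolved_before:
            flagged.append(c)
    return flagged


def summarize(flagged: Iterable[Conn]) -> dict:
    """Group flagged flows by destination: {dst_ip: sorted list of ports}."""
    out = {}
    for c in flagged:
        out.setdefault(c.dst, set()).add(c.dport)
    return {ip: sorted(ports) for ip, ports in out.items()}


# Constructed events. Only 45.32.188.56:2967 comes from the report; the other
# addresses, names and timestamps are made up for this example.
SAMPLE_DNS = [
    DnsAnswer(ts=1000.0, query="update.example.net", answers=("93.184.216.34",)),
    DnsAnswer(ts=1300.0, query="late.example.org", answers=("93.184.215.14",)),
]
SAMPLE_CONNS = [
    Conn(ts=1005.0, src="192.168.2.5", dst="93.184.216.34", dport=443),  # resolved first
    Conn(ts=1010.0, src="192.168.2.5", dst="45.32.188.56", dport=2967),  # no lookup
    Conn(ts=1012.0, src="192.168.2.5", dst="45.32.188.56", dport=443),   # no lookup
    Conn(ts=1020.0, src="192.168.2.5", dst="192.168.2.1", dport=445),    # local, skipped
    Conn(ts=1030.0, src="192.168.2.5", dst="8.8.8.8", dport=53),         # the lookup itself
    Conn(ts=1200.0, src="192.168.2.5", dst="93.184.215.14", dport=443),  # answer came later
]


if __name__ == "__main__":
    for ip, ports in summarize(flag_dnsless_connections(SAMPLE_DNS, SAMPLE_CONNS)).items():
        print(f"{ip}: ports {ports}")
```

The look-back window matters in production: a host that resolved the name hours earlier and reconnects from cache will show no fresh lookup, so tune `lookback_s` to the TTLs you actually see rather than treating every miss as a hard-coded address.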
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0088C6E0 NtClose, |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00876489 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0085C49C |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084F4EC |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00874222 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0086E233 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084843C |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0085BC4A |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084DE57 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00855661 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00850279 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0085D07B |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084E380 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00872B99 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00855BAF |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084E7AA |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084FFD0 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084D1F2 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00861B3E |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0087AB3A |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00853B7B |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0085E6A6 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_008448A8 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00871AA8 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0087D6BB |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00888EC9 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_008844DE |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0087BAD0 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084B4DD |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00874CFE |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_008462FE |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0085E809 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0088B04C |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0086FA55 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0086027C |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0087CBB5 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_008669BB |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00886FD9 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00885FE8 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00857FEE |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0086D3ED |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084C1FB |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00870316 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00877518 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00851522 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00882723 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0085252B |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00889547 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0086C968 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: String function: 0088260D appears 33 times |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: String function: 008618D2 appears 78 times |
Source: pikabot_core.bin.exe |
Binary or memory string: OriginalFilename vs pikabot_core.bin.exe |
Source: pikabot_core.bin.exe, 00000000.00000000.1997154668.000000000088F000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameSearchFilterHost.exe@ vs pikabot_core.bin.exe |
Source: pikabot_core.bin.exe, 00000000.00000002.3241955420.000000000088F000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameSearchFilterHost.exe@ vs pikabot_core.bin.exe |
Source: pikabot_core.bin.exe |
Binary or memory string: OriginalFilenameSearchFilterHost.exe@ vs pikabot_core.bin.exe |
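The rows above show the version resource claiming OriginalFilename SearchFilterHost.exe (a legitimate Windows Search binary name) while the file runs as pikabot_core.bin.exe. The check below is an added example, not part of the sandbox report or of any tool it uses: it scans raw bytes (a file or a memory dump) for the OriginalFilename entry of a VS_VERSIONINFO StringTable and compares it with the name the file runs under. The input bytes are constructed with a small builder; they are not taken from the real sample.

```python
"""Added example, not from the sandbox report: read the OriginalFilename
field of a PE's VS_VERSIONINFO resource from raw bytes and compare it with
the name the file runs under. Input bytes below are constructed."""
import struct
from typing import Optional

# szKey of the String entry: "OriginalFilename" in UTF-16LE plus its NUL.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(data: bytes, off: int, max_chars: int = 260) -> str:
    """Read a NUL-terminated UTF-16LE string starting at off."""
    units = []
    for i in range(max_chars):
        pos = off + 2 * i
        unit = data[pos:pos + 2]
        if len(unit) < 2 or unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le", errors="replace")


def read_original_filename(data: bytes) -> Optional[str]:
    """Scan for the String entry
    {WORD wLength; WORD wValueLength; WORD wType; szKey; szValue}.
    The 6-byte header plus the 34-byte key already ends on a DWORD boundary,
    so szValue follows the key with no padding. wType == 1 marks text data
    and wValueLength counts UTF-16 units including the terminator."""
    idx = data.find(KEY)
    while idx != -1:
        hdr = idx - 6
        if hdr >= 0:
            _w_len, w_vallen, w_type = struct.unpack_from("<HHH", data, hdr)
            if w_type == 1 and w_vallen > 0:
                value = _read_utf16z(data, idx + len(KEY), max_chars=w_vallen)
                if value:
                    return value
        idx = data.find(KEY, idx + 1)
    return None


def check_masquerade(data: bytes, running_name: str) -> dict:
    """Compare the embedded OriginalFilename with the on-disk name, case-insensitively."""
    original = read_original_filename(data)
    return {
        "original": original,
        "running": running_name,
        "mismatch": original is not None and original.casefold() != running_name.casefold(),
    }


def build_string_entry(key: str, value: str) -> bytes:
    """Constructed String entry for test input only; mirrors the layout above,
    padding szKey to a DWORD boundary relative to the entry start."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k + b"\x00" * ((-(6 + len(k))) % 4) + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed inputs: 40 bytes of filler keeps the entry DWORD-aligned, as a
# resource section would. The spoofed value matches the report's row.
SAMPLE_SPOOFED = b"\x00" * 40 + build_string_entry("OriginalFilename", "SearchFilterHost.exe") + b"\x00" * 8
SAMPLE_HONEST = b"\x00" * 40 + build_string_entry("OriginalFilename", "notepad.exe") + b"\x00" * 8


if __name__ == "__main__":
    print(check_masquerade(SAMPLE_SPOOFED, "pikabot_core.bin.exe"))
```

A mismatch on its own is weak evidence (renamed installers and copied tools trigger it too); combined with a non-Microsoft signature status and a system binary name such as SearchFilterHost.exe it is worth a hunt query. The scan works on memory dumps as well, which is how the sandbox surfaced the string from the .sdmp regions listed above.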
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/0@0/1 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00855BAF SetLastError,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Mutant created: \Sessions\1\BaseNamedObjects\{F0B9756B-5D50-4696-A969-4C9AF7B69188} |
Source: pikabot_core.bin.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: netapi32.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: logoncli.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00855BAF SetLastError,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0088C6E0 push dword ptr [0088D004h]; ret |
0_2_0088C744 |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B99000.00000004.00000020.00020000.00000000.sdmp, pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B51000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0085E4FD mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0085E511 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_00850279 GetTokenInformation,GetProcessHeap,FindCloseChangeNotification, |
Source: C:\Users\user\Desktop\pikabot_core.bin.exe |
Code function: 0_2_0084DA84 GetUserNameW, |
Source: Yara match |
File source: pikabot_core.bin.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.pikabot_core.bin.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.pikabot_core.bin.exe.840000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3241914669.0000000000841000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.1996832931.0000000000841000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
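Reports in this layout are usually consumed by pasting rows into a ticket. The parser below is an added example, not part of the report or of the sandbox vendor's tooling: it pairs each "Source:" line with the detail line that follows, drops the page residue, and pulls the network endpoints, URLs, mutex name and registry keys out as indicators. SAMPLE_ROWS is an excerpt of the rows above; nothing about the format is assumed beyond what those rows show, and the default ports used for URLs without an explicit port (443 for https, 80 for http) are the usual ones.

```python
"""Added example, not part of the report: parse rows in the "Source: ... |" /
"detail ... |" layout used above and extract indicators from them.
SAMPLE_ROWS is an excerpt of the report's own rows."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

SAMPLE_ROWS = """\
Source: https://45.32.188.56:2967/al |
Avira URL Cloud: Label: malware |
Source: global traffic |
TCP traffic: 192.168.2.5:49707 -> 45.32.188.56:2967 |
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://45.32.188.56/7 |
Source: pikabot_core.bin.exe, 00000000.00000002.3242063777.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://45.32.188.56:2967/prosabbatical/4vPvU918g1sKCJV?Fummel=IFfKa&nonaccommodating=5veOCi&Leptome |
Source: C:\\Users\\user\\Desktop\\pikabot_core.bin.exe |
Mutant created: \\Sessions\\1\\BaseNamedObjects\\{F0B9756B-5D50-4696-A969-4C9AF7B69188} |
Source: C:\\Users\\user\\Desktop\\pikabot_core.bin.exe |
Key opened: HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers |
Jump to behavior |
"""

TCP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
RESIDUE = {"Jump to behavior"}  # interactive-page text that carries no data


def parse_rows(text: str) -> List[Tuple[str, str]]:
    """Pair each 'Source:' line with the detail line that follows it,
    stripping the trailing ' |' column separator and page residue."""
    records, source = [], None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line or line in RESIDUE:
            continue
        if line.startswith("Source: "):
            source = line[len("Source: "):]
        elif source is not None:
            records.append((source, line))
            source = None
    return records


def extract_iocs(records: List[Tuple[str, str]]) -> Dict[str, list]:
    """Collect URLs, (host, port) endpoints, mutex base names and registry keys."""
    urls, endpoints, mutexes, keys = set(), set(), set(), set()
    for source, detail in records:
        # URLs appear either as the Source itself or after a "...: " prefix.
        for candidate in (source, detail.split(": ", 1)[-1]):
            if candidate.startswith(("http://", "https://")):
                urls.add(candidate)
        m = TCP_RE.search(detail)
        if detail.startswith("TCP traffic:") and m:
            endpoints.add((m.group(3), int(m.group(4))))
        if detail.startswith("Mutant created: "):
            # The \Sessions\<n>\BaseNamedObjects\ prefix varies per logon
            # session; only the base name is a reusable indicator.
            mutexes.add(detail.split("\\BaseNamedObjects\\", 1)[-1])
        if detail.startswith(("Key opened: ", "Key value queried: ")):
            keys.add(detail.split(": ", 1)[1])
    for u in urls:
        parts = urlsplit(u)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        endpoints.add((parts.hostname, port))
    return {
        "urls": sorted(urls),
        "endpoints": sorted(endpoints),
        "mutexes": sorted(mutexes),
        "registry_keys": sorted(keys),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(parse_rows(SAMPLE_ROWS)).items():
        print(kind, values)
```

Note that the URLs yield two endpoints for the same address, 45.32.188.56:443 (from the portless https URLs) and 45.32.188.56:2967, while the sandbox only observed traffic to 2967; block both, but treat only 2967 as confirmed by the run.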