BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Pikabot

70
Global rank
39 infographic chevron month
Month rank
50 infographic chevron week
Week rank
429
IOCs

Pikabot is a trojan malware with a focus on loader capabilities. Pikabot is also used for other activities, such as executing commands on the infected system. The earlier versions of the malware made use of extensive code obfuscation to evade detection. Upon infection, it collects system information and sends it to command-and-control servers.

Loader
Type
ex-USSR
Origin
1 February, 2023
First seen
10 April, 2024
Last seen

How to analyze Pikabot with ANY.RUN

Type
ex-USSR
Origin
1 February, 2023
First seen
10 April, 2024
Last seen

IOCs

IP addresses
89.117.2.34
89.117.2.33
103.82.243.5
148.113.141.220
109.199.99.131
204.44.125.68
23.226.138.161
37.60.242.86
85.239.243.155
154.38.175.241
145.239.135.24
198.44.187.12
104.129.55.105
155.94.208.137
86.38.225.106
37.60.242.85
141.95.108.252
66.135.31.146
57.128.83.129
161.97.98.95
Hashes
7ba64c7c6f55277bcc9ecf5c1ca70a6ee7626236a28bb61056d15a72df31e0f3
Domains
vmd129057.contaboserver.net
zuum.firstbasedso.com
anadesky.firstbasedso.com
siack.firstbasedso.com
adguard.info
allcompanycenter.com
getfnewssolutions.com
buildmateindia.com
stockinvestlab.net
blockcentersys.net
neobeelab.net
prettyanimals.net
gift4animals.com
buyadvisershop.net
startuptechnologyw.net
polymersanaat.com
agriformexico.com
webtv24.org
melbournerollershutters.net.au
ppgfans.com
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q1, 2024
watchers 156
comments 0
post image
Understand Encryption in Malware: From Basics...
watchers 547
comments 0
post image
ANY.RUN for Enterprises: Learn About Our Most...
watchers 298
comments 0

What is Pikabot malware?

Pikabot, a loader malware, made its first appearance in the cybersecurity realm in February 2023. This malicious software is recognized for its wide array of anti-analysis features and flexible capabilities that have made it a popular choice among many attackers.

The malware functions through two key modules: the loader and the core. The loader initiates the malware's operations, while the core houses its primary functionalities. Pikabot shows signs of continuous evolution, as its latest version appeared in February 2024, exhibiting notable differences from its original builds.

The resemblances between Pikabot and Qakbot have led to assumptions that they could be the work of the same malware developers. Pikabot has also been utilized in campaigns orchestrated by the threat actor TA577, where it was disseminated in conjunction with the DarkGate malware.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Pikabot malware technical details

Criminals leverage Pikabot for various harmful activities which include:

  • Executing Commands via cmd.exe: Pikabot can execute commands on the compromised system using the Windows Command Prompt (cmd.exe).
  • Terminating the Current Process: Pikabot has the capability to self-terminate.
  • Injecting and Executing Downloaded Shellcode: The malware can download shellcode from its command-and-control (C2) server and inject it into other running processes.
  • Injecting Downloaded DLL and EXE Files: Pikabot can also download and inject DLL and executable files.

In its earlier iterations, the Pikabot trojan utilized a combination of AES-CBC and RC4 key to encrypt strings. The new version demonstrates a shift towards less complex obfuscation and only occasional use of RC4.

Another notable difference between the early variants of the malware and its newest form is the approach to storing a configuration. While the first builts contained hardcoded configs, the newer iterations tend to download them from the command and control (C2) server.

The Pikabot malware is particularly skilled at evading sandbox detection. One way it does this is by postponing its execution until the sandbox analysis period has expired. The malware also integrates junk code among legitimate instructions to further complicate analysis.

Pikabot uses regex to dynamically generate file names and other data. This lets the malware hide its code and evade detection by security tools that rely on signatures.

Pikabot initiates its operations by registering the compromised host with the C2 servers. This process involves gathering system information and submitting it to the C2 server via an HTTPS POST request. The gathered data encompasses. The data collected by Pikabot is encoded using standard Base64 and then encrypted using AES. The malware collects the following information about the system:

  • Network Information: This includes details about the network connections, IP addresses, etc.
  • User and Group Information: Pikabot collects usernames and other related details.
  • Windows Build Information: The malware gathers data about the Windows operating system installed on the system, including the version and build number.
  • Generic Host Information: This includes various details about the system's hardware and software configuration, such as the amount of available RAM.
  • Additional Host Information: Depending on the commands received from the command-and-control (C2) server, Pikabot can collect extra info about the compromised system, including screenshots.

Pikabot execution process

Let’s upload a sample of Pikabot to the ANY.RUN sandbox to conduct a Pikabot malware analysis sessions and observe its execution process in detail.

Pikabot malware initiates its execution chain by leveraging phishing emails or malicious downloads to infiltrate a system. Once inside, it employs PowerShell scripts or macros to download additional payloads from a remote server.

Pikabot then uses living-off-the-land techniques, such as exploiting legitimate system processes like "ctfmon.exe," to evade detection and maintain persistence. This process, commonly used for language and input services, is hijacked to execute malicious code while appearing benign.

The malware establishes communication with its command-and-control (C2) server, receiving instructions and exfiltrating sensitive data. It can also spread laterally across networks, exploiting vulnerabilities or using stolen credentials.

Throughout its execution, Pikabot employs various obfuscation and evasion techniques to avoid detection by security solutions.

Pikabot process graph in ANY.RUN Pikabot process graph demonstrated in ANY.RUN

Pikabot malware distribution methods

Just as in the case of other widespread malware, such as Remcos and NjRAT, Pikabot has been observed to be distributed primarily via phishing emails. Attackers usually employ multi-stage attacks that begin with an email that ask users to perform certain activities, such as clicking a link or opening a weaponized attachment. From there, the infection begins.

Another notable attack involving Pikabot occurred in 2023 when attackers utilized malvertising. As part of their campaign, they employed Google Ads to promote a fake website with a download link for AnyDesk, a remote desktop software. After running the installer file, the victim’s system became compromised and infected with Pikabot.

Conclusion

Pikabot is a sophisticated trojan malware that has the potential to significantly disrupt the affected infrastructure. Thanks to its anti-analysis features, it can be a challenge for certain security solutions to detect it. Therefore, it is impossible to use reliable solutions that timely implement updates to keep up with the new version of Pikabot.

Use ANY.RUN, a cloud-based sandbox, for analyzing suspicious files and links to identify Pikabot and other malware families. The service lets you gain an in-depth look at the behavior of any malware in a completely safe and secure environment. ANY.RUN generates detailed reports on the analyzed threats that contain all the essential information, including Pikabot IOCs (indicators of compromise) and TTPs, needed for making better security decisions.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy