Pikabot Fake DLL Extension Execution Via Rundll32.EXE

 1title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
 2id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
 3status: experimental
 4description: |
 5        Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
 6references:
 7    - https://github.com/pr0xylife/Pikabot
 8    - https://tria.ge/231004-tp8k6sch9t/behavioral2
 9    - https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior
10    - https://tria.ge/231212-r1bpgaefar/behavioral2
11author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
12date: 2024-01-26
13tags:
14    - detection.emerging-threats
15    - attack.defense-evasion
16    - attack.execution
17logsource:
18    product: windows
19    category: process_creation
20detection:
21    selection:
22        ParentImage|endswith:
23            - '\cmd.exe'
24            - '\cscript.exe'
25            - '\mshta.exe'
26            - '\powershell.exe'
27            - '\pwsh.exe'
28            - '\regsvr32.exe'
29            - '\wscript.exe'
30        Image|endswith: '\rundll32.exe'
31        CommandLine|contains:
32            - ':\ProgramData\'
33            - ':\Users\Public\'
34            - ':\Windows\Installer\'
35            - '\AppData\Local\Temp\'
36            - '\AppData\Roaming\'
37    filter_main_known_extension:
38        - CommandLine|contains:
39              - '.cpl '
40              - '.cpl,'
41              - '.dll '
42              - '.dll,'
43              - '.inf '
44              - '.inf,'
45        - CommandLine|endswith:
46              - '.cpl'
47              - '.cpl"'
48              - '.dll'
49              - '.dll"'
50              - '.inf'
51              - '.inf"'
52              - ".cpl'"
53              - ".dll'"
54              - ".inf'"
55    condition: selection and not 1 of filter_main_*
56falsepositives:
57    - Unknown
58level: high

References

• GitHub - pr0xylife/Pikabot

  

  Contribute to pr0xylife/Pikabot development by creating an account on GitHub.

  
  Read More

• b6269018ac32484bdc093a6bec324fc9aa7990104a297f55600d31bff95ed6fd | Triage

  Check this report malware sample b6269018ac32484bdc093a6bec324fc9aa7990104a297f55600d31bff95ed6fd, with a score of 7 out of 10.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

• 4a6d8020b61623b5a13a4fc27c5de1d1ae71c56b456b9646e1c5711f94caab82 | Triage

  Check this report malware sample 4a6d8020b61623b5a13a4fc27c5de1d1ae71c56b456b9646e1c5711f94caab82, with a score of 8 out of 10.

  
  Read More

Related rules

• APT29 2018 Phishing Campaign CommandLine Indicators
• Fireball Archer Install
• Goofy Guineapig Backdoor IOC
• Greenbug Espionage Group Indicators
• Operation Wocao Activity