{
	"id": "e1278d78-e4bc-4ee9-88e3-c3463b4d16e0",
	"created_at": "2026-04-06T00:13:31.196093Z",
	"updated_at": "2026-04-10T03:20:55.810264Z",
	"deleted_at": null,
	"sha1_hash": "8063345463b981f53cb3c4230650f94944ca2f4a",
	"title": "PikaBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40143,
	"plain_text": "PikaBot\r\nPublished: 2023-02-26 · Archived: 2026-04-05 14:21:34 UTC\r\nfrom dumpulator import Dumpulator\r\n\r\nstack_strings = [{'start': 5902456, 'end': 5902507, 'op_offset': -48}, {'start': 5902507, 'end': 5902\r\n\r\ndef emulate(start, end, op_offset):\r\n    # Emulate one stack-string construction routine from the minidump and read back the result\r\n    dp = Dumpulator(\"/tmp/pika2.dmp\", quiet=True)\r\n    print('loaded')\r\n    dp.start(start, end=end)\r\n    print('done')\r\n    # The routine leaves the string length in ecx; the string sits at ebp + op_offset\r\n    str_len = dp.regs.ecx\r\n    if str_len \u003e 2:\r\n        # A zero second byte means the buffer holds a wide (UTF-16LE) string\r\n        if dp.read(dp.regs.ebp + op_offset, 2)[1] == 0:\r\n            out = dp.read(dp.regs.ebp + op_offset, str_len * 2)\r\n            out = out.replace(b'\\x00', b'')\r\n        else:\r\n            out = dp.read(dp.regs.ebp + op_offset, str_len)\r\n    else:\r\n        out = dp.read(dp.regs.ebp + op_offset, str_len)\r\n    return out\r\n\r\nlabels = {}\r\nfor ss in stack_strings:\r\n    try:\r\n        out = emulate(ss.get('start'), ss.get('end'), ss.get('op_offset'))\r\n        if out.isascii():\r\n            print(f\"{hex(ss.get('start'))}: {out.decode('utf-8')}\")\r\n            labels[ss.get('start')] = out.decode('utf-8')\r\n        else:\r\n            print(f\"ERROR: {hex(ss.get('start'))}: {out}\")\r\n    except:\r\n        print(f\"TOTAL FAILURE: {hex(ss.get('start'))}\")\r\n\r\nprint(labels)\r\n\r\nloaded\r\ndone\r\n0x5a1078: RegOpenKeyExW\r\nloaded\r\nhttps://research.openanalysis.net/pikabot/yara/config/loader/2023/02/26/pikabot.html\r\nPage 1 of 4\r\ndone\r\n0x5a10ab: HARDWARE\\ACPI\\DSDT\\VBOX__\r\nloaded\r\ndone\r\n0x5a113b: GetUserDefaultLangID\r\nloaded\r\ndone\r\n0x5a11c9: CreateMutexW\r\nloaded\r\ndone\r\n0x5a1203: {8B30B3CD-2068-4F75-AB1F-FCAE6AF928B6}\r\nloaded\r\ndone\r\n0x5a1287: GetLastError\r\nloaded\r\ndone\r\n0x5a12cb: wsprintfW\r\nloaded\r\ndone\r\n0x5a12f8: SOFTWARE\\%s\r\nloaded\r\ndone\r\nERROR: 0x5a132f: bytearray(b'\\x05\\x06\\x05\\t\\xfc\\n\\n\\x0b\\xf8\\x05\\x0b\\xe6\\x0c\\x0b\\x03\\r\\xfc\\n\\xdb\\xfa\\x\r\nloaded\r\ndone\r\n0x5a1398: RegCreateKeyExW\r\nloaded\r\ndone\r\n0x5a13d5: wsprintfW\r\nloaded\r\ndone\r\n0x5a1402: schtasks.exe /Create /F /TN \"%s\" /TR \" cmd /q /c start /min \\\"\\\" powershell \\\"$%s = Get-Ite\r\nloaded\r\ndone\r\n0x5a164b: {8B30B3CD-2068-4F75-AB1F-FCAE6AF928B6}\r\nloaded\r\ndone\r\nERROR: 0x5a16d4: bytearray(b'\\x00\\x81\\x00\\x81\\x00\\x81\\x08\\x81H\\x80\\x08\\x81\\x00\\x81\\x08\\x81\\x08\\x81H\\x\r\nloaded\r\ndone\r\n0x5a173e:\r\nloaded\r\ndone\r\nERROR: 0x5a17a0: bytearray(b'\\x00\\x80\\x00\\x80\\x00\\x80\\x08\\x80H\\x81\\x08\\x80\\x00\\x80\\x08\\x80\\x08\\x80H\\x\r\nloaded\r\ndone\r\n0x5a180b: @@H@HHH@H@HH@@@@H\r\nloaded\r\ndone\r\n0x5a185b:\r\nloaded\r\ndone\r\n0x5a1888: GetModuleFileNameW\r\nloaded\r\ndone\r\n0x5a18c4: wsprintfW\r\nloaded\r\ndone\r\n0x5a18fc: @H@H@@HH@HH@@HHH@@@@@@\r\nloaded\r\ndone\r\n0x5a199f: CreateProcessW\r\nloaded\r\ndone\r\n0x5a1aac: RegSetValueExW\r\nloaded\r\ndone\r\n0x5a1aee:\r\nloaded\r\ndone\r\n0x5a1bcc: RegCloseKey\r\nloaded\r\ndone\r\n0x5a1d93: CreateProcessW\r\nloaded\r\ninitial unmapped read from 8df790[1], cip = 5a1dce, exception: ExceptionType.Memory, (0x5a1dce, 0x2d\r\nfinal unmapped read from 8df790[1], cip = 5a1deb, exception: ExceptionType.Memory, (0x5a1deb, 0x10, 6\r\nTraceback (most recent call last):\r\n File \"/Users/herrcore/.pyenv/versions/3.9.5/lib/python3.9/site-packages/dumpulator/dumpulator.py\",\r\n status = syscall_impl(dp, *args)\r\n File \"/Users/herrcore/.pyenv/versions/3.9.5/lib/python3.9/site-packages/dumpulator/ntsyscalls.py\",\r\n raise NotImplementedError()\r\nNotImplementedError\r\nException thrown during syscall implementation, stopping emulation!\r\nforced exit memory operation 21 of 4fe2[1] = 0\r\nTOTAL FAILURE: 0x5a1dce\r\nloaded\r\ninitial unmapped read from 8df790[1], cip = 5a1dfb, exception: ExceptionType.Memory, (0x5a1dfb, 0x2d\r\nfinal unmapped read from 8df790[1], cip = 5a1e18, exception: ExceptionType.Memory, (0x5a1e18, 0x10, 6\r\nTraceback (most recent call last):\r\n File \"/Users/herrcore/.pyenv/versions/3.9.5/lib/python3.9/site-packages/dumpulator/dumpulator.py\",\r\n status = syscall_impl(dp, *args)\r\n File \"/Users/herrcore/.pyenv/versions/3.9.5/lib/python3.9/site-packages/dumpulator/ntsyscalls.py\",\r\n raise NotImplementedError()\r\nNotImplementedError\r\nException thrown during syscall implementation, stopping emulation!\r\nforced exit memory operation 21 of 4fe2[1] = 0\r\nTOTAL FAILURE: 0x5a1dfb\r\nloaded\r\ndone\r\n0x5a2013: Kernel32.dll\r\nloaded\r\ndone\r\n0x5a2041: User32.dll\r\nloaded\r\ndone\r\n0x5a2075: Advapi32.dll\r\n{5902456: 'RegOpenKeyExW', 5902507: 'HARDWARE\\\\ACPI\\\\DSDT\\\\VBOX__', 5902651: 'GetUserDefaultLangID',\r\nSource: https://research.openanalysis.net/pikabot/yara/config/loader/2023/02/26/pikabot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.openanalysis.net/pikabot/yara/config/loader/2023/02/26/pikabot.html"
	],
	"report_names": [
		"pikabot.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434411,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8063345463b981f53cb3c4230650f94944ca2f4a.pdf",
		"text": "https://archive.orkl.eu/8063345463b981f53cb3c4230650f94944ca2f4a.txt",
		"img": "https://archive.orkl.eu/8063345463b981f53cb3c4230650f94944ca2f4a.jpg"
	}
}