@c3rb3ru5d3d53c
Created March 3, 2023 01:17
PikaBot YARA Signature
rule pikabot_0 {
    meta:
        author      = "@c3rb3ru5d3d53c"
        description = "Detects PikaBot"
        created     = "2023-03-02"
        tlp         = "white"
        rev         = 1
    strings:
        $trait_0 = {
            8d 85 ?? ?? ?? ?? 89 b5 ?? ?? ?? ?? 50 8d 85 ??
            ?? ?? ?? 50 8d 85 ?? ?? ?? ?? 50 6a 02 8d 95 ??
            ?? ?? ?? 59 e8 40 05 00 00 ff d0 83 c4 0c 8d 85
            ?? ?? ?? ?? 8d 95 ?? ?? ?? ?? 56 50 56 68 3f 00
            0f 00 56 56 56 8d 85 ?? ?? ?? ?? 50 68 01 00 00
            80 6a 06 59 e8 10 05 00 00 ff d0 85 c0 0f 85 b5
            01 00 00
        }
        $trait_1 = {
            55 8b ec 51 51 89 4d ?? 56 be c7 26 00 00 57 8b
            fa 85 c9 74 36 85 ff 74 32 33 c0 89 45 ?? 53 8a
            1c 08 8d 43 ?? 0f b6 c8 8d 53 ?? 80 fa 19 0f b6
            c3 0f 47 c8 8b 45 ?? 6b f6 05 0f be c9 03 f1 8b
            4d ?? 40 89 45 ?? 3b c7 72 d5 5b 5f 8b c6 5e c9
            c3
        }
    condition:
        uint16(0) == 0x5a4d and
        uint32(uint32(0x3c)) == 0x00004550 and
        1 of them
}
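To make explicit what the condition above evaluates, here is an added pure-Python re-implementation (not part of the gist, and not a substitute for running YARA itself) of the MZ/PE header checks and of wildcard hex-string matching for `$trait_1`, exercised on a constructed minimal PE-like buffer; `build_sample`, `concretize` and the 0xfc wildcard filler are assumptions for the demonstration.

```python
import re

# $trait_1 copied from the rule above; "??" is a YARA single-byte wildcard.
TRAIT_1 = """
55 8b ec 51 51 89 4d ?? 56 be c7 26 00 00 57 8b
fa 85 c9 74 36 85 ff 74 32 33 c0 89 45 ?? 53 8a
1c 08 8d 43 ?? 0f b6 c8 8d 53 ?? 80 fa 19 0f b6
c3 0f 47 c8 8b 45 ?? 6b f6 05 0f be c9 03 f1 8b
4d ?? 40 89 45 ?? 3b c7 72 d5 5b 5f 8b c6 5e c9
c3
"""

def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes and ?? wildcards) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_string.split()]
    # DOTALL so a wildcard also matches 0x0a, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)

def is_pe(data: bytes) -> bool:
    """Same test as the rule: uint16(0) == 0x5a4d and uint32(uint32(0x3c)) == 0x00004550."""
    if len(data) < 0x40 or int.from_bytes(data[0:2], "little") != 0x5A4D:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 4 > len(data):          # YARA treats an out-of-bounds read as no match
        return False
    return int.from_bytes(data[e_lfanew:e_lfanew + 4], "little") == 0x00004550

def matches_pikabot_0(data: bytes, traits=(TRAIT_1,)) -> bool:
    """Header checks AND '1 of them' over the supplied hex strings."""
    return is_pe(data) and any(hex_string_to_regex(t).search(data) for t in traits)

def concretize(hex_string: str, fill: int = 0xFC) -> bytes:
    """Constructed test input: the trait with every wildcard replaced by one filler byte."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in hex_string.split())

def build_sample(payload: bytes) -> bytes:
    """Constructed minimal PE-like buffer: 'MZ', e_lfanew = 0x40, 'PE\\0\\0', then payload."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)
    header += (0x40).to_bytes(4, "little")
    header += b"PE\x00\x00"
    return bytes(header) + payload

if __name__ == "__main__":
    sample = build_sample(b"\x90" * 16 + concretize(TRAIT_1) + b"\xcc" * 8)
    print("pikabot_0 fires:", matches_pikabot_0(sample))
```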
@c3rb3ru5d3d53c

Unpacked samples used to generate signature:

8528b4fbb050be27debef474bd27d441d92196f5d19840f94afa979e8483c8ef
05d1b791865c9551ed8da6a170eb6f945a4d1e79cb70341f589cc47bacf78cc3

Command used to generate signature:

find samples/ -type f | while read i; binlex -i $i | jq -r 'select(.trait_tlsh != null and .size < 128) | .trait' | grep -v '89 5d ??' | grep -v 'c7 45 ?? ?? ?? ?? ??' | sort | uniq; end | sort | uniq -c | sort -rn | sed 's/^ *//' | grep -P '^2 ' | sed 's/^2 //' | blyara -n pikabot_0 | sed '/trait_2/d'
