PikaBot C2 Detected – 94[.]72[.]104[.]77:13724

PikaBot Detection Alerts

image 35

PikaBot C2

The Information provided at the time of posting was detected as “PikaBot C2”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security


General Information

IP Address94[.]72[.]104[.]77
Port13724
Hostname (if available)vmd131927[.]contaboserver[.]net
DescriptionA targeted phishing email delivers an ISO image attachment containing a copy of Windows Write (write.exe) alongside a malicious DLL named edputil.dll. When executed, write.exe side-loads edputil.dll, which then retrieves and runs the Pikabot DLL. Pikabot establishes communication with its Command and Control (C2) servers, receiving commands to download additional payloads. Twenty-five minutes post-infection, encrypted HTTPS traffic delivers a Meduza Stealer binary. Subsequently, Meduza Stealer exfiltrates sensitive data, including email credentials and system information, over TCP to its C2 server. The attackers leverage obfuscation techniques and common ports to evade detection, posing a significant threat to the compromised system’s integrity and security.
Date Detected2024-03-13T03:41:36.423000
Malware Families (linked to)
Tagspikabot
References
CountryGB

Mitre Att&ck Linked TTPS

Mitre Attack ID Mitre Attack Name

 

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.