PikaBot C2 Detected – 94[.]72[.]104[.]80:5000
PikaBot Detection Alerts
PikaBot C2
The Information provided at the time of posting was detected as “PikaBot C2”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security
General Information
| IP Address | 94[.]72[.]104[.]80 |
| Port | 5000 |
| Hostname (if available) | vmd131929[.]contaboserver[.]net |
| Description | A targeted phishing email delivers an ISO image attachment containing a copy of Windows Write (write.exe) alongside a malicious DLL named edputil.dll. When executed, write.exe side-loads edputil.dll, which then retrieves and runs the Pikabot DLL. Pikabot establishes communication with its Command and Control (C2) servers, receiving commands to download additional payloads. Twenty-five minutes post-infection, encrypted HTTPS traffic delivers a Meduza Stealer binary. Subsequently, Meduza Stealer exfiltrates sensitive data, including email credentials and system information, over TCP to its C2 server. The attackers leverage obfuscation techniques and common ports to evade detection, posing a significant threat to the compromised system’s integrity and security. |
| Date Detected | 2024-03-13T03:41:36.423000 |
| Malware Families (linked to) | |
| Tags | pikabot |
| References | |
| Country | GB |
Mitre Att&ck Linked TTPS
| Mitre Attack ID | Mitre Attack Name |
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
