A Look Into Pikabot’s Spam Wave Campaign

Indicators of Compromise
======================================================================================================================

Email
MD5                               Subject
4deb812eeae3c499530e1bd4f0e108ba  20231121084934-Re_ PRJIT80245790581.202307.1038-mgboto.eml
5be9d3aa133d23c439e5181da7450323  20231121085513-Re_ IMPORTANT COMMUNICATION FROM OU-[REDACTED].eml
de2cab21e6342cf20535b0734d5ca3c0  20231121085656-Re_ URGENTE - Op4148301 - 003-afeloca.eml
222b1793938f507877ee194ba0acd86b  20231121090601-Re_ W4M_2457 _ Condomínio do-u10053918.eml
7d6a6233a8792ea216a529836c13e923  20231121091041-Re_ NOS561681398996_NIF 501585-nrodrigues.eml
22be88cf8f57d9412eaa40c541f08eb2  20231121090330-Re_ Falhas de arranqque sucessiv-[REDACTED].eml
c28f33fee92fd7396fdb5792dea90365  202311211437_Scanned from a Xerox Multifunction Printer 21 November 2023 .eml
2430e3a9d5c97d0184f8af59abda4abb  20231121084051-Re_ THE FATHER - Cine-Teatro Marq-mbxusr2567.eml
======================================================================================================================

Malicious PDF
SHA256                                                            Detection name
4c267d4f7155d7f0686d1ac2ea861eaa926fd41a9d71e8f6952caf24492b376b  Trojan.LNK.PIKABOT.YXDKVZ
fbd63777f81cebd7a9f2f1c7f2a8982499fe4d18b9f4aa4e7ed589ceefac47de  Trojan.PDF.PIKABOT.A
29a12bf2f2ff68027ae042a24f1c1285c6bc4b7a495d3d2a8f565ef67141eca8  Trojan.PDF.PIKABOT.B
6c13985e067cfad583bb1f5751821e649a61a41171a5f95ee9dfd254c04f71a8  Trojan.PDF.PIKABOT.B
ed4bba5e886871527fa56beb280f222ef0fde97686db00a74ee02c1a44a0094d  Trojan.PDF.PIKABOT.B
1d365a8a2e72a81a6ffbc6c0c32b28e580872e57df184c270b4fa47ac8b8bf2b  Trojan.PDF.PIKABOT.B
b436380d62babc42fa6b3adc592e1b6b0bd05c5cb1b0c08aa5c55eae738729e7  Trojan.PDF.PIKABOT.C
980e2dccc3b83bab32b13f82091f37a2ffcf302c7fb7e87532c7c618f68c0753  Trojan.PDF.PIKABOT.C
6f9b2fdac415c7eb7fcc31c5ff9aac7e6347ddf4747985b7bac4f76a6f9da193  Trojan.PDF.PIKABOT.C
3b13380f7dfd615707887f3e8904f432aacdbb111822dd596a44366cb5526624  Trojan.PDF.PIKABOT.YXDLNZ
8045ea8720b66291e3c00f6fd1925de11241410421851b7cabe4a707875a1004  Trojan.PDF.PIKABOT.YADLN
======================================================================================================================

Malicious LNK
SHA256                                                            Detection name
4c267d4f7155d7f0686d1ac2ea861eaa926fd41a9d71e8f6952caf24492b376b  Trojan.LNK.PIKABOT.YXDKVZ
======================================================================================================================

Malicious JS
SHA256                                                            Detection name
7808be7f2b92c775f6ef047ffc857d8731e75bf486a45fec1c4d199b43c5a6c2  Trojan.JS.PIKABOT.YXDKFZ
1dd66462bd11d65247fff82ae81358c9e1b5e1024a953478b8a5de8f5fc5443a  Trojan.JS.PIKABOT.A
ea63ac688aec3ab8920d83617f214922c16aedee341edbe3a18469179555fb21  Trojan.JS.PIKABOT.A
07279c93f0532a4f5bc4617ab3cb30b7c336f71f587e934a5a0e35ce88fbf632  Trojan.JS.PIKABOT.A
2dad1218d4950ba3a84cfce17af2d8d4ece92f623338d49b357ec9d973ecf8a8  Trojan.JS.PIKABOT.A
33e03a536f869dee3ffa0b1bc8c885f77c50d0a7974b6e9b4041a5a254255c34  Trojan.JS.PIKABOT.A
1a12028a0e0ecc32160e5372a45d95e3045421906f2c807b7c4c8f4a85d47469  Trojan.JS.PIKABOT.A
6e18eb1884d2a1a20a0d6a4dcdaf1b7ab342271b2de0d0327848f37eb45e785e  Trojan.JS.PIKABOT.D
7094f89bf955dfbdcc4de8943af2328aa7475c2fb6af305c76a6df73aff8b1c3  Trojan.JS.PIKABOT.B
2c49ff53d0cf0ea36f34148598b8eacca12a1a654bfc09c4e00d6b60a8ad57fe  Trojan.JS.PIKABOT.B
8514b9d2fe185989d996a2669788910405af5e8fd7102ab3decdd4d727af35df  Trojan.JS.PIKABOT.B
79b1ac4dc5cae6d03548c2ab570e98f9cfb7e4da24480ce3d513b1abdd13bf21  Trojan.JS.PIKABOT.YXDKDZ
======================================================================================================================

Malicious DLL
SHA256                                                            Detection name
eead7f5b6f1282ad988238cc8c39292fa99ea416f7793038a20e5caabe93112a  Backdoor.Win32.PIKABOT.C
7e85b9d1d09301d8b3f48df44159347d89cb3c798d0436b5e9b060df4072b8c7  Backdoor.Win32.PIKABOT.A
46e0fe3a942bb1f9aa9cd1b460ca7efa9acddb3c5b2d2bc3b42a87d8463f1c66  Backdoor.Win32.PIKABOT.B
======================================================================================================================

Pikabot downloader
hxxps://sindicaturadetecate[.]gob[.]mx/pe/?IDbHJCMofpEIzDQjrcwNcDqHoiQRnSKZQcA
hxxps://lsn[.]edu[.]dz/pqis/?aWDzZBatBsyv
hxxp:188[.]34[.]192[.]184/76DKN6/Wheez
hxxps://brouweres[.]com:443/vvs49/0.6515179055030298.dat
hxxps://brouweres[.]com:443/vvs49/0.8450027286577588.dat
hxxps://brouweres[.]com:443/vvs49/0.15313287608559223.dat
hxxps://brouweres[.]com:443/vvs49/0.9900618798908114.dat
======================================================================================================================

Pikabot C&C server
15[.]235[.]202[.]109:2226
15[.]235[.]44[.]231:5938
15[.]235[.]45[.]155:2221
15[.]235[.]47[.]206:13783
15[.]235[.]47[.]80:23399
154[.]221[.]30[.]136:13724
154[.]61[.]75[.]156:2078
154[.]92[.]19[.]139:2222
188[.]26[.]127[.]4:13785
210[.]243[.]8[.]247:23399
51[.]195[.]232[.]97:13782
51[.]68[.]147[.]114:2083
51[.]79[.]143[.]215:13783
64[.]176[.]5[.]228:13783
137[.]220[.]55[.]190:2223
65[.]20[.]78[.]68:13721
139[.]180[.]216[.]25:2967
70[.]34[.]209[.]101:13720
172[.]233[.]156[.]100:13721
64[.]176[.]67[.]194:2967
158[.]247[.]253[.]155:2225
======================================================================================================================

Black Basta Cobalt Strike DNS beacons
startupbusiness24[.]net
seohomee[.]com
softradar[.]net
investsystemus[.]net
blocknowtech[.]net
mytrailinvest[.]net
realeinvestment[.]net
cloudwebstart[.]net
monitor-websystem[.]net
karmafisker[.]com
airbusco[.]net
trailgroupl[.]net
monitorsystem[.]net
cloudworldst[.]net
neobeelab[.]net
stockinvestlab[.]net
prettyanimals[.]net
gift4animals[.]com
ionoslaba[.]com
buyadvisershop[.]net
blockcentersys[.]net
startuptechnologyw[.]net
investmentrealtyhp[.]net
mynewbee[.]net
buzzybeet[.]net
wellsystemte[.]net
investmendvisor[.]net
reelsysmoona[.]net
startupbizaud[.]net
building4business[.]net
steamteamdev[.]net
audsystemecll[.]net
welausystem[.]net
treeauwin[.]net
clearsystemwo[.]net
======================================================================================================================

Black Basta Cobalt Strike HTTPS beacons
lindacolor[.]com
withclier[.]com
unougn[.]com
bluenetworking[.]net
getfnewsolutions[.]com
conitreid[.]com
allcompanycenter[.]com
sandelias[.]com
getfnewssolutions[.]com
erihudeg[.]com
reganter[.]com
masterunis[.]net
taskthebox[.]net
settingfir[.]com
magementfair[.]com
businesforhome[.]com
ruggioil[.]com
gertefin[.]com
gartenlofti[.]com
garbagemoval[.]com
constrtionfirst[.]com
animalsfast[.]net
schumacherbar[.]com
maluisepaul[.]com
masterunix[.]net
wardeli[.]com
nutiensel[.]com
jessvisser[.]com
caspercan[.]com
kolinileas[.]com
unitedfrom[.]com
brendonline[.]com
septcntr[.]com
auuditoe[.]com
conectmeto[.]net