PULSE NAME
The-Ultimate-Black-basta-chat-leak
WHITE PetrP.73 2025-02-27 Modified: 2025-03-29
Black Basta ransomware is actively exploiting Veeam Backup & Replication and Atlassian Confluence vulnerabilities for initial access and privilege escalation. Leaked chats reveal a structured attack strategy targeting unpatched enterprise systems. Immediate patching and enhanced monitoring are recommended to mitigate risk.
Indicators of Compromise (63)