{
  "type": "Domain",
  "indicator": "cloudworldst.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/cloudworldst.net",
    "alexa": "http://www.alexa.com/siteinfo/cloudworldst.net",
    "indicator": "cloudworldst.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3793069212,
      "indicator": "cloudworldst.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 36,
      "pulses": [
        {
          "id": "6641de0f085ac4fc0c55aec4",
          "name": "StopRansomware: Black Basta",
          "description": "This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Public Health. They gain initial access through phishing and exploiting vulnerabilities, employ double extortion tactics with data exfiltration and encryption, and leverage various tools for lateral movement and privilege escalation. The advisory provides mitigations and recommendations for organizations to protect against this threat.",
          "modified": "2024-06-12T09:05:01.533000",
          "created": "2024-05-13T09:31:59.558000",
          "tags": [
            "cve-2021-34527",
            "cve-2021-42278",
            "ransomware",
            "qakbot",
            "encryption",
            "cve-2024-1709",
            "pinkslipbot",
            "quackbot",
            "exfiltration",
            "cve-2021-42287",
            "qbot",
            "phishing",
            "healthcare",
            "cve-2020-1472"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot - S0650",
              "display_name": "QakBot - S0650",
              "target": null
            },
            {
              "id": "Pinkslipbot",
              "display_name": "Pinkslipbot",
              "target": null
            },
            {
              "id": "QuackBot",
              "display_name": "QuackBot",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Healthcare",
            "Public Health"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4209,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 55,
            "domain": 95,
            "hostname": 10
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386503,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659e657578d730b29e7590e5",
          "name": "Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaign",
          "description": "Pikabot is a type of loader malware that was actively used in spam campaigns by a threat actor we track under the Intrusion set Water Curupira in the first quarter of 2023, followed by a break at the end of June that lasted until the start of September 2023. Other researchers have previously noted its strong similarities to Qakbot, the latter of which was taken down by law enforcement in August 2023. An increase in the number of phishing campaigns related to Pikabot was recorded in the last quarter of 2023, coinciding with the takedown of Qakbot \u2014 hinting at the possibility that Pikabot might be a replacement for the latter (with DarkGate being another temporary replacement in the wake of the takedown).",
          "modified": "2024-02-09T09:01:03.534000",
          "created": "2024-01-10T09:37:57.095000",
          "tags": [
            "phishing",
            "Pikabot",
            "loader",
            "Water Curupira",
            "spam campaigns"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Pikabot",
              "display_name": "Pikabot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 349,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "URL": 28,
            "domain": 71
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386504,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a5c36b78ed73550bb0bf22",
          "name": "by Disable_Duck",
          "description": "",
          "modified": "2026-03-04T23:37:24.208000",
          "created": "2026-03-02T17:05:47.288000",
          "tags": [
            "kgs0",
            "kls0",
            "botname http",
            "entity",
            "UAlberta",
            "Telus",
            "Norton",
            "ffss",
            "Alberta",
            "AlbertaNDP",
            "InteriorHealth",
            "RCMP",
            "CrimeStoppersAB",
            "EdmontonPolice",
            "RCMP Kelowna",
            "RCMP AB",
            "TLS/SSL Crawler",
            "CVE-2026-24061 Attempt",
            "Generic IoT Default Password Attempt",
            "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
            "Dahua Backdoor Attempt",
            "ENV Crawler",
            "DCERPC Protocol",
            "Carries HTTP Referer",
            "GNU Inetutils Telnetd Auth Bypass",
            "ICMPv4 Protocol"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
            "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
            "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Panama",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Slovakia",
            "Aruba",
            "Anguilla",
            "Australia",
            "Costa Rica",
            "Guatemala",
            "Mexico",
            "Trinidad and Tobago",
            "Cura\u00e7ao",
            "Philippines",
            "Virgin Islands, U.S.",
            "Ukraine",
            "Barbados",
            "Germany",
            "Sint Maarten (Dutch part)",
            "Argentina",
            "Switzerland"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Energy",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "6901363c4ce422f5caf0f72c",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3903,
            "FileHash-SHA1": 4967,
            "FileHash-SHA256": 12884,
            "URL": 996,
            "domain": 987,
            "hostname": 3306,
            "email": 4,
            "CVE": 1
          },
          "indicator_count": 27048,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "87 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6901363c4ce422f5caf0f72c",
          "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
          "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse mostly covers activity in the Province of Alberta, Canada. Given recent news, it appears that BC Interior Health and the Kelowna RCMP Detachment were impacted, in addition to the Alberta sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
          "modified": "2026-02-18T05:00:41.494000",
          "created": "2025-10-28T21:31:40.008000",
          "tags": [
            "kgs0",
            "kls0",
            "botname http",
            "entity",
            "UAlberta",
            "Telus",
            "Norton",
            "ffss",
            "Alberta",
            "AlbertaNDP",
            "InteriorHealth",
            "RCMP",
            "CrimeStoppersAB",
            "EdmontonPolice",
            "RCMP Kelowna",
            "RCMP AB"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
            "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Panama",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Slovakia",
            "Aruba",
            "Anguilla",
            "Australia",
            "Costa Rica",
            "Guatemala",
            "Mexico",
            "Trinidad and Tobago",
            "Cura\u00e7ao",
            "Philippines",
            "Virgin Islands, U.S.",
            "Ukraine",
            "Barbados",
            "Germany",
            "Sint Maarten (Dutch part)"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Energy",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3903,
            "FileHash-SHA1": 4967,
            "FileHash-SHA256": 12884,
            "URL": 995,
            "domain": 984,
            "hostname": 3305,
            "email": 4
          },
          "indicator_count": 27042,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "102 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6783308fc0b6e2bd8dfb209c",
          "name": "TTC-CERT_blocklist_recommended",
          "description": "",
          "modified": "2026-02-14T00:03:07.406000",
          "created": "2025-01-12T03:01:35.075000",
          "tags": [],
          "references": [
            "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 606,
            "URL": 4,
            "domain": 25122,
            "hostname": 25306
          },
          "indicator_count": 51038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 185,
          "modified_text": "106 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663e4a5203f0af22aa9295cf",
          "name": "IOC Basta",
          "description": "",
          "modified": "2025-05-14T13:11:03.272000",
          "created": "2024-05-10T16:24:50.903000",
          "tags": [
            "cobalt strike",
            "scpssh",
            "source ip",
            "anydesk",
            "anydesk server",
            "rat c2"
          ],
          "references": [],
          "public": 1,
          "adversary": "BlackBasta",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "663e40aa1c52eb7ba90593f1",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "3ltrashpanda",
            "id": "253624",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 95,
            "FileHash-MD5": 3,
            "FileHash-SHA256": 5
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 8,
          "modified_text": "381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "553 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "553 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6710059101b736e38b9cd2b0",
          "name": "Black Basta",
          "description": "Black Basta is a financially motivated ransomware group that began operations in 2022. It targets organizations across various sectors, including manufacturing, healthcare, and finance, using a double extortion method. The group encrypts victims' systems and threatens to leak stolen data unless a ransom is paid. Their ransomware spreads via phishing campaigns, exploiting vulnerabilities in systems. Black Basta is known for collaborating with other cybercriminals, which enhances the impact and sophistication of their attacks.",
          "modified": "2024-11-15T17:03:59.652000",
          "created": "2024-10-16T18:27:29.179000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "powershell",
            "ransomware",
            "cobalt strike",
            "phishing",
            "mimikatz",
            "qakbot",
            "psexec",
            "bits",
            "webdav",
            "winscp",
            "conti",
            "anydesk",
            "quick assist",
            "netsupport",
            "windows",
            "blackbasta",
            "batloader",
            "rclone",
            "vmware esxi",
            "netcat",
            "qbot",
            "emotet",
            "trickbot",
            "pinkslipbot",
            "team",
            "C++",
            "Linux",
            "ChaCha20",
            "RSA-4096",
            "ConnectWise",
            "ZeroLogon",
            "NoPac",
            "PrintNightmare",
            "CVE-2024-1709",
            "CVE-2024-26169",
            "CVE-2020-1472",
            "CVE-2021-42278",
            "CVE-2021-42287",
            "CVE-2021-34527",
            "BITSAdmin",
            "Cobalt Strike",
            "Netcat",
            "ScreenConnect",
            "NetSupport Manager",
            "SystemBC",
            "Qakbot",
            "WMI",
            "RClone",
            "SoftPerfect",
            "BackStab",
            "EvilProxy",
            "Splashtop",
            "WinSCP",
            "C2",
            "CVE-2022-30190",
            "Storm-1811",
            "spear phishing",
            "Coroxy",
            "cobeacon",
            "RaaS",
            "aa24-131a",
            "wandering spider",
            "Conti",
            "wizard spider",
            "BGH"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
            "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know",
            "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
            "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks",
            "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta",
            "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
            "https://www.cve.org/CVERecord?id=CVE-2020-1472",
            "https://www.cve.org/CVERecord?id=CVE-2021-34527",
            "https://www.cve.org/CVERecord?id=CVE-2021-42278",
            "https://www.cve.org/CVERecord?id=CVE-2021-42287",
            "https://www.cve.org/CVERecord?id=CVE-2024-1709",
            "https://www.cve.org/CVERecord?id=CVE-2024-26169",
            "https://www.cve.org/CVERecord?id=CVE-2022-30190",
            "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
            "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
            "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Canada",
            "Australia",
            "New Zealand",
            "Japan",
            "France",
            "United Kingdom of Great Britain and Northern Ireland",
            "Italy",
            "Switzerland"
          ],
          "malware_families": [
            {
              "id": "Conti",
              "display_name": "Conti",
              "target": null
            },
            {
              "id": "Qakbot",
              "display_name": "Qakbot",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Black Basta",
              "display_name": "Black Basta",
              "target": null
            },
            {
              "id": "Primary NetSupport",
              "display_name": "Primary NetSupport",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "Basta Linux",
              "display_name": "Basta Linux",
              "target": null
            },
            {
              "id": "Widespread QBot",
              "display_name": "Widespread QBot",
              "target": null
            },
            {
              "id": "Qbot",
              "display_name": "Qbot",
              "target": null
            },
            {
              "id": "TrojanDownloader:O97M/Qakbot",
              "display_name": "TrojanDownloader:O97M/Qakbot",
              "target": "/malware/TrojanDownloader:O97M/Qakbot"
            },
            {
              "id": "Trojan:Win32/QBot",
              "display_name": "Trojan:Win32/QBot",
              "target": "/malware/Trojan:Win32/QBot"
            },
            {
              "id": "Trojan:Win32/Qakbot",
              "display_name": "Trojan:Win32/Qakbot",
              "target": "/malware/Trojan:Win32/Qakbot"
            },
            {
              "id": "TrojanSpy:Win32/Qakbot",
              "display_name": "TrojanSpy:Win32/Qakbot",
              "target": "/malware/TrojanSpy:Win32/Qakbot"
            },
            {
              "id": "Behavior:Win32/Qakbot",
              "display_name": "Behavior:Win32/Qakbot",
              "target": "/malware/Behavior:Win32/Qakbot"
            },
            {
              "id": "Behavior:Win32/Basta",
              "display_name": "Behavior:Win32/Basta",
              "target": "/malware/Behavior:Win32/Basta"
            },
            {
              "id": "Ransom:Win32/Basta",
              "display_name": "Ransom:Win32/Basta",
              "target": "/malware/Ransom:Win32/Basta"
            },
            {
              "id": "Trojan:Win32/Basta",
              "display_name": "Trojan:Win32/Basta",
              "target": "/malware/Trojan:Win32/Basta"
            },
            {
              "id": "Behavior:Win32/CobaltStrike",
              "display_name": "Behavior:Win32/CobaltStrike",
              "target": "/malware/Behavior:Win32/CobaltStrike"
            },
            {
              "id": "Backdoor:Win64/CobaltStrike",
              "display_name": "Backdoor:Win64/CobaltStrike",
              "target": "/malware/Backdoor:Win64/CobaltStrike"
            },
            {
              "id": "HackTool:Win64/CobaltStrike",
              "display_name": "HackTool:Win64/CobaltStrike",
              "target": "/malware/HackTool:Win64/CobaltStrike"
            },
            {
              "id": "TrojanDropper:PowerShell/Cobacis",
              "display_name": "TrojanDropper:PowerShell/Cobacis",
              "target": "/malware/TrojanDropper:PowerShell/Cobacis"
            },
            {
              "id": "Trojan:Win64/TurtleLoader.CS",
              "display_name": "Trojan:Win64/TurtleLoader.CS",
              "target": "/malware/Trojan:Win64/TurtleLoader.CS"
            },
            {
              "id": "Exploit:Win32/ShellCode.BN",
              "display_name": "Exploit:Win32/ShellCode.BN",
              "target": "/malware/Exploit:Win32/ShellCode.BN"
            },
            {
              "id": "Behavior:Win32/SystemBC",
              "display_name": "Behavior:Win32/SystemBC",
              "target": "/malware/Behavior:Win32/SystemBC"
            },
            {
              "id": "Trojan: Win32/SystemBC",
              "display_name": "Trojan: Win32/SystemBC",
              "target": "/malware/Trojan: Win32/SystemBC"
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare",
            "Manufacturing",
            "Construction",
            "Retail",
            "Legal",
            "Finance",
            "Technology",
            "Emergency Services",
            "Media",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 52,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "v0od0o.exe",
            "id": "273579",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 111,
            "FileHash-SHA1": 110,
            "FileHash-SHA256": 148,
            "CVE": 7,
            "domain": 113,
            "hostname": 62,
            "URL": 4
          },
          "indicator_count": 555,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "561 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39659,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 80,
          "modified_text": "562 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663e665af0be7711515f63c4",
          "name": "FHS - Black Basta IOCs",
          "description": "TIs from different articles related to the Black Basta Ransomware group.",
          "modified": "2024-10-29T17:15:34.271000",
          "created": "2024-05-10T18:24:26.663000",
          "tags": [
            "incident response",
            "ransomware",
            "forensics",
            "threat intelligence",
            "black basta",
            "iocs",
            "trendmicro",
            "iocsyou",
            "misp event",
            "domains",
            "icmp traffic",
            "c2 endpoint",
            "hvs iocs",
            "misp feed",
            "#StopRansomware: Black Basta"
          ],
          "references": [
            "https://dfir-delight.de/p/black-basta-iocs/",
            "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/black-basta-ransomware-gang-infiltrates-networks-via-qakbot,-brute-ratel-and-cobalt-strike/ioc-black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-cobalt-strike.txt",
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 61,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "FHS-Services",
            "id": "51336",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 112,
            "FileHash-MD5": 66,
            "URL": 53,
            "IPv4": 122,
            "FileHash-SHA256": 87,
            "FileHash-SHA1": 54,
            "hostname": 14
          },
          "indicator_count": 508,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "578 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6654138435c5832ca2c4028f",
          "name": "DOH Domains IOCs",
          "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with",
          "modified": "2024-08-26T04:12:43.497000",
          "created": "2024-05-27T05:00:52.918000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fueledbycoffeeDXB",
            "id": "272228",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "domain": 1335,
            "hostname": 667
          },
          "indicator_count": 2009,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "643 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6683bdd1247c16c5855518c7",
          "name": "Domain-URL-IP-Hash-IOC",
          "description": "Updated collection of malicious, malware, phishing, etc. domains, URLs, IPs and hashes",
          "modified": "2024-08-02T07:05:02.060000",
          "created": "2024-07-02T08:44:01.648000",
          "tags": [
            "word"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 286,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 2521,
            "domain": 8243,
            "email": 7,
            "hostname": 2893
          },
          "indicator_count": 13683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "667 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6683bdc8052a11fe921381a0",
          "name": "Domain-URL-IP-Hash-IOC",
          "description": "Updated collection of malicious, malware, phishing, etc. domains, URLs, IPs and hashes",
          "modified": "2024-08-01T08:02:48.060000",
          "created": "2024-07-02T08:43:52.203000",
          "tags": [
            "word"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 2409,
            "domain": 7836,
            "email": 7,
            "hostname": 2783
          },
          "indicator_count": 13054,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "668 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66793d4fc20f3888ca20fe66",
          "name": " #StopRansomware: Black Basta ",
          "description": "",
          "modified": "2024-06-24T09:33:03.695000",
          "created": "2024-06-24T09:33:03.695000",
          "tags": [
            "cve-2021-34527",
            "cve-2021-42278",
            "ransomware",
            "qakbot",
            "encryption",
            "cve-2024-1709",
            "pinkslipbot",
            "quackbot",
            "exfiltration",
            "cve-2021-42287",
            "qbot",
            "phishing",
            "healthcare",
            "cve-2020-1472"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot - S0650",
              "display_name": "QakBot - S0650",
              "target": null
            },
            {
              "id": "Pinkslipbot",
              "display_name": "Pinkslipbot",
              "target": null
            },
            {
              "id": "QuackBot",
              "display_name": "QuackBot",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Healthcare",
            "Public Health"
          ],
          "TLP": "white",
          "cloned_from": "664ae0bba7216fa4c9e46276",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 55,
            "domain": 95,
            "hostname": 10
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "706 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664fa66213d6bb0091d6da0b",
          "name": "Black Basta Plus",
          "description": "Combination of several IOC intel sources for the Black Basta ransomware. Not all IOCs have been validated, so the potential for false positives may be high. Please review any alerts to confirm their threat level. Based on AlienVault's Black Basta pulse: https://otx.alienvault.com/pulse/6641de0f085ac4fc0c55aec4",
          "modified": "2024-06-22T20:03:29.127000",
          "created": "2024-05-23T20:26:10.442000",
          "tags": [
            "cve-2021-34527",
            "cve-2021-42278",
            "ransomware",
            "qakbot",
            "encryption",
            "cve-2024-1709",
            "pinkslipbot",
            "quackbot",
            "exfiltration",
            "cve-2021-42287",
            "qbot",
            "phishing",
            "healthcare",
            "cve-2020-1472"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/black-basta-ransomware-gang-infiltrates-networks-via-qakbot,-brute-ratel-and-cobalt-strike/ioc-black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-cobalt-strike.txt",
            "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
            "https://dfir-delight.de/p/black-basta-iocs/"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot - S0650",
              "display_name": "QakBot - S0650",
              "target": null
            },
            {
              "id": "Trojan:Win32/Pinkslipbot",
              "display_name": "Trojan:Win32/Pinkslipbot",
              "target": "/malware/Trojan:Win32/Pinkslipbot"
            },
            {
              "id": "Trojan:Win32/Quackbot",
              "display_name": "Trojan:Win32/Quackbot",
              "target": "/malware/Trojan:Win32/Quackbot"
            },
            {
              "id": "ALF:Backdoor:Win32/QBot",
              "display_name": "ALF:Backdoor:Win32/QBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Healthcare",
            "Public Health"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AngRogers",
            "id": "72068",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 65,
            "FileHash-SHA1": 53,
            "FileHash-SHA256": 86,
            "domain": 106,
            "hostname": 10
          },
          "indicator_count": 325,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "707 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6645082ffbfa2f332e75bded",
          "name": "AA24-131A-Ransomware-Black-Basta.stix_",
          "description": "AA24-131A-StopRansomware-Black-Basta.stix_",
          "modified": "2024-06-14T19:00:21.016000",
          "created": "2024-05-15T19:08:31.637000",
          "tags": [],
          "references": [
            "https://www.cisa.gov/sites/default/files/2024-05/AA24-131A-StopRansomware-Black-Basta.stix_.json"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 51,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 55,
            "domain": 98,
            "hostname": 10
          },
          "indicator_count": 262,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 209,
          "modified_text": "715 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66422aa4ddc565fcc04894f4",
          "name": "Black Basta Threat Actor Emerges as a Major Threat Actor to the Healthcare Industry",
          "description": "",
          "modified": "2024-06-12T14:00:20.264000",
          "created": "2024-05-13T14:58:44.896000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "BlackBasta",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mxdrthreat",
            "id": "230035",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 42,
            "FileHash-SHA1": 42,
            "FileHash-SHA256": 44,
            "domain": 94,
            "hostname": 7
          },
          "indicator_count": 229,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 53,
          "modified_text": "717 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641f443bf5f53cf5c334367",
          "name": "#StopRansomware: Black Basta | CISA",
          "description": "Ransomware: Black Basta is a new form of cyber-security threat, but what do you know about it and what can you do to protect your personal information from such a threat?",
          "modified": "2024-06-12T11:01:21.251000",
          "created": "2024-05-13T11:06:43.176000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "mitre att",
            "stopransomware",
            "basta",
            "ck techniques",
            "technique title",
            "iocs",
            "powershell",
            "black",
            "cobalt strike",
            "ransomware",
            "cyber",
            "tools",
            "sector",
            "execution",
            "mimikatz",
            "local",
            "april",
            "ransom",
            "download",
            "qakbot",
            "february",
            "psexec",
            "bits",
            "mega",
            "webdav",
            "impact",
            "install"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "parvesh4399",
            "id": "224939",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 56,
            "domain": 96,
            "hostname": 10
          },
          "indicator_count": 197,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "717 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641ee545cefcbbdf2b35cd2",
          "name": "Black Basta Ransomware Strikes 500+ Entities Across North America, Europe, and Australia",
          "description": "The Black Basta ransomware-as-a-service (RaaS) operation has targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia since its emergence in April 2022.\n\nIn a joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the agencies said the threat actors encrypted and stole data from at least 12 out of 16 critical infrastructure sectors.\n\n\"Black Basta affiliates use common initial access techniques \u2014 such as phishing and exploiting known vulnerabilities \u2014 and then employ a double-extortion model, both encrypting systems and exfiltrating data,\" the bulletin read.",
          "modified": "2024-06-12T10:01:49.904000",
          "created": "2024-05-13T10:41:24.759000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "mitre att",
            "stopransomware",
            "basta",
            "ck techniques",
            "technique title",
            "iocs",
            "powershell",
            "black",
            "cobalt strike",
            "ransomware",
            "cyber",
            "tools",
            "sector",
            "execution",
            "mimikatz",
            "local",
            "april",
            "ransom",
            "download",
            "qakbot",
            "february",
            "psexec",
            "bits",
            "mega",
            "webdav",
            "impact",
            "install"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
            "https://thehackernews.com/2024/05/black-basta-ransomware-strikes-500.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 318,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 56,
            "domain": 96,
            "hostname": 10
          },
          "indicator_count": 202,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 435,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664ae0bba7216fa4c9e46276",
          "name": " #StopRansomware: Black Basta ",
          "description": "",
          "modified": "2024-06-12T09:05:01.533000",
          "created": "2024-05-20T05:33:47.757000",
          "tags": [
            "cve-2021-34527",
            "cve-2021-42278",
            "ransomware",
            "qakbot",
            "encryption",
            "cve-2024-1709",
            "pinkslipbot",
            "quackbot",
            "exfiltration",
            "cve-2021-42287",
            "qbot",
            "phishing",
            "healthcare",
            "cve-2020-1472"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot - S0650",
              "display_name": "QakBot - S0650",
              "target": null
            },
            {
              "id": "Pinkslipbot",
              "display_name": "Pinkslipbot",
              "target": null
            },
            {
              "id": "QuackBot",
              "display_name": "QuackBot",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Healthcare",
            "Public Health"
          ],
          "TLP": "white",
          "cloned_from": "6641de0f085ac4fc0c55aec4",
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 55,
            "domain": 95,
            "hostname": 10
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641b2af1018105ca9e05f71",
          "name": "#StopRansomware: Black Basta | CISA",
          "description": "Ransomware: Black Basta is a new form of cyber-security threat, but what do you know about it and what can you do to protect your personal information from such a threat?",
          "modified": "2024-06-12T06:01:34.035000",
          "created": "2024-05-13T06:26:55.774000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "mitre att",
            "stopransomware",
            "basta",
            "ck techniques",
            "technique title",
            "iocs",
            "powershell",
            "black",
            "cobalt strike",
            "ransomware",
            "cyber",
            "tools",
            "sector",
            "execution",
            "mimikatz",
            "local",
            "april",
            "ransom",
            "download",
            "qakbot",
            "february",
            "psexec",
            "bits",
            "mega",
            "webdav",
            "impact",
            "install"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 56,
            "domain": 96,
            "hostname": 10
          },
          "indicator_count": 202,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664159d753d614e3b46d46c2",
          "name": "#StopRansomware: Black Basta | CISA",
          "description": "Ransomware: Black Basta is a new form of cyber-security threat, but what do you know about it and what can you do to protect your personal information from such a threat?",
          "modified": "2024-06-12T00:07:09.388000",
          "created": "2024-05-13T00:07:51.300000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "mitre att",
            "stopransomware",
            "basta",
            "ck techniques",
            "technique title",
            "iocs",
            "powershell",
            "black",
            "cobalt strike",
            "ransomware",
            "cyber",
            "tools",
            "sector",
            "execution",
            "mimikatz",
            "local",
            "april",
            "ransom",
            "download",
            "qakbot",
            "february",
            "psexec",
            "bits",
            "mega",
            "webdav",
            "impact",
            "install"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 56,
            "domain": 96,
            "hostname": 10
          },
          "indicator_count": 202,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66414ff31fd0ab498c4d78d3",
          "name": "IOC Black Basta - CISA",
          "description": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
          "modified": "2024-06-09T15:02:02.700000",
          "created": "2024-05-12T23:25:39.925000",
          "tags": [
            "cobalt strike",
            "scpssh",
            "source ip",
            "anydesk",
            "anydesk server",
            "rat c2"
          ],
          "references": [],
          "public": 1,
          "adversary": "BlackBasta",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "663e4a5203f0af22aa9295cf",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "sc-otx-generic",
            "id": "194320",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_194320/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 95,
            "FileHash-MD5": 3,
            "FileHash-SHA256": 5
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 35,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663e40aa1c52eb7ba90593f1",
          "name": "BlackBasta IOCs",
          "description": "The full list of domain names, domains and IP addresses revealed by the BBC in the wake of the release of a security alert on 22 January 2016:. and here is a summary of them:",
          "modified": "2024-06-09T15:02:02.700000",
          "created": "2024-05-10T15:43:38.327000",
          "tags": [
            "cobalt strike",
            "scpssh",
            "source ip",
            "anydesk",
            "anydesk server",
            "rat c2"
          ],
          "references": [],
          "public": 1,
          "adversary": "BlackBasta",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "kevin.eisenhut",
            "id": "267834",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 95,
            "FileHash-MD5": 3,
            "FileHash-SHA256": 5
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 0,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6642c33d02173a322e2965e3",
          "name": "Black Basta Launches Social Engineering Attack Targeting Organizations",
          "description": "",
          "modified": "2024-05-14T01:49:49.296000",
          "created": "2024-05-14T01:49:49.296000",
          "tags": [
            "cyber threat",
            "time",
            "crypto cyber",
            "defence",
            "hash"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 49,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 57,
            "domain": 93
          },
          "indicator_count": 245,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "747 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a63982b05ce1550b073543",
          "name": "Hackers Actively Distributing PikaBot Loader Malware",
          "description": "",
          "modified": "2024-02-15T08:05:44.712000",
          "created": "2024-01-16T08:08:34.787000",
          "tags": [],
          "references": [
            "January 10th, 2024 - CryptoGen Cyber Threat Intelligence - #3807 - Hackers Actively Distributing PikaBot Loader Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 26,
            "URL": 7,
            "domain": 72
          },
          "indicator_count": 135,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "836 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659f32b3852786ff6489e705",
          "name": "Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaign",
          "description": "",
          "modified": "2024-02-10T00:02:00.626000",
          "created": "2024-01-11T00:13:39.164000",
          "tags": [
            "OSINT",
            "Black Basta",
            "Pikabot",
            "T1566.002 - Spearphishing Link",
            "T1189 - Drive-by Compromise",
            "T1064 - Scripting",
            "T1059 - Command and Scripting Interpreter",
            "T1055 - Process Injection"
          ],
          "references": [
            "https://community.riskiq.com/article/ebaeeb6c"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "domain": 70,
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26
          },
          "indicator_count": 111,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "841 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659e945f9b10a8da559d9051",
          "name": "Water Curupira Hackers Actively Distributing PikaBot Loader Malware",
          "description": "A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.\n\n\"PikaBot's operators ran phishing campaigns, targeting victims via its two components \u2014 a loader and a core module \u2014 which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server,\" Trend Micro said in a report published today.",
          "modified": "2024-02-09T12:04:42.659000",
          "created": "2024-01-10T12:58:07.682000",
          "tags": [
            "phishing",
            "malware",
            "endpoints",
            "research",
            "spam",
            "articles",
            "news",
            "reports",
            "cyber threats",
            "learn",
            "pikabot",
            "dll file",
            "trend micro",
            "black basta",
            "water curupira",
            "pikabot payload",
            "cloud security",
            "trend vision",
            "ot security",
            "alliance",
            "qakbot",
            "stop",
            "cobalt strike",
            "black",
            "icedid",
            "download",
            "hybrid",
            "small",
            "protect",
            "carriers",
            "attack",
            "june",
            "august",
            "darkgate",
            "crash",
            "shift",
            "ukraine",
            "find",
            "indonesia",
            "redacted",
            "look into",
            "spam wave",
            "campaign",
            "compromise",
            "email md5",
            "subject",
            "from ou",
            "urgente"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/a/a-look-into-pikabot-spam-wave-campaign/ioc-pikabot-spam-campaign.txt",
            "https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Black Basta",
              "display_name": "Black Basta",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Pikabot",
              "display_name": "Pikabot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 311,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "URL": 28,
            "domain": 71
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 435,
          "modified_text": "841 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a61a1479fcc5efe1859414",
          "name": "Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaign",
          "description": "",
          "modified": "2024-02-09T09:01:03.534000",
          "created": "2024-01-16T05:54:28.635000",
          "tags": [
            "phishing",
            "Pikabot",
            "loader",
            "Water Curupira",
            "spam campaigns"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Pikabot",
              "display_name": "Pikabot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a6054068a728aff3173138",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "URL": 28,
            "domain": 71
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a419c344af01fa9b1f458d",
          "name": "Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaign",
          "description": "",
          "modified": "2024-02-09T09:01:03.534000",
          "created": "2024-01-14T17:28:35.921000",
          "tags": [
            "phishing",
            "Pikabot",
            "loader",
            "Water Curupira",
            "spam campaigns"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Pikabot",
              "display_name": "Pikabot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "659e657578d730b29e7590e5",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "goatluxy",
            "id": "207695",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "URL": 28,
            "domain": 71
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a4420a9dcd1c1ff93a4270",
          "name": "Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaign",
          "description": "",
          "modified": "2024-02-09T09:01:03.534000",
          "created": "2024-01-14T20:20:26.065000",
          "tags": [
            "phishing",
            "Pikabot",
            "loader",
            "Water Curupira",
            "spam campaigns"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Pikabot",
              "display_name": "Pikabot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a419c344af01fa9b1f458d",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "URL": 28,
            "domain": 71
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a488c72ba18fd8a0f8fbcf",
          "name": "Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaigns",
          "description": "",
          "modified": "2024-02-09T09:01:03.534000",
          "created": "2024-01-15T01:22:15.343000",
          "tags": [
            "phishing",
            "Pikabot",
            "loader",
            "Water Curupira",
            "spam campaigns"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Pikabot",
              "display_name": "Pikabot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a4420a9dcd1c1ff93a4270",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "URL": 28,
            "domain": 71
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a6054068a728aff3173138",
          "name": "Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaign",
          "description": "",
          "modified": "2024-02-09T09:01:03.534000",
          "created": "2024-01-16T04:25:36.061000",
          "tags": [
            "phishing",
            "Pikabot",
            "loader",
            "Water Curupira",
            "spam campaigns"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Pikabot",
              "display_name": "Pikabot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "659e657578d730b29e7590e5",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "URL": 28,
            "domain": 71
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659d8bfacf3b69e7685873e2",
          "name": "Pikabot Spam Campaign",
          "description": "",
          "modified": "2024-02-08T18:03:28.637000",
          "created": "2024-01-09T18:10:02.930000",
          "tags": [
            "pikabot",
            "redacted",
            "look into",
            "spam wave",
            "campaign",
            "compromise",
            "email md5",
            "subject",
            "from ou",
            "urgente",
            "cobalt strike",
            "black"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/a/a-look-into-pikabot-spam-wave-campaign/ioc-pikabot-spam-campaign.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cyber74Team",
            "id": "202637",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "URL": 28,
            "domain": 71
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 165,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659d5f9099ecb2a5a3c38b84",
          "name": "A Look Into Pikabot\u2019s Spam Wave Campaign",
          "description": "Trend Vision One provides a comprehensive guide to the best ways to protect your business from cyber-attacks, breaches and other threats, as well as the most advanced tools for security management and response to them.",
          "modified": "2024-02-08T15:02:37.221000",
          "created": "2024-01-09T15:00:32.696000",
          "tags": [
            "phishing",
            "malware",
            "endpoints",
            "research",
            "spam",
            "articles",
            "news",
            "reports",
            "cyber threats",
            "learn",
            "pikabot",
            "trend micro",
            "dll file",
            "black basta",
            "pikabot payload",
            "cloud security",
            "trend vision",
            "ot security",
            "alliance",
            "stop",
            "qakbot",
            "cobalt strike",
            "icedid",
            "download",
            "hybrid",
            "small",
            "protect",
            "carriers",
            "attack",
            "black",
            "june",
            "august",
            "darkgate",
            "crash",
            "shift",
            "ukraine",
            "find",
            "indonesia",
            "redacted",
            "look into",
            "spam wave",
            "campaign",
            "compromise",
            "email md5",
            "subject",
            "from ou",
            "urgente"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/a/a-look-into-pikabot-spam-wave-campaign/ioc-pikabot-spam-campaign.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Black Basta",
              "display_name": "Black Basta",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Pikabot",
              "display_name": "Pikabot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "URL": 28,
            "FileHash-MD5": 8,
            "FileHash-SHA256": 26,
            "domain": 73
          },
          "indicator_count": 136,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
        "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta",
        "https://dfir-delight.de/p/black-basta-iocs/",
        "https://www.cve.org/CVERecord?id=CVE-2020-1472",
        "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96",
        "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
        "https://community.riskiq.com/article/ebaeeb6c",
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "January 10th, 2024 - CryptoGen Cyber Threat Intelligence - #3807 - Hackers Actively Distributing PikaBot Loader Malware.pdf",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/a/a-look-into-pikabot-spam-wave-campaign/ioc-pikabot-spam-campaign.txt",
        "https://www.cisa.gov/sites/default/files/2024-05/AA24-131A-StopRansomware-Black-Basta.stix_.json",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/black-basta-ransomware-gang-infiltrates-networks-via-qakbot,-brute-ratel-and-cobalt-strike/ioc-black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-cobalt-strike.txt",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
        "https://thehackernews.com/2024/05/black-basta-ransomware-strikes-500.html",
        "https://www.cve.org/CVERecord?id=CVE-2021-42278",
        "https://www.cve.org/CVERecord?id=CVE-2024-1709",
        "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
        "https://www.cve.org/CVERecord?id=CVE-2021-42287",
        "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks",
        "https://www.cve.org/CVERecord?id=CVE-2024-26169",
        "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
        "https://www.cve.org/CVERecord?id=CVE-2021-34527",
        "https://www.cve.org/CVERecord?id=CVE-2022-30190",
        "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html",
        "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
        "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
        "https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html",
        "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know",
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Black Basta"
          ],
          "malware_families": [
            "Qbot",
            "Pikabot",
            "Pinkslipbot",
            "Qakbot - s0650",
            "Quackbot"
          ],
          "industries": [
            "Public health",
            "Healthcare"
          ]
        },
        "other": {
          "adversary": [
            "BlackBasta",
            "Black Basta"
          ],
          "malware_families": [
            "Alf:backdoor:win32/qbot",
            "Cobalt strike",
            "Qakbot",
            "Behavior:win32/basta",
            "Pinkslipbot",
            "Backdoor:win64/cobaltstrike",
            "Conti",
            "Quackbot",
            "Trojan:win32/qbot",
            "Trojan:win32/pinkslipbot",
            "Black basta",
            "Trojan:win64/turtleloader.cs",
            "Behavior:win32/systembc",
            "Trojandownloader:o97m/qakbot",
            "Trojan:win32/quackbot",
            "Widespread qbot",
            "Exploit:win32/shellcode.bn",
            "Pikabot",
            "Ransom:win32/basta",
            "Trojan:win32/qakbot",
            "Behavior:win32/cobaltstrike",
            "Primary netsupport",
            "Netsupport",
            "Basta linux",
            "Qbot",
            "Behavior:win32/qakbot",
            "Trojan:win32/basta",
            "Qakbot - s0650",
            "Trojandropper:powershell/cobacis",
            "Hacktool:win64/cobaltstrike",
            "Trojan: win32/systembc",
            "Trojanspy:win32/qakbot"
          ],
          "industries": [
            "Government",
            "Public health",
            "Telecommunications",
            "Healthcare",
            "Construction",
            "Energy",
            "Media",
            "Education",
            "Legal",
            "Finance",
            "Manufacturing",
            "Transportation",
            "Critical infrastructure",
            "Emergency services",
            "Retail",
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 36,
  "pulses": [
    {
      "id": "6641de0f085ac4fc0c55aec4",
      "name": "StopRansomware: Black Basta",
      "description": "This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Public Health. They gain initial access through phishing and exploiting vulnerabilities, employ double extortion tactics with data exfiltration and encryption, and leverage various tools for lateral movement and privilege escalation. The advisory provides mitigations and recommendations for organizations to protect against this threat.",
      "modified": "2024-06-12T09:05:01.533000",
      "created": "2024-05-13T09:31:59.558000",
      "tags": [
        "cve-2021-34527",
        "cve-2021-42278",
        "ransomware",
        "qakbot",
        "encryption",
        "cve-2024-1709",
        "pinkslipbot",
        "quackbot",
        "exfiltration",
        "cve-2021-42287",
        "qbot",
        "phishing",
        "healthcare",
        "cve-2020-1472"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
      ],
      "public": 1,
      "adversary": "Black Basta",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "QakBot - S0650",
          "display_name": "QakBot - S0650",
          "target": null
        },
        {
          "id": "Pinkslipbot",
          "display_name": "Pinkslipbot",
          "target": null
        },
        {
          "id": "QuackBot",
          "display_name": "QuackBot",
          "target": null
        },
        {
          "id": "QBot",
          "display_name": "QBot",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        }
      ],
      "industries": [
        "Healthcare",
        "Public Health"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4209,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 5,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 55,
        "domain": 95,
        "hostname": 10
      },
      "indicator_count": 198,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386503,
      "modified_text": "718 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "659e657578d730b29e7590e5",
      "name": "Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaign",
      "description": "Pikabot is a type of loader malware that was actively used in spam campaigns by a threat actor we track under the Intrusion set Water Curupira in the first quarter of 2023, followed by a break at the end of June that lasted until the start of September 2023. Other researchers have previously noted its strong similarities to Qakbot, the latter of which was taken down by law enforcement in August 2023. An increase in the number of phishing campaigns related to Pikabot was recorded in the last quarter of 2023, coinciding with the takedown of Qakbot \u2014 hinting at the possibility that Pikabot might be a replacement for the latter (with DarkGate being another temporary replacement in the wake of the takedown).",
      "modified": "2024-02-09T09:01:03.534000",
      "created": "2024-01-10T09:37:57.095000",
      "tags": [
        "phishing",
        "Pikabot",
        "loader",
        "Water Curupira",
        "spam campaigns"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Pikabot",
          "display_name": "Pikabot",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 349,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA256": 26,
        "URL": 28,
        "domain": 71
      },
      "indicator_count": 133,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386504,
      "modified_text": "842 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a5c36b78ed73550bb0bf22",
      "name": "by Disable_Duck",
      "description": "",
      "modified": "2026-03-04T23:37:24.208000",
      "created": "2026-03-02T17:05:47.288000",
      "tags": [
        "kgs0",
        "kls0",
        "botname http",
        "entity",
        "UAlberta",
        "Telus",
        "Norton",
        "ffss",
        "Alberta",
        "AlbertaNDP",
        "InteriorHealth",
        "RCMP",
        "CrimeStoppersAB",
        "EdmontonPolice",
        "RCMP Kelowna",
        "RCMP AB",
        "TLS/SSL Crawler",
        "CVE-2026-24061 Attempt",
        "Generic IoT Default Password Attempt",
        "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
        "Dahua Backdoor Attempt",
        "ENV Crawler",
        "DCERPC Protocol",
        "Carries HTTP Referer",
        "GNU Inetutils Telnetd Auth Bypass",
        "ICMPv4 Protocol"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
        "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands",
        "Panama",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland",
        "Slovakia",
        "Aruba",
        "Anguilla",
        "Australia",
        "Costa Rica",
        "Guatemala",
        "Mexico",
        "Trinidad and Tobago",
        "Cura\u00e7ao",
        "Philippines",
        "Virgin Islands, U.S.",
        "Ukraine",
        "Barbados",
        "Germany",
        "Sint Maarten (Dutch part)",
        "Argentina",
        "Switzerland"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Energy",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "6901363c4ce422f5caf0f72c",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3903,
        "FileHash-SHA1": 4967,
        "FileHash-SHA256": 12884,
        "URL": 996,
        "domain": 987,
        "hostname": 3306,
        "email": 4,
        "CVE": 1
      },
      "indicator_count": 27048,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "87 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6901363c4ce422f5caf0f72c",
      "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
      "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse mostly covers activity in the Province of Alberta, Canada. Given recent news, it appears that BC Interior Health and the Kelowna RCMP Detachment were impacted, in addition to the Alberta sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6, 7, 8, as well as the Canadian CRA, heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
      "modified": "2026-02-18T05:00:41.494000",
      "created": "2025-10-28T21:31:40.008000",
      "tags": [
        "kgs0",
        "kls0",
        "botname http",
        "entity",
        "UAlberta",
        "Telus",
        "Norton",
        "ffss",
        "Alberta",
        "AlbertaNDP",
        "InteriorHealth",
        "RCMP",
        "CrimeStoppersAB",
        "EdmontonPolice",
        "RCMP Kelowna",
        "RCMP AB"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands",
        "Panama",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland",
        "Slovakia",
        "Aruba",
        "Anguilla",
        "Australia",
        "Costa Rica",
        "Guatemala",
        "Mexico",
        "Trinidad and Tobago",
        "Cura\u00e7ao",
        "Philippines",
        "Virgin Islands, U.S.",
        "Ukraine",
        "Barbados",
        "Germany",
        "Sint Maarten (Dutch part)"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Energy",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3903,
        "FileHash-SHA1": 4967,
        "FileHash-SHA256": 12884,
        "URL": 995,
        "domain": 984,
        "hostname": 3305,
        "email": 4
      },
      "indicator_count": 27042,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "102 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6783308fc0b6e2bd8dfb209c",
      "name": "TTC-CERT_blocklist_recommended",
      "description": "",
      "modified": "2026-02-14T00:03:07.406000",
      "created": "2025-01-12T03:01:35.075000",
      "tags": [],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 606,
        "URL": 4,
        "domain": 25122,
        "hostname": 25306
      },
      "indicator_count": 51038,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 185,
      "modified_text": "106 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "663e4a5203f0af22aa9295cf",
      "name": "IOC Basta",
      "description": "",
      "modified": "2025-05-14T13:11:03.272000",
      "created": "2024-05-10T16:24:50.903000",
      "tags": [
        "cobalt strike",
        "scpssh",
        "source ip",
        "anydesk",
        "anydesk server",
        "rat c2"
      ],
      "references": [],
      "public": 1,
      "adversary": "BlackBasta",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "663e40aa1c52eb7ba90593f1",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "3ltrashpanda",
        "id": "253624",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 95,
        "FileHash-MD5": 3,
        "FileHash-SHA256": 5
      },
      "indicator_count": 103,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 8,
      "modified_text": "381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f73a3f45fa88890276d",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:23.616000",
      "created": "2024-11-24T03:37:23.616000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "553 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f7224d433f384b935c8",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:22.551000",
      "created": "2024-11-24T03:37:22.551000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "553 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6710059101b736e38b9cd2b0",
      "name": "Black Basta",
      "description": "Black Basta is a financially motivated ransomware group that began operations in 2022. It targets organizations across various sectors, including manufacturing, healthcare, and finance, using a double extortion method. The group encrypts victims' systems and threatens to leak stolen data unless a ransom is paid. Their ransomware spreads via phishing campaigns and the exploitation of vulnerabilities in systems. Black Basta is known for collaborating with other cybercriminals, which enhances the impact and sophistication of their attacks.",
      "modified": "2024-11-15T17:03:59.652000",
      "created": "2024-10-16T18:27:29.179000",
      "tags": [
        "strong",
        "black basta",
        "cisa",
        "powershell",
        "ransomware",
        "cobalt strike",
        "phishing",
        "mimikatz",
        "qakbot",
        "psexec",
        "bits",
        "webdav",
        "winscp",
        "conti",
        "anydesk",
        "quick assist",
        "netsupport",
        "windows",
        "blackbasta",
        "batloader",
        "rclone",
        "vmware esxi",
        "netcat",
        "qbot",
        "emotet",
        "trickbot",
        "pinkslipbot",
        "team",
        "C++",
        "Linux",
        "ChaCha20",
        "RSA-4096",
        "ConnectWise",
        "ZeroLogon",
        "NoPac",
        "PrintNightmare",
        "CVE-2024-1709",
        "CVE-2024-26169",
        "CVE-2020-1472",
        "CVE-2021-42278",
        "CVE-2021-42287",
        "CVE-2021-34527",
        "BITSAdmin",
        "Cobalt Strike",
        "Netcat",
        "ScreenConnect",
        "NetSupport Manager",
        "SystemBC",
        "Qakbot",
        "WMI",
        "RClone",
        "SoftPerfect",
        "BackStab",
        "EvilProxy",
        "Splashtop",
        "WinSCP",
        "C2",
        "CVE-2022-30190",
        "Storm-1811",
        "spear phishing",
        "Coroxy",
        "cobeacon",
        "RaaS",
        "aa24-131a",
        "wandering spider",
        "Conti",
        "wizard spider",
        "BGH"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
        "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know",
        "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
        "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks",
        "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta",
        "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
        "https://www.cve.org/CVERecord?id=CVE-2020-1472",
        "https://www.cve.org/CVERecord?id=CVE-2021-34527",
        "https://www.cve.org/CVERecord?id=CVE-2021-42278",
        "https://www.cve.org/CVERecord?id=CVE-2021-42287",
        "https://www.cve.org/CVERecord?id=CVE-2024-1709",
        "https://www.cve.org/CVERecord?id=CVE-2024-26169",
        "https://www.cve.org/CVERecord?id=CVE-2022-30190",
        "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
        "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
        "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta"
      ],
      "public": 1,
      "adversary": "Black Basta",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Canada",
        "Australia",
        "New Zealand",
        "Japan",
        "France",
        "United Kingdom of Great Britain and Northern Ireland",
        "Italy",
        "Switzerland"
      ],
      "malware_families": [
        {
          "id": "Conti",
          "display_name": "Conti",
          "target": null
        },
        {
          "id": "Qakbot",
          "display_name": "Qakbot",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Black Basta",
          "display_name": "Black Basta",
          "target": null
        },
        {
          "id": "Primary NetSupport",
          "display_name": "Primary NetSupport",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "Basta Linux",
          "display_name": "Basta Linux",
          "target": null
        },
        {
          "id": "Widespread QBot",
          "display_name": "Widespread QBot",
          "target": null
        },
        {
          "id": "Qbot",
          "display_name": "Qbot",
          "target": null
        },
        {
          "id": "TrojanDownloader:O97M/Qakbot",
          "display_name": "TrojanDownloader:O97M/Qakbot",
          "target": "/malware/TrojanDownloader:O97M/Qakbot"
        },
        {
          "id": "Trojan:Win32/QBot",
          "display_name": "Trojan:Win32/QBot",
          "target": "/malware/Trojan:Win32/QBot"
        },
        {
          "id": "Trojan:Win32/Qakbot",
          "display_name": "Trojan:Win32/Qakbot",
          "target": "/malware/Trojan:Win32/Qakbot"
        },
        {
          "id": "TrojanSpy:Win32/Qakbot",
          "display_name": "TrojanSpy:Win32/Qakbot",
          "target": "/malware/TrojanSpy:Win32/Qakbot"
        },
        {
          "id": "Behavior:Win32/Qakbot",
          "display_name": "Behavior:Win32/Qakbot",
          "target": "/malware/Behavior:Win32/Qakbot"
        },
        {
          "id": "Behavior:Win32/Basta",
          "display_name": "Behavior:Win32/Basta",
          "target": "/malware/Behavior:Win32/Basta"
        },
        {
          "id": "Ransom:Win32/Basta",
          "display_name": "Ransom:Win32/Basta",
          "target": "/malware/Ransom:Win32/Basta"
        },
        {
          "id": "Trojan:Win32/Basta",
          "display_name": "Trojan:Win32/Basta",
          "target": "/malware/Trojan:Win32/Basta"
        },
        {
          "id": "Behavior:Win32/CobaltStrike",
          "display_name": "Behavior:Win32/CobaltStrike",
          "target": "/malware/Behavior:Win32/CobaltStrike"
        },
        {
          "id": "Backdoor:Win64/CobaltStrike",
          "display_name": "Backdoor:Win64/CobaltStrike",
          "target": "/malware/Backdoor:Win64/CobaltStrike"
        },
        {
          "id": "HackTool:Win64/CobaltStrike",
          "display_name": "HackTool:Win64/CobaltStrike",
          "target": "/malware/HackTool:Win64/CobaltStrike"
        },
        {
          "id": "TrojanDropper:PowerShell/Cobacis",
          "display_name": "TrojanDropper:PowerShell/Cobacis",
          "target": "/malware/TrojanDropper:PowerShell/Cobacis"
        },
        {
          "id": "Trojan:Win64/TurtleLoader.CS",
          "display_name": "Trojan:Win64/TurtleLoader.CS",
          "target": "/malware/Trojan:Win64/TurtleLoader.CS"
        },
        {
          "id": "Exploit:Win32/ShellCode.BN",
          "display_name": "Exploit:Win32/ShellCode.BN",
          "target": "/malware/Exploit:Win32/ShellCode.BN"
        },
        {
          "id": "Behavior:Win32/SystemBC",
          "display_name": "Behavior:Win32/SystemBC",
          "target": "/malware/Behavior:Win32/SystemBC"
        },
        {
          "id": "Trojan: Win32/SystemBC",
          "display_name": "Trojan: Win32/SystemBC",
          "target": "/malware/Trojan: Win32/SystemBC"
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        }
      ],
      "industries": [
        "Critical Infrastructure",
        "Healthcare",
        "Manufacturing",
        "Construction",
        "Retail",
        "Legal",
        "Finance",
        "Technology",
        "Emergency Services",
        "Media",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 52,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "v0od0o.exe",
        "id": "273579",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 111,
        "FileHash-SHA1": 110,
        "FileHash-SHA256": 148,
        "CVE": 7,
        "domain": 113,
        "hostname": 62,
        "URL": 4
      },
      "indicator_count": 555,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "561 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "670f94e03014212e19fa5a77",
      "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
      "description": "By Helaly",
      "modified": "2024-11-15T10:01:11.688000",
      "created": "2024-10-16T10:26:40.893000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 39659,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Eslam-ElHelaly",
        "id": "259630",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 80,
      "modified_text": "562 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "cloudworldst.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "cloudworldst.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780221984.1115665
}