{ "type": "URL", "indicator": "https://bashupload.com/uCiPm/SENT_Kill[.]zip", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://bashupload.com/uCiPm/SENT_Kill[.]zip", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4034406285, "indicator": "https://bashupload.com/uCiPm/SENT_Kill[.]zip", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6389edf4071ec7c595fc8204", "name": "BlackBasta ransomware", "description": "Members of the Conti ransomware group appear to have splintered into multiple threat groups including BlackBasta, which has become one of the most significant ransomware threats. ThreatLabz has observed more than five victims that have been compromised by BlackBasta 2.0 since the new version\u2019s release in mid-November 2022. This demonstrates that the threat group is very successful at compromising organizations and the latest version of the ransomware will likely enable them to better evade antivirus and\u00a0EDRs.", "modified": "2025-03-23T00:03:10.218000", "created": "2022-12-02T12:22:12.999000", "tags": [ "blackbasta", "conti", "ransomware" ], "references": [ "https://www.zscaler.com/blogs/security-research/back-black-basta" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "BlackBasta", "display_name": "BlackBasta", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 411, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "URL": 2, "domain": 2, "FileHash-SHA1": 3, "FileHash-MD5": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386990, "modified_text": "437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c834b9ebbf99258302a0c5", "name": "Kaspersky SOC analyzes an incident involving a web shell used as a backdoor | Securelist", "description": "Kaspersky Endpoint Security (SOC) uncovered a well-known family of web shells used by Chinese-speaking threat actors, according to the company's security researcher Domenico Caldarella.", "modified": "2025-03-05T11:25:45.374000", "created": "2025-03-05T11:25:45.374000", "tags": [ "backdoor", "malware", "malware descriptions", "malware technologies", "soc", "web shell", "redacted", "enjsonandcrypt", "bashupload", "potato", "monday morning", "siem", "security", "southeast asia", "soc analyst", "sharepoint", "virustotal", "careto", "aspx", "cookieplus" ], "references": [ "https://securelist.com/soc-files-web-shell-chase/115714/" ], "public": 1, "adversary": "Careto", "targeted_countries": [], "malware_families": [ { "id": "ASPX", "display_name": "ASPX", "target": null }, { "id": "CookiePlus", "display_name": "CookiePlus", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threathunter999", "id": "300383", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 20, "YARA": 1, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "454 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.zscaler.com/blogs/security-research/back-black-basta", "https://securelist.com/soc-files-web-shell-chase/115714/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Blackbasta", "Conti" ], "industries": [], "unique_indicators": 16 }, "other": { "adversary": [ "Careto" ], "malware_families": [ "Aspx", "Cookieplus" ], "industries": [], "unique_indicators": 37 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bashupload.com", "whois": "http://whois.domaintools.com/bashupload.com", "domain": "bashupload.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6389edf4071ec7c595fc8204", "name": "BlackBasta ransomware", "description": "Members of the Conti ransomware group appear to have splintered into multiple threat groups including BlackBasta, which has become one of the most significant ransomware threats. ThreatLabz has observed more than five victims that have been compromised by BlackBasta 2.0 since the new version\u2019s release in mid-November 2022. This demonstrates that the threat group is very successful at compromising organizations and the latest version of the ransomware will likely enable them to better evade antivirus and\u00a0EDRs.", "modified": "2025-03-23T00:03:10.218000", "created": "2022-12-02T12:22:12.999000", "tags": [ "blackbasta", "conti", "ransomware" ], "references": [ "https://www.zscaler.com/blogs/security-research/back-black-basta" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "BlackBasta", "display_name": "BlackBasta", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 411, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "URL": 2, "domain": 2, "FileHash-SHA1": 3, "FileHash-MD5": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386990, "modified_text": "437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c834b9ebbf99258302a0c5", "name": "Kaspersky SOC analyzes an incident involving a web shell used as a backdoor | Securelist", "description": "Kaspersky Endpoint Security (SOC) uncovered a well-known family of web shells used by Chinese-speaking threat actors, according to the company's security researcher Domenico Caldarella.", "modified": "2025-03-05T11:25:45.374000", "created": "2025-03-05T11:25:45.374000", "tags": [ "backdoor", "malware", "malware descriptions", "malware technologies", "soc", "web shell", "redacted", "enjsonandcrypt", "bashupload", "potato", "monday morning", "siem", "security", "southeast asia", "soc analyst", "sharepoint", "virustotal", "careto", "aspx", "cookieplus" ], "references": [ "https://securelist.com/soc-files-web-shell-chase/115714/" ], "public": 1, "adversary": "Careto", "targeted_countries": [], "malware_families": [ { "id": "ASPX", "display_name": "ASPX", "target": null }, { "id": "CookiePlus", "display_name": "CookiePlus", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threathunter999", "id": "300383", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 20, "YARA": 1, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "454 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://bashupload.com/uCiPm/SENT_Kill[.]zip", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://bashupload.com/uCiPm/SENT_Kill[.]zip", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780452856.6640563 }