{
  "type": "Domain",
  "indicator": "startupbuss.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/startupbuss.com",
    "alexa": "http://www.alexa.com/siteinfo/startupbuss.com",
    "indicator": "startupbuss.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3854131797,
      "indicator": "startupbuss.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 23,
      "pulses": [
        {
          "id": "6641de0f085ac4fc0c55aec4",
          "name": "StopRansomware: Black Basta",
          "description": "This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Public Health. They gain initial access through phishing and exploiting vulnerabilities, employ double extortion tactics with data exfiltration and encryption, and leverage various tools for lateral movement and privilege escalation. The advisory provides mitigations and recommendations for organizations to protect against this threat.",
          "modified": "2024-06-12T09:05:01.533000",
          "created": "2024-05-13T09:31:59.558000",
          "tags": [
            "cve-2021-34527",
            "cve-2021-42278",
            "ransomware",
            "qakbot",
            "encryption",
            "cve-2024-1709",
            "pinkslipbot",
            "quackbot",
            "exfiltration",
            "cve-2021-42287",
            "qbot",
            "phishing",
            "healthcare",
            "cve-2020-1472"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot - S0650",
              "display_name": "QakBot - S0650",
              "target": null
            },
            {
              "id": "Pinkslipbot",
              "display_name": "Pinkslipbot",
              "target": null
            },
            {
              "id": "QuackBot",
              "display_name": "QuackBot",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Healthcare",
            "Public Health"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4209,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 55,
            "domain": 95,
            "hostname": 10
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386543,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6783308fc0b6e2bd8dfb209c",
          "name": "TTC-CERT_blocklist_recommended",
          "description": "",
          "modified": "2026-02-14T00:03:07.406000",
          "created": "2025-01-12T03:01:35.075000",
          "tags": [],
          "references": [
            "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 606,
            "URL": 4,
            "domain": 25122,
            "hostname": 25306
          },
          "indicator_count": 51038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 185,
          "modified_text": "106 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663e4a5203f0af22aa9295cf",
          "name": "IOC Basta",
          "description": "",
          "modified": "2025-05-14T13:11:03.272000",
          "created": "2024-05-10T16:24:50.903000",
          "tags": [
            "cobalt strike",
            "scpssh",
            "source ip",
            "anydesk",
            "anydesk server",
            "rat c2"
          ],
          "references": [],
          "public": 1,
          "adversary": "BlackBasta",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "663e40aa1c52eb7ba90593f1",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "3ltrashpanda",
            "id": "253624",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 95,
            "FileHash-MD5": 3,
            "FileHash-SHA256": 5
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 8,
          "modified_text": "382 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "553 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "553 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6710059101b736e38b9cd2b0",
          "name": "Black Basta",
          "description": "Black Basta is a financially motivated ransomware group that began operations in 2022. It targets organizations across various sectors, including manufacturing, healthcare, and finance, using a double extortion method. The group encrypts victims' systems and threatens to leak stolen data unless a ransom is paid. Their ransomware spreads via phishing campaigns, exploiting vulnerabilities in systems. Black Basta is known for collaborating with other cybercriminals, which enhances the impact and sophistication of their attacks.",
          "modified": "2024-11-15T17:03:59.652000",
          "created": "2024-10-16T18:27:29.179000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "powershell",
            "ransomware",
            "cobalt strike",
            "phishing",
            "mimikatz",
            "qakbot",
            "psexec",
            "bits",
            "webdav",
            "winscp",
            "conti",
            "anydesk",
            "quick assist",
            "netsupport",
            "windows",
            "blackbasta",
            "batloader",
            "rclone",
            "vmware esxi",
            "netcat",
            "qbot",
            "emotet",
            "trickbot",
            "pinkslipbot",
            "team",
            "C++",
            "Linux",
            "ChaCha20",
            "RSA-4096",
            "ConnectWise",
            "ZeroLogon",
            "NoPac",
            "PrintNightmare",
            "CVE-2024-1709",
            "CVE-2024-26169",
            "CVE-2020-1472",
            "CVE-2021-42278",
            "CVE-2021-42287",
            "CVE-2021-34527",
            "BITSAdmin",
            "Cobalt Strike",
            "Netcat",
            "ScreenConnect",
            "NetSupport Manager",
            "SystemBC",
            "Qakbot",
            "WMI",
            "RClone",
            "SoftPerfect",
            "BackStab",
            "EvilProxy",
            "Splashtop",
            "WinSCP",
            "C2",
            "CVE-2022-30190",
            "Storm-1811",
            "spear phishing",
            "Coroxy",
            "cobeacon",
            "RaaS",
            "aa24-131a",
            "wandering spider",
            "Conti",
            "wizard spider",
            "BGH"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
            "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know",
            "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
            "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks",
            "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta",
            "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
            "https://www.cve.org/CVERecord?id=CVE-2020-1472",
            "https://www.cve.org/CVERecord?id=CVE-2021-34527",
            "https://www.cve.org/CVERecord?id=CVE-2021-42278",
            "https://www.cve.org/CVERecord?id=CVE-2021-42287",
            "https://www.cve.org/CVERecord?id=CVE-2024-1709",
            "https://www.cve.org/CVERecord?id=CVE-2024-26169",
            "https://www.cve.org/CVERecord?id=CVE-2022-30190",
            "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
            "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
            "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Canada",
            "Australia",
            "New Zealand",
            "Japan",
            "France",
            "United Kingdom of Great Britain and Northern Ireland",
            "Italy",
            "Switzerland"
          ],
          "malware_families": [
            {
              "id": "Conti",
              "display_name": "Conti",
              "target": null
            },
            {
              "id": "Qakbot",
              "display_name": "Qakbot",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Black Basta",
              "display_name": "Black Basta",
              "target": null
            },
            {
              "id": "Primary NetSupport",
              "display_name": "Primary NetSupport",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "Basta Linux",
              "display_name": "Basta Linux",
              "target": null
            },
            {
              "id": "Widespread QBot",
              "display_name": "Widespread QBot",
              "target": null
            },
            {
              "id": "Qbot",
              "display_name": "Qbot",
              "target": null
            },
            {
              "id": "TrojanDownloader:O97M/Qakbot",
              "display_name": "TrojanDownloader:O97M/Qakbot",
              "target": "/malware/TrojanDownloader:O97M/Qakbot"
            },
            {
              "id": "Trojan:Win32/QBot",
              "display_name": "Trojan:Win32/QBot",
              "target": "/malware/Trojan:Win32/QBot"
            },
            {
              "id": "Trojan:Win32/Qakbot",
              "display_name": "Trojan:Win32/Qakbot",
              "target": "/malware/Trojan:Win32/Qakbot"
            },
            {
              "id": "TrojanSpy:Win32/Qakbot",
              "display_name": "TrojanSpy:Win32/Qakbot",
              "target": "/malware/TrojanSpy:Win32/Qakbot"
            },
            {
              "id": "Behavior:Win32/Qakbot",
              "display_name": "Behavior:Win32/Qakbot",
              "target": "/malware/Behavior:Win32/Qakbot"
            },
            {
              "id": "Behavior:Win32/Basta",
              "display_name": "Behavior:Win32/Basta",
              "target": "/malware/Behavior:Win32/Basta"
            },
            {
              "id": "Ransom:Win32/Basta",
              "display_name": "Ransom:Win32/Basta",
              "target": "/malware/Ransom:Win32/Basta"
            },
            {
              "id": "Trojan:Win32/Basta",
              "display_name": "Trojan:Win32/Basta",
              "target": "/malware/Trojan:Win32/Basta"
            },
            {
              "id": "Behavior:Win32/CobaltStrike",
              "display_name": "Behavior:Win32/CobaltStrike",
              "target": "/malware/Behavior:Win32/CobaltStrike"
            },
            {
              "id": "Backdoor:Win64/CobaltStrike",
              "display_name": "Backdoor:Win64/CobaltStrike",
              "target": "/malware/Backdoor:Win64/CobaltStrike"
            },
            {
              "id": "HackTool:Win64/CobaltStrike",
              "display_name": "HackTool:Win64/CobaltStrike",
              "target": "/malware/HackTool:Win64/CobaltStrike"
            },
            {
              "id": "TrojanDropper:PowerShell/Cobacis",
              "display_name": "TrojanDropper:PowerShell/Cobacis",
              "target": "/malware/TrojanDropper:PowerShell/Cobacis"
            },
            {
              "id": "Trojan:Win64/TurtleLoader.CS",
              "display_name": "Trojan:Win64/TurtleLoader.CS",
              "target": "/malware/Trojan:Win64/TurtleLoader.CS"
            },
            {
              "id": "Exploit:Win32/ShellCode.BN",
              "display_name": "Exploit:Win32/ShellCode.BN",
              "target": "/malware/Exploit:Win32/ShellCode.BN"
            },
            {
              "id": "Behavior:Win32/SystemBC",
              "display_name": "Behavior:Win32/SystemBC",
              "target": "/malware/Behavior:Win32/SystemBC"
            },
            {
              "id": "Trojan: Win32/SystemBC",
              "display_name": "Trojan: Win32/SystemBC",
              "target": "/malware/Trojan: Win32/SystemBC"
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare",
            "Manufacturing",
            "Construction",
            "Retail",
            "Legal",
            "Finance",
            "Technology",
            "Emergency Services",
            "Media",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 52,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "v0od0o.exe",
            "id": "273579",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 111,
            "FileHash-SHA1": 110,
            "FileHash-SHA256": 148,
            "CVE": 7,
            "domain": 113,
            "hostname": 62,
            "URL": 4
          },
          "indicator_count": 555,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "561 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39659,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 80,
          "modified_text": "562 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663e665af0be7711515f63c4",
          "name": "FHS - Black Basta IOCs",
          "description": "TIs from different articles related to the Black Basta Ransomware group.",
          "modified": "2024-10-29T17:15:34.271000",
          "created": "2024-05-10T18:24:26.663000",
          "tags": [
            "incident response",
            "ransomware",
            "forensics",
            "threat intelligence",
            "black basta",
            "iocs",
            "trendmicro",
            "iocsyou",
            "misp event",
            "domains",
            "icmp traffic",
            "c2 endpoint",
            "hvs iocs",
            "misp feed",
            "#StopRansomware: Black Basta"
          ],
          "references": [
            "https://dfir-delight.de/p/black-basta-iocs/",
            "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/black-basta-ransomware-gang-infiltrates-networks-via-qakbot,-brute-ratel-and-cobalt-strike/ioc-black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-cobalt-strike.txt",
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 61,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "FHS-Services",
            "id": "51336",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 112,
            "FileHash-MD5": 66,
            "URL": 53,
            "IPv4": 122,
            "FileHash-SHA256": 87,
            "FileHash-SHA1": 54,
            "hostname": 14
          },
          "indicator_count": 508,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "578 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6654138435c5832ca2c4028f",
          "name": "DOH Domains IOCs",
          "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with",
          "modified": "2024-08-26T04:12:43.497000",
          "created": "2024-05-27T05:00:52.918000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fueledbycoffeeDXB",
            "id": "272228",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "domain": 1335,
            "hostname": 667
          },
          "indicator_count": 2009,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "643 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6683bdd1247c16c5855518c7",
          "name": "Domain-URL-IP-Hash-IOC",
          "description": "Updated collection of malicious, malware, phishing, etc. indicators: domains, URLs, IPs, and hashes",
          "modified": "2024-08-02T07:05:02.060000",
          "created": "2024-07-02T08:44:01.648000",
          "tags": [
            "word"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 286,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 2521,
            "domain": 8243,
            "email": 7,
            "hostname": 2893
          },
          "indicator_count": 13683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "667 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6683bdc8052a11fe921381a0",
          "name": "Domain-URL-IP-Hash-IOC",
          "description": "Updated collection of malicious, malware, phishing, etc. indicators: domains, URLs, IPs, and hashes",
          "modified": "2024-08-01T08:02:48.060000",
          "created": "2024-07-02T08:43:52.203000",
          "tags": [
            "word"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 2409,
            "domain": 7836,
            "email": 7,
            "hostname": 2783
          },
          "indicator_count": 13054,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "668 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66793d4fc20f3888ca20fe66",
          "name": " #StopRansomware: Black Basta ",
          "description": "",
          "modified": "2024-06-24T09:33:03.695000",
          "created": "2024-06-24T09:33:03.695000",
          "tags": [
            "cve-2021-34527",
            "cve-2021-42278",
            "ransomware",
            "qakbot",
            "encryption",
            "cve-2024-1709",
            "pinkslipbot",
            "quackbot",
            "exfiltration",
            "cve-2021-42287",
            "qbot",
            "phishing",
            "healthcare",
            "cve-2020-1472"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot - S0650",
              "display_name": "QakBot - S0650",
              "target": null
            },
            {
              "id": "Pinkslipbot",
              "display_name": "Pinkslipbot",
              "target": null
            },
            {
              "id": "QuackBot",
              "display_name": "QuackBot",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Healthcare",
            "Public Health"
          ],
          "TLP": "white",
          "cloned_from": "664ae0bba7216fa4c9e46276",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 55,
            "domain": 95,
            "hostname": 10
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "706 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664fa66213d6bb0091d6da0b",
          "name": "Black Basta Plus",
          "description": "Combination of several IOC intelligence sources for the Black Basta ransomware. Not all IOCs have been validated, so the potential for false positives may be high. Please review any alerts to confirm their threat level. Based on AlienVault's Black Basta pulse: https://otx.alienvault.com/pulse/6641de0f085ac4fc0c55aec4",
          "modified": "2024-06-22T20:03:29.127000",
          "created": "2024-05-23T20:26:10.442000",
          "tags": [
            "cve-2021-34527",
            "cve-2021-42278",
            "ransomware",
            "qakbot",
            "encryption",
            "cve-2024-1709",
            "pinkslipbot",
            "quackbot",
            "exfiltration",
            "cve-2021-42287",
            "qbot",
            "phishing",
            "healthcare",
            "cve-2020-1472"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/black-basta-ransomware-gang-infiltrates-networks-via-qakbot,-brute-ratel-and-cobalt-strike/ioc-black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-cobalt-strike.txt",
            "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
            "https://dfir-delight.de/p/black-basta-iocs/"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot - S0650",
              "display_name": "QakBot - S0650",
              "target": null
            },
            {
              "id": "Trojan:Win32/Pinkslipbot",
              "display_name": "Trojan:Win32/Pinkslipbot",
              "target": "/malware/Trojan:Win32/Pinkslipbot"
            },
            {
              "id": "Trojan:Win32/Quackbot",
              "display_name": "Trojan:Win32/Quackbot",
              "target": "/malware/Trojan:Win32/Quackbot"
            },
            {
              "id": "ALF:Backdoor:Win32/QBot",
              "display_name": "ALF:Backdoor:Win32/QBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Healthcare",
            "Public Health"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AngRogers",
            "id": "72068",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 65,
            "FileHash-SHA1": 53,
            "FileHash-SHA256": 86,
            "domain": 106,
            "hostname": 10
          },
          "indicator_count": 325,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "707 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6645082ffbfa2f332e75bded",
          "name": "AA24-131A-Ransomware-Black-Basta.stix_",
          "description": "AA24-131A-StopRansomware-Black-Basta.stix_",
          "modified": "2024-06-14T19:00:21.016000",
          "created": "2024-05-15T19:08:31.637000",
          "tags": [],
          "references": [
            "https://www.cisa.gov/sites/default/files/2024-05/AA24-131A-StopRansomware-Black-Basta.stix_.json"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 51,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 55,
            "domain": 98,
            "hostname": 10
          },
          "indicator_count": 262,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 209,
          "modified_text": "715 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66422aa4ddc565fcc04894f4",
          "name": "Black Basta Threat Actor Emerges as a Major Threat Actor to the Healthcare Industry",
          "description": "",
          "modified": "2024-06-12T14:00:20.264000",
          "created": "2024-05-13T14:58:44.896000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "BlackBasta",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mxdrthreat",
            "id": "230035",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 42,
            "FileHash-SHA1": 42,
            "FileHash-SHA256": 44,
            "domain": 94,
            "hostname": 7
          },
          "indicator_count": 229,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 53,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641f443bf5f53cf5c334367",
          "name": "#StopRansomware: Black Basta | CISA",
          "description": "Ransomware: Black Basta is a new form of cyber-security threat, but what do you know about it and what can you do to protect your personal information from such a threat?",
          "modified": "2024-06-12T11:01:21.251000",
          "created": "2024-05-13T11:06:43.176000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "mitre att",
            "stopransomware",
            "basta",
            "ck techniques",
            "technique title",
            "iocs",
            "powershell",
            "black",
            "cobalt strike",
            "ransomware",
            "cyber",
            "tools",
            "sector",
            "execution",
            "mimikatz",
            "local",
            "april",
            "ransom",
            "download",
            "qakbot",
            "february",
            "psexec",
            "bits",
            "mega",
            "webdav",
            "impact",
            "install"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "parvesh4399",
            "id": "224939",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 56,
            "domain": 96,
            "hostname": 10
          },
          "indicator_count": 197,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641ee545cefcbbdf2b35cd2",
          "name": "Black Basta Ransomware Strikes 500+ Entities Across North America, Europe, and Australia",
          "description": "The Black Basta ransomware-as-a-service (RaaS) operation has targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia since its emergence in April 2022.\n\nIn a joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the agencies said the threat actors encrypted and stole data from at least 12 out of 16 critical infrastructure sectors.\n\n\"Black Basta affiliates use common initial access techniques \u2014 such as phishing and exploiting known vulnerabilities \u2014 and then employ a double-extortion model, both encrypting systems and exfiltrating data,\" the bulletin read.",
          "modified": "2024-06-12T10:01:49.904000",
          "created": "2024-05-13T10:41:24.759000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "mitre att",
            "stopransomware",
            "basta",
            "ck techniques",
            "technique title",
            "iocs",
            "powershell",
            "black",
            "cobalt strike",
            "ransomware",
            "cyber",
            "tools",
            "sector",
            "execution",
            "mimikatz",
            "local",
            "april",
            "ransom",
            "download",
            "qakbot",
            "february",
            "psexec",
            "bits",
            "mega",
            "webdav",
            "impact",
            "install"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
            "https://thehackernews.com/2024/05/black-basta-ransomware-strikes-500.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 318,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 56,
            "domain": 96,
            "hostname": 10
          },
          "indicator_count": 202,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 435,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664ae0bba7216fa4c9e46276",
          "name": " #StopRansomware: Black Basta ",
          "description": "",
          "modified": "2024-06-12T09:05:01.533000",
          "created": "2024-05-20T05:33:47.757000",
          "tags": [
            "cve-2021-34527",
            "cve-2021-42278",
            "ransomware",
            "qakbot",
            "encryption",
            "cve-2024-1709",
            "pinkslipbot",
            "quackbot",
            "exfiltration",
            "cve-2021-42287",
            "qbot",
            "phishing",
            "healthcare",
            "cve-2020-1472"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot - S0650",
              "display_name": "QakBot - S0650",
              "target": null
            },
            {
              "id": "Pinkslipbot",
              "display_name": "Pinkslipbot",
              "target": null
            },
            {
              "id": "QuackBot",
              "display_name": "QuackBot",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Healthcare",
            "Public Health"
          ],
          "TLP": "white",
          "cloned_from": "6641de0f085ac4fc0c55aec4",
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 55,
            "domain": 95,
            "hostname": 10
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641b2af1018105ca9e05f71",
          "name": "#StopRansomware: Black Basta | CISA",
          "description": "Ransomware: Black Basta is a new form of cyber-security threat, but what do you know about it and what can you do to protect your personal information from such a threat?",
          "modified": "2024-06-12T06:01:34.035000",
          "created": "2024-05-13T06:26:55.774000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "mitre att",
            "stopransomware",
            "basta",
            "ck techniques",
            "technique title",
            "iocs",
            "powershell",
            "black",
            "cobalt strike",
            "ransomware",
            "cyber",
            "tools",
            "sector",
            "execution",
            "mimikatz",
            "local",
            "april",
            "ransom",
            "download",
            "qakbot",
            "february",
            "psexec",
            "bits",
            "mega",
            "webdav",
            "impact",
            "install"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 56,
            "domain": 96,
            "hostname": 10
          },
          "indicator_count": 202,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664159d753d614e3b46d46c2",
          "name": "#StopRansomware: Black Basta | CISA",
          "description": "Ransomware: Black Basta is a new form of cyber-security threat, but what do you know about it and what can you do to protect your personal information from such a threat?",
          "modified": "2024-06-12T00:07:09.388000",
          "created": "2024-05-13T00:07:51.300000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "mitre att",
            "stopransomware",
            "basta",
            "ck techniques",
            "technique title",
            "iocs",
            "powershell",
            "black",
            "cobalt strike",
            "ransomware",
            "cyber",
            "tools",
            "sector",
            "execution",
            "mimikatz",
            "local",
            "april",
            "ransom",
            "download",
            "qakbot",
            "february",
            "psexec",
            "bits",
            "mega",
            "webdav",
            "impact",
            "install"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 56,
            "domain": 96,
            "hostname": 10
          },
          "indicator_count": 202,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "718 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663e40aa1c52eb7ba90593f1",
          "name": "BlackBasta IOCs",
          "description": "The full list of domain names, domains and IP addresses revealed by the BBC in the wake of the release of a security alert on 22 January 2016:. and here is a summary of them:",
          "modified": "2024-06-09T15:02:02.700000",
          "created": "2024-05-10T15:43:38.327000",
          "tags": [
            "cobalt strike",
            "scpssh",
            "source ip",
            "anydesk",
            "anydesk server",
            "rat c2"
          ],
          "references": [],
          "public": 1,
          "adversary": "BlackBasta",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "kevin.eisenhut",
            "id": "267834",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 95,
            "FileHash-MD5": 3,
            "FileHash-SHA256": 5
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 0,
          "modified_text": "721 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66414ff31fd0ab498c4d78d3",
          "name": "IOC Black Basta - CISA",
          "description": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
          "modified": "2024-06-09T15:02:02.700000",
          "created": "2024-05-12T23:25:39.925000",
          "tags": [
            "cobalt strike",
            "scpssh",
            "source ip",
            "anydesk",
            "anydesk server",
            "rat c2"
          ],
          "references": [],
          "public": 1,
          "adversary": "BlackBasta",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "663e4a5203f0af22aa9295cf",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "sc-otx-generic",
            "id": "194320",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_194320/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 95,
            "FileHash-MD5": 3,
            "FileHash-SHA256": 5
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 35,
          "modified_text": "721 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6642c33d02173a322e2965e3",
          "name": "Black Basta Launches Social Engineering Attack Targeting Organizations",
          "description": "",
          "modified": "2024-05-14T01:49:49.296000",
          "created": "2024-05-14T01:49:49.296000",
          "tags": [
            "cyber threat",
            "time",
            "crypto cyber",
            "defence",
            "hash"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 49,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 57,
            "domain": 93
          },
          "indicator_count": 245,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "747 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cve.org/CVERecord?id=CVE-2021-42278",
        "https://www.cve.org/CVERecord?id=CVE-2024-1709",
        "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
        "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
        "https://www.cve.org/CVERecord?id=CVE-2022-30190",
        "https://www.cve.org/CVERecord?id=CVE-2024-26169",
        "https://thehackernews.com/2024/05/black-basta-ransomware-strikes-500.html",
        "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
        "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
        "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta",
        "https://www.cve.org/CVERecord?id=CVE-2021-34527",
        "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
        "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know",
        "https://www.cisa.gov/sites/default/files/2024-05/AA24-131A-StopRansomware-Black-Basta.stix_.json",
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt",
        "https://dfir-delight.de/p/black-basta-iocs/",
        "https://www.cve.org/CVERecord?id=CVE-2021-42287",
        "https://www.cve.org/CVERecord?id=CVE-2020-1472",
        "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
        "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/black-basta-ransomware-gang-infiltrates-networks-via-qakbot,-brute-ratel-and-cobalt-strike/ioc-black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-cobalt-strike.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Black Basta"
          ],
          "malware_families": [
            "Quackbot",
            "Qakbot - s0650",
            "Pinkslipbot",
            "Qbot"
          ],
          "industries": [
            "Healthcare",
            "Public health"
          ]
        },
        "other": {
          "adversary": [
            "Black Basta",
            "BlackBasta"
          ],
          "malware_families": [
            "Black basta",
            "Ransom:win32/basta",
            "Trojan:win32/basta",
            "Netsupport",
            "Qbot",
            "Basta linux",
            "Alf:backdoor:win32/qbot",
            "Trojandropper:powershell/cobacis",
            "Qakbot",
            "Trojandownloader:o97m/qakbot",
            "Trojan:win32/pinkslipbot",
            "Trojan:win32/quackbot",
            "Conti",
            "Behavior:win32/cobaltstrike",
            "Trojan:win32/qakbot",
            "Primary netsupport",
            "Trojan:win64/turtleloader.cs",
            "Behavior:win32/systembc",
            "Behavior:win32/basta",
            "Backdoor:win64/cobaltstrike",
            "Trojan:win32/qbot",
            "Widespread qbot",
            "Pinkslipbot",
            "Qakbot - s0650",
            "Exploit:win32/shellcode.bn",
            "Trojanspy:win32/qakbot",
            "Cobalt strike",
            "Hacktool:win64/cobaltstrike",
            "Behavior:win32/qakbot",
            "Quackbot",
            "Trojan: win32/systembc"
          ],
          "industries": [
            "Manufacturing",
            "Construction",
            "Emergency services",
            "Finance",
            "Healthcare",
            "Public health",
            "Legal",
            "Transportation",
            "Media",
            "Retail",
            "Technology",
            "Critical infrastructure"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 23,
  "pulses": [
    {
      "id": "6641de0f085ac4fc0c55aec4",
      "name": "StopRansomware: Black Basta",
      "description": "This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Public Health. They gain initial access through phishing and exploiting vulnerabilities, employ double extortion tactics with data exfiltration and encryption, and leverage various tools for lateral movement and privilege escalation. The advisory provides mitigations and recommendations for organizations to protect against this threat.",
      "modified": "2024-06-12T09:05:01.533000",
      "created": "2024-05-13T09:31:59.558000",
      "tags": [
        "cve-2021-34527",
        "cve-2021-42278",
        "ransomware",
        "qakbot",
        "encryption",
        "cve-2024-1709",
        "pinkslipbot",
        "quackbot",
        "exfiltration",
        "cve-2021-42287",
        "qbot",
        "phishing",
        "healthcare",
        "cve-2020-1472"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
      ],
      "public": 1,
      "adversary": "Black Basta",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "QakBot - S0650",
          "display_name": "QakBot - S0650",
          "target": null
        },
        {
          "id": "Pinkslipbot",
          "display_name": "Pinkslipbot",
          "target": null
        },
        {
          "id": "QuackBot",
          "display_name": "QuackBot",
          "target": null
        },
        {
          "id": "QBot",
          "display_name": "QBot",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        }
      ],
      "industries": [
        "Healthcare",
        "Public Health"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4209,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 5,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 55,
        "domain": 95,
        "hostname": 10
      },
      "indicator_count": 198,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386543,
      "modified_text": "718 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6783308fc0b6e2bd8dfb209c",
      "name": "TTC-CERT_blocklist_recommended",
      "description": "",
      "modified": "2026-02-14T00:03:07.406000",
      "created": "2025-01-12T03:01:35.075000",
      "tags": [],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 606,
        "URL": 4,
        "domain": 25122,
        "hostname": 25306
      },
      "indicator_count": 51038,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 185,
      "modified_text": "106 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "663e4a5203f0af22aa9295cf",
      "name": "IOC Basta",
      "description": "",
      "modified": "2025-05-14T13:11:03.272000",
      "created": "2024-05-10T16:24:50.903000",
      "tags": [
        "cobalt strike",
        "scpssh",
        "source ip",
        "anydesk",
        "anydesk server",
        "rat c2"
      ],
      "references": [],
      "public": 1,
      "adversary": "BlackBasta",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "663e40aa1c52eb7ba90593f1",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "3ltrashpanda",
        "id": "253624",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 95,
        "FileHash-MD5": 3,
        "FileHash-SHA256": 5
      },
      "indicator_count": 103,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 8,
      "modified_text": "382 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f73a3f45fa88890276d",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:23.616000",
      "created": "2024-11-24T03:37:23.616000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "553 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f7224d433f384b935c8",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:22.551000",
      "created": "2024-11-24T03:37:22.551000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "553 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6710059101b736e38b9cd2b0",
      "name": "Black Basta",
      "description": "Black Basta is a financially motivated ransomware group that began operations in 2022. It targets organizations across various sectors, including manufacturing, healthcare, and finance, using a double extortion method. The group encrypts victims' systems and threatens to leak stolen data unless a ransom is paid. Their ransomware spreads via phishing campaigns, exploiting vulnerabilities in systems. Black Basta is known for collaborating with other cybercriminals, which enhances the impact and sophistication of their attacks.",
      "modified": "2024-11-15T17:03:59.652000",
      "created": "2024-10-16T18:27:29.179000",
      "tags": [
        "strong",
        "black basta",
        "cisa",
        "powershell",
        "ransomware",
        "cobalt strike",
        "phishing",
        "mimikatz",
        "qakbot",
        "psexec",
        "bits",
        "webdav",
        "winscp",
        "conti",
        "anydesk",
        "quick assist",
        "netsupport",
        "windows",
        "blackbasta",
        "batloader",
        "rclone",
        "vmware esxi",
        "netcat",
        "qbot",
        "emotet",
        "trickbot",
        "pinkslipbot",
        "team",
        "C++",
        "Linux",
        "ChaCha20",
        "RSA-4096",
        "ConnectWise",
        "ZeroLogon",
        "NoPac",
        "PrintNightmare",
        "CVE-2024-1709",
        "CVE-2024-26169",
        "CVE-2020-1472",
        "CVE-2021-42278",
        "CVE-2021-42287",
        "CVE-2021-34527",
        "BITSAdmin",
        "Cobalt Strike",
        "Netcat",
        "ScreenConnect",
        "NetSupport Manager",
        "SystemBC",
        "Qakbot",
        "WMI",
        "RClone",
        "SoftPerfect",
        "BackStab",
        "EvilProxy",
        "Splashtop",
        "WinSCP",
        "C2",
        "CVE-2022-30190",
        "Storm-1811",
        "spear phishing",
        "Coroxy",
        "cobeacon",
        "RaaS",
        "aa24-131a",
        "wandering spider",
        "Conti",
        "wizard spider",
        "BGH"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
        "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know",
        "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
        "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks",
        "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta",
        "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
        "https://www.cve.org/CVERecord?id=CVE-2020-1472",
        "https://www.cve.org/CVERecord?id=CVE-2021-34527",
        "https://www.cve.org/CVERecord?id=CVE-2021-42278",
        "https://www.cve.org/CVERecord?id=CVE-2021-42287",
        "https://www.cve.org/CVERecord?id=CVE-2024-1709",
        "https://www.cve.org/CVERecord?id=CVE-2024-26169",
        "https://www.cve.org/CVERecord?id=CVE-2022-30190",
        "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
        "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
        "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta"
      ],
      "public": 1,
      "adversary": "Black Basta",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Canada",
        "Australia",
        "New Zealand",
        "Japan",
        "France",
        "United Kingdom of Great Britain and Northern Ireland",
        "Italy",
        "Switzerland"
      ],
      "malware_families": [
        {
          "id": "Conti",
          "display_name": "Conti",
          "target": null
        },
        {
          "id": "Qakbot",
          "display_name": "Qakbot",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Black Basta",
          "display_name": "Black Basta",
          "target": null
        },
        {
          "id": "Primary NetSupport",
          "display_name": "Primary NetSupport",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "Basta Linux",
          "display_name": "Basta Linux",
          "target": null
        },
        {
          "id": "Widespread QBot",
          "display_name": "Widespread QBot",
          "target": null
        },
        {
          "id": "Qbot",
          "display_name": "Qbot",
          "target": null
        },
        {
          "id": "TrojanDownloader:O97M/Qakbot",
          "display_name": "TrojanDownloader:O97M/Qakbot",
          "target": "/malware/TrojanDownloader:O97M/Qakbot"
        },
        {
          "id": "Trojan:Win32/QBot",
          "display_name": "Trojan:Win32/QBot",
          "target": "/malware/Trojan:Win32/QBot"
        },
        {
          "id": "Trojan:Win32/Qakbot",
          "display_name": "Trojan:Win32/Qakbot",
          "target": "/malware/Trojan:Win32/Qakbot"
        },
        {
          "id": "TrojanSpy:Win32/Qakbot",
          "display_name": "TrojanSpy:Win32/Qakbot",
          "target": "/malware/TrojanSpy:Win32/Qakbot"
        },
        {
          "id": "Behavior:Win32/Qakbot",
          "display_name": "Behavior:Win32/Qakbot",
          "target": "/malware/Behavior:Win32/Qakbot"
        },
        {
          "id": "Behavior:Win32/Basta",
          "display_name": "Behavior:Win32/Basta",
          "target": "/malware/Behavior:Win32/Basta"
        },
        {
          "id": "Ransom:Win32/Basta",
          "display_name": "Ransom:Win32/Basta",
          "target": "/malware/Ransom:Win32/Basta"
        },
        {
          "id": "Trojan:Win32/Basta",
          "display_name": "Trojan:Win32/Basta",
          "target": "/malware/Trojan:Win32/Basta"
        },
        {
          "id": "Behavior:Win32/CobaltStrike",
          "display_name": "Behavior:Win32/CobaltStrike",
          "target": "/malware/Behavior:Win32/CobaltStrike"
        },
        {
          "id": "Backdoor:Win64/CobaltStrike",
          "display_name": "Backdoor:Win64/CobaltStrike",
          "target": "/malware/Backdoor:Win64/CobaltStrike"
        },
        {
          "id": "HackTool:Win64/CobaltStrike",
          "display_name": "HackTool:Win64/CobaltStrike",
          "target": "/malware/HackTool:Win64/CobaltStrike"
        },
        {
          "id": "TrojanDropper:PowerShell/Cobacis",
          "display_name": "TrojanDropper:PowerShell/Cobacis",
          "target": "/malware/TrojanDropper:PowerShell/Cobacis"
        },
        {
          "id": "Trojan:Win64/TurtleLoader.CS",
          "display_name": "Trojan:Win64/TurtleLoader.CS",
          "target": "/malware/Trojan:Win64/TurtleLoader.CS"
        },
        {
          "id": "Exploit:Win32/ShellCode.BN",
          "display_name": "Exploit:Win32/ShellCode.BN",
          "target": "/malware/Exploit:Win32/ShellCode.BN"
        },
        {
          "id": "Behavior:Win32/SystemBC",
          "display_name": "Behavior:Win32/SystemBC",
          "target": "/malware/Behavior:Win32/SystemBC"
        },
        {
          "id": "Trojan: Win32/SystemBC",
          "display_name": "Trojan: Win32/SystemBC",
          "target": "/malware/Trojan: Win32/SystemBC"
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        }
      ],
      "industries": [
        "Critical Infrastructure",
        "Healthcare",
        "Manufacturing",
        "Construction",
        "Retail",
        "Legal",
        "Finance",
        "Technology",
        "Emergency Services",
        "Media",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 52,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "v0od0o.exe",
        "id": "273579",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 111,
        "FileHash-SHA1": 110,
        "FileHash-SHA256": 148,
        "CVE": 7,
        "domain": 113,
        "hostname": 62,
        "URL": 4
      },
      "indicator_count": 555,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "561 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "670f94e03014212e19fa5a77",
      "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
      "description": "By Helaly",
      "modified": "2024-11-15T10:01:11.688000",
      "created": "2024-10-16T10:26:40.893000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 39659,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Eslam-ElHelaly",
        "id": "259630",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 80,
      "modified_text": "562 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "663e665af0be7711515f63c4",
      "name": "FHS - Black Basta IOCs",
      "description": "TIs from different articles related to the Black Basta Ransomware group.",
      "modified": "2024-10-29T17:15:34.271000",
      "created": "2024-05-10T18:24:26.663000",
      "tags": [
        "incident response",
        "ransomware",
        "forensics",
        "threat intelligence",
        "black basta",
        "iocs",
        "trendmicro",
        "iocsyou",
        "misp event",
        "domains",
        "icmp traffic",
        "c2 endpoint",
        "hvs iocs",
        "misp feed",
        "#StopRansomware: Black Basta"
      ],
      "references": [
        "https://dfir-delight.de/p/black-basta-iocs/",
        "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/black-basta-ransomware-gang-infiltrates-networks-via-qakbot,-brute-ratel-and-cobalt-strike/ioc-black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-cobalt-strike.txt",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 61,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "FHS-Services",
        "id": "51336",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 112,
        "FileHash-MD5": 66,
        "URL": 53,
        "IPv4": 122,
        "FileHash-SHA256": 87,
        "FileHash-SHA1": 54,
        "hostname": 14
      },
      "indicator_count": 508,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "578 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6654138435c5832ca2c4028f",
      "name": "DOH Domains IOCs",
      "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with",
      "modified": "2024-08-26T04:12:43.497000",
      "created": "2024-05-27T05:00:52.918000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fueledbycoffeeDXB",
        "id": "272228",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7,
        "domain": 1335,
        "hostname": 667
      },
      "indicator_count": 2009,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 26,
      "modified_text": "643 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6683bdd1247c16c5855518c7",
      "name": "Domain-URL-IP-Hash-IOC",
      "description": "Updated collection of malicious, malware, phishing, etc. domain, URL, IP and hash indicators",
      "modified": "2024-08-02T07:05:02.060000",
      "created": "2024-07-02T08:44:01.648000",
      "tags": [
        "word"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 286,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Eslam-ElHelaly",
        "id": "259630",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 2521,
        "domain": 8243,
        "email": 7,
        "hostname": 2893
      },
      "indicator_count": 13683,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "667 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "startupbuss.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "startupbuss.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780242187.7238958
}