Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware | Rapid7 Blog
Tags
cmtmf-attack-pattern: Develop Capabilities, Network Denial Of Service, Process Injection
maec-delivery-vectors: Watering Hole
attack-pattern: Data Direct Botnet - T1583.005, Botnet - T1584.005, Clipboard Data - T1414, Code Signing - T1553.002, Credentials - T1589.001, Develop Capabilities - T1587, Domains - T1583.001, Domains - T1584.001, Hardware - T1592.001, Hooking - T1617, Input Capture - T1417, Ip Addresses - T1590.005, Network Denial Of Service - T1464, Kerberoasting - T1558.003, Keylogging - T1056.001, Keylogging - T1417.001, Malware - T1587.001, Malware - T1588.001, Msbuild - T1127.001, Network Denial Of Service - T1498, Phishing - T1660, Phishing - T1566, Portable Executable Injection - T1055.002, Powershell - T1059.001, Process Hollowing - T1055.012, Process Injection - T1631, Protocol Tunneling - T1572, Reflective Code Loading - T1620, Remote Access Software - T1663, Rundll32 - T1218.011, Scheduled Task - T1053.005, Server - T1583.004, Server - T1584.004, Sharepoint - T1213.002, Software - T1592.002, Spearphishing Voice - T1566.004, Spearphishing Voice - T1598.004, Ssh - T1021.004, Steal Or Forge Authentication Certificates - T1649, Steal Or Forge Kerberos Tickets - T1558, Tool - T1588.002, Clipboard Data - T1115, Code Signing - T1116, Connection Proxy - T1090, Deobfuscate/Decode Files Or Information - T1140, Hooking - T1179, Input Capture - T1056, Kerberoasting - T1208, Powershell - T1086, Process Hollowing - T1093, Process Injection - T1055, Remote Access Tools - T1219, Rundll32 - T1085, Scheduled Task - T1053, System Owner/User Discovery - T1033, Hooking
Common Information
Type Value
UUID bab1db1d-429a-4f0b-9d80-d4b8e6f9394b
Fingerprint 2424893b85b7864d
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 4, 2024, 3:45 p.m.
Added to db Dec. 4, 2024, 4:47 p.m.
Last updated Dec. 20, 2024, 11:31 a.m.
Headline Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Title Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware | Rapid7 Blog
Detected Hints/Tags/Attributes 147/3/71
RSS Feed
Id   Enabled   Feed title                   Url                             Added to db
50             Rapid7 Cybersecurity Blog    https://blog.rapid7.com/rss/    2024-08-30 22:08
Attributes
Type                      #Events   Value
Domain                          1   tenantsubdomain.onmicrosoft.com
Domain                          2   cofincafe.com
Domain                         13   anydesk.com
Domain                        307   microsoft.net
Domain                        131   ipinfo.io
Email                           1   username@tenantsubdomain.onmicrosoft.com
Email                           1   username@cofincafe.com
File                            6   antispam.exe
File                         1099   rundll32.exe
File                            8   123.txt
File                            2   qwertyuio.txt
File                            2   171024_v1us.zip
File                            2   171124_v15.zip
File                            6   safestore.dll
File                            2   eventcloud.dll
File                         2313   cmd.exe
File                          571   ntdll.dll
File                           82   gdi32.dll
File                          313   user32.dll
File                           86   msvcrt.dll
File                           16   ucrtbase.dll
File                           34   comctl32.dll
File                          242   advapi32.dll
File                          809   kernel32.dll
File                            3   identity.jar
File                            3   syncsuite.exe
File                          136   msedge.exe
File                            3   test.vbs
File                            2   safefilter.exe
File                            1   c:\programdata\hedfdfd\autoit3.exe
File                            1   c:\temp\cred.txt
File                           15   c.txt
File                           14   cc.txt
File                            2   fs.txt
File                            2   updatecore.exe
File                           19   microsoftedgeupdate.exe
File                          164   msbuild.exe
File                           38   autoit3.exe
File                         1348   powershell.exe
File                           15   sitemanager.xml
File                           39   recentservers.xml
File                          111   test.txt
File                            5   autohotkey.exe
File                           37   libcurl.dll
File                           27   gup.exe
File                            1   c:\temp  and then executes  gup.exe
File                            4   ransom.txt
File                           11   decrypter.exe
sha256                          3   3b7e06f1ccaa207dc331afd6f91e284fec4b826c3c427dffd0432fdc48d55176
sha256                          5   db34e255aa4d9f4e54461571469b9dd53e49feed3d238b6cfb49082de0afb1e4
sha256                          3   ef28a572cda7319047fbc918d60f71c124a038cd18a02000c7ab413677c5c161
IPv4                            8   2.9.4.0
IPv4                            5   179.60.149.194
IPv4                         1566   127.0.0.1
MITRE ATT&CK Techniques       104   T1587.001
MITRE ATT&CK Techniques        62   T1498
MITRE ATT&CK Techniques         5   T1566.004
MITRE ATT&CK Techniques       528   T1140
MITRE ATT&CK Techniques        46   T1055.002
MITRE ATT&CK Techniques        97   T1620
MITRE ATT&CK Techniques         7   T1649
MITRE ATT&CK Techniques       132   T1056.001
MITRE ATT&CK Techniques        40   T1558.003
MITRE ATT&CK Techniques       245   T1033
MITRE ATT&CK Techniques       101   T1572
MITRE ATT&CK Techniques       148   T1219
Url                             6   https://ipinfo.io/ip
Windows Registry Key          198   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Registry Key           52   HKLM\Software\Microsoft\Windows
Windows Registry Key           27   HKCU\Software\Microsoft
Windows Registry Key            6   HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0