Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel and Cobalt Strike (IOCs)

SHA-256 hashes and detection names
----------------------------------------------------------------

QAKBOT Loader
----------------------------------------------------------------
01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f  TrojanSpy.Win32.QAKBOT.SMYXCFJZ
2d1e93d28bf349a412bda7668536c4dc197cb12e020a5355f2d305ecac3ba458  Trojan.Win32.QAKBOT.YXCJJ
f56d25cf9f20f2040b2ec14f769f36aa14819f56f6b254c0831c9b2a024b8c8d  Trojan.Win32.QAKBOT.YXCJD

QAKBOT ISO File
----------------------------------------------------------------
582a5e2b2652284ebb486bf6a367aaa6bb817c856f08ef54db64c6994c5b91bd  Trojan.Win32.QAKBOT.YACIW
f32b4407f51f1407bf4261c49ad940712b0e3777a5f7365ba6b485a163361d3b  Trojan.Win32.QAKBOT.YACJD
a0a0f07ffbede4772ef04ce7c7e98b77ad0d5e2b2f391d8d26dcc96c289469c4  Trojan.Win32.QAKBOT.YACJD

QAKBOT LNK File
----------------------------------------------------------------
e9e214f7338c6baefd2a76ee66f5fadb0b504718ea3cebc65da7a43a5ff819a4  Trojan.LNK.QAKBOT.YACIW
a0a0f07ffbede4772ef04ce7c7e98b77ad0d5e2b2f391d8d26dcc96c289469c4  Trojan.LNK.QAKBOT.YXCJJ

QAKBOT Script File
----------------------------------------------------------------
d44b05b248f95986211ab3dc2765f1d76683594a174984c8b801bd7eade8aa47  Trojan.BAT.QAKBOT.YACIW

QAKBOT JScript File
----------------------------------------------------------------
06c4c4d100e9a7c79e2ee8c4ffa1f7ad165a014f5f14f90ddfc730527c564e35  Trojan.JS.QAKBOT.YACIW

QAKBOT VBS File
----------------------------------------------------------------
5510ff3cb4b8b344b0ee70b80266d3b497afd9ec423183917983e8bb36ff7c25  Trojan.JS.QAKBOT.YXCJJ

QAKBOT CMD File
----------------------------------------------------------------
e69c96fc8c81c12b9101fcb67e6811b3c46b9c79de7087ac34aa1f95be9c7c1a  Trojan.Win32.QAKBOT.YXCJJ

Brute Ratel DLL
----------------------------------------------------------------
62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967  Backdoor.Win64.BRUTEL.YXCIW

Cobalt Strike DLL
----------------------------------------------------------------
ab88d558ff0ae35860f6ba1ceab6ec3302ace9dc7e957940c053f85b4dc17e78  Backdoor.Win64.COBEACON.YXCJE
726bce40d17b3f9b245af6b78251469b89cde4d3428187f5c11ed4c3f5b58ed4  Backdoor.Win64.COBEACON.YXCJE
a7d6cd8209eea40a9bcf32e923b7723d8724895f5d1084605a64651c3a811b03  Backdoor.Win64.COBEACON.YXCJE
94392d757ba3526c3dcd5c3ddcb3f005c6330ef075dc246d08a8b79e017c0c01  Backdoor.Win64.COBEACON.YXCJE
9efbc691d53ea9aa1eef245da23e197310bf266b0223ae1af8035bf854782edd  Backdoor.Win64.COBEACON.YXCJE
c545541fecd97b2c46ab0c6db25a2f87b48ffadbd2c75ad65c7ce2781a8de491  Backdoor.Win64.COBEACON.YXCJE
a0adcd303fdff7747ab93df07b0722eab9890ba9deab7d322f077d6774ef6bc0  Backdoor.Win64.COBEACON.YXCJE
66ff672282b02f4796e006f2cfef125cccfd542b65eb3fbc728badf09cb94202  Backdoor.Win64.COBEACON.YXCJE
74da9610cb92a5a6fc15c856d3af73ff2b069f23d5a9712e48b6fd40b52fc744  Backdoor.Win64.COBEACON.YXCJE
6f9e9137a014b29f47722dbbb7a290eff11a9da3226af01bb2ecb78116dcb607  Backdoor.Win64.COBEACON.YXCJE
1751c378e2b14bd6238c3189e13501d191c117fdfe65e4e0ea1cb5829cce2bb9  Backdoor.Win64.COBEACON.YXCJE

QAKBOT HTML Page
----------------------------------------------------------------
16738ffeb00a849af4f24b6faee00d9d8e2b0247621d01718895dac5cc99fd8a  Trojan.HTML.QAKBOT.YACJD

Brute Ratel DLL
----------------------------------------------------------------
64a95de2783a97160bac6914ee07a42cdd154a0e33abc3b1b62c7bafdce24c0c  Backdoor.Win64.BRUTEL.YACJD
54e844b5ae4a056ca8df4ca7299249c4910374d64261c83ac55e5fdf1b59f01d  Backdoor.Win64.BRUTEL.YACJD

Brute Ratel EXE
----------------------------------------------------------------
01af5478e290bfcd23eeb39ff3af8802ab11a410038cae957ccb56de45d90ac0  Backdoor.Win64.BRUTEL.YACJD
f2fe89d8de9dc29ddca56918beb652df1b3d44218bf5e084c4d0de7325ec54f5  Backdoor.Win64.BRUTEL.YXCJG

Black Basta related samples
----------------------------------------------------------------
31103788fae9b988d9d4362b848249b49ea60e15fc5982f26b13447064a13325  Ransom.Win32.BLACKBASTA.SMYXCEP
ce01002614eb7029131a73769db721ac68ef47989d7a8022980d3ae22c82b6f7  Ransom.Win32.BLACKBASTA.SMYXCEP
48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb  Ransom.Win32.BLACKBASTA.SMYXCEP

URLs and IP Addresses
----------------------------------------------------------------

QAKBOT “BB” C&C servers
----------------------------------------------------------------
197[.]204[.]227[.]155:443
123[.]23[.]64[.]230:443
173[.]218[.]180[.]91:443
111[.]125[.]157[.]230:443
70[.]49[.]33[.]200:2222
149[.]28[.]38[.]16:995
86[.]132[.]13[.]105:2078
149[.]28[.]38[.]16:443
45[.]77[.]159[.]252:995
45[.]77[.]159[.]252:443
149[.]28[.]63[.]197:995
144[.]202[.]15[.]58:443
45[.]63[.]10[.]144:443
45[.]63[.]10[.]144:995
149[.]28[.]63[.]197:443
144[.]202[.]15[.]58:995
39[.]121[.]226[.]109:443
177[.]255[.]14[.]99:995
134[.]35[.]10[.]30:443
99[.]232[.]140[.]205:2222
180[.]180[.]132[.]100:443
86[.]176[.]180[.]223:993
41[.]98[.]11[.]74:443
196[.]64[.]230[.]149:8443
68[.]224[.]229[.]42:443
41[.]111[.]72[.]234:995
196[.]64[.]237[.]130:443
190[.]44[.]40[.]48:995
70[.]51[.]132[.]197:2222
88[.]232[.]207[.]24:443
115[.]247[.]12[.]66:443
189[.]19[.]189[.]222:32101
72[.]88[.]245[.]71:443
217[.]165[.]97[.]141:993
191[.]97[.]234[.]238:995
119[.]82[.]111[.]158:443
88[.]237[.]6[.]72:53
100[.]1[.]5[.]250:995
96[.]234[.]66[.]76:995
186[.]64[.]67[.]34:443
66[.]181[.]164[.]43:443
193[.]3[.]19[.]37:443
197[.]94[.]84[.]128:443
41[.]96[.]130[.]46:80
187[.]205[.]222[.]100:443
139[.]228[.]33[.]176:2222
88[.]245[.]168[.]200:2222
110[.]4[.]255[.]247:443
89[.]211[.]217[.]38:995

QAKBOT “Obama” C&C servers
----------------------------------------------------------------
23[.]225[.]104[.]250
186[.]125[.]93[.]28
149[.]126[.]159[.]254
189[.]79[.]27[.]174
41[.]96[.]18[.]5
197[.]204[.]126[.]136
105[.]108[.]255[.]165
41[.]105[.]54[.]8
78[.]162[.]213[.]155
154[.]183[.]135[.]35
41[.]108[.]175[.]56
94[.]52[.]127[.]44
160[.]179[.]220[.]87

Brute Ratel C&C servers
----------------------------------------------------------------
symantecuptimehost[.]com
sentisupport[.]com
near-org[.]top
teenieshopus[.]com

Cobalt Strike C&C servers
----------------------------------------------------------------
hxxps://fewifasoc[.]com | 45[.]153[.]242[.]251
hxxps://hadujaza[.]com | 45[.]153[.]241[.]88
hxxps://himiketiv[.]com | 45[.]153[.]241[.]64
hxxps://davalibapa[.]com | 45[.]153[.]242[.]250

QAKBOT phishing domains
----------------------------------------------------------------
halasaloon[.]com
edmor-p[.]com
growin[.]ro
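The list above is defanged (`[.]`, `hxxps://`) so it cannot be clicked or resolved by accident, which also means it cannot be grepped against raw telemetry as-is. The following is an added example, not part of the original IOC list or any Trend Micro tooling: it parses an excerpt of the appendix in exactly the format used above, refangs each value, buckets it by type (SHA-256, IP with optional port, hostname), and sweeps a handful of constructed proxy, DNS and EDR log lines for matches. The log lines, the function names and the excerpt selection are assumptions for illustration; the IOC values themselves are taken from the list above.

```python
import re

# Constructed excerpt of the appendix above, kept in the page's own defanged format
# so parse_iocs() can be pointed at the full list unchanged.
SAMPLE_IOC_TEXT = """\
Brute Ratel DLL
----------------------------------------------------------------
62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967 Backdoor.Win64.BRUTEL.YXCIW
QAKBOT "BB" C&C servers
----------------------------------------------------------------
149[.]28[.]38[.]16:995
88[.]237[.]6[.]72:53
Cobalt Strike C&C servers
----------------------------------------------------------------
hxxps://fewifasoc[.]com | 45[.]153[.]242[.]251
QAKBOT phishing domains
----------------------------------------------------------------
halasaloon[.]com
"""

# Constructed log lines (proxy, DNS, EDR); not real telemetry. Line 4 is a deliberate
# near miss (45.153.242.25 vs the IOC 45.153.242.251) to exercise boundary handling.
SAMPLE_LOGS = [
    "2022-10-12T10:01:02Z proxy src=10.0.0.5 dst=149.28.38.16:995 action=allow",
    "2022-10-12T10:03:15Z dns client=10.0.0.7 query=halasaloon.com type=A",
    "2022-10-12T10:05:00Z edr host=WS01 event=load path=C:\\Users\\a\\AppData\\Local\\Temp\\x.dll "
    "sha256=62CB24967C6CE18D35D2A23EBED4217889D796CF7799D9075C1AA7752B8D3967",
    "2022-10-12T10:06:00Z dns client=10.0.0.7 query=example.com type=A",
    "2022-10-12T10:07:30Z proxy src=10.0.0.9 dst=45.153.242.25:443 action=allow",
    "2022-10-12T10:08:00Z proxy src=10.0.0.9 url=https://fewifasoc.com/updates dst=45.153.242.251:443 action=allow",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
# Lowercase only: detection names such as Backdoor.Win64.BRUTEL.YXCIW contain
# uppercase and therefore never classify as hostnames.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def refang(token):
    """Undo the list's defanging so a value can be compared with raw telemetry."""
    return (token.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def parse_iocs(text):
    """Bucket every recognisable IOC in the appendix text by type.

    Section headers, separator rows and detection names are tokens that match
    no pattern, so they fall through without any special casing.
    """
    iocs = {"hashes": set(), "ips": {}, "domains": set()}
    for line in text.splitlines():
        for token in line.replace("|", " ").split():
            token = refang(token)
            if SHA256_RE.match(token):
                iocs["hashes"].add(token.lower())
                continue
            m = IP_PORT_RE.match(token)
            if m:
                ports = iocs["ips"].setdefault(m.group(1), set())
                if m.group(2):
                    ports.add(int(m.group(2)))
                continue
            if token.startswith(("http://", "https://")):
                token = token.split("://", 1)[1].split("/", 1)[0]  # keep the host only
            if DOMAIN_RE.match(token):
                iocs["domains"].add(token)
    return iocs


def sweep(iocs, lines):
    """Return (line_index, kind, value) for every IOC found in the log lines.

    Boundaries matter: 45.153.242.25 must not match 45.153.242.251, and a
    hostname must match inside a URL but not as a fragment of a longer label.
    """
    ip_res = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in iocs["ips"]}
    dom_res = {d: re.compile(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", re.I) for d in iocs["domains"]}
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        for h in sorted(iocs["hashes"]):
            if h in low:
                hits.append((i, "sha256", h))
        for ip in sorted(iocs["ips"]):
            if ip_res[ip].search(line):
                hits.append((i, "ip", ip))
        for d in sorted(iocs["domains"]):
            if dom_res[d].search(line):
                hits.append((i, "domain", d))
    return hits


if __name__ == "__main__":
    for hit in sweep(parse_iocs(SAMPLE_IOC_TEXT), SAMPLE_LOGS):
        print(hit)
```

Matching is done on the host only, so a beacon to `https://fewifasoc.com/updates` is caught even though the list gives just the bare domain, and the port recorded for each QAKBOT address is kept alongside the IP rather than required, since the same address appears in the list on more than one port.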