ioc[.]one - OSINT Cyber Threat Intelligence Database

MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign

Tags

country:	Azerbaijan Jordan Israel Saudi Arabia
attack-pattern:	Data Email Accounts - T1585.002 Email Accounts - T1586.002 Exploits - T1587.004 Exploits - T1588.005 Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Scheduled Task - T1053.005 Sharepoint - T1213.002 Software - T1592.002 Tool - T1588.002 Powershell - T1086 Scheduled Task - T1053

Show in Graph

Common Information

Type	Value
UUID	1deded55-2e64-494b-8058-713b1571b542
Fingerprint	b5d00398a5bf07cb
Analysis status	DONE
Considered CTI value	2
Text language
Published	July 15, 2024, 7:38 p.m.
Added to db	Aug. 31, 2024, 1:51 a.m.
Last updated	Nov. 17, 2024, 5:58 p.m.
Headline	MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign
Title	MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign
Detected Hints/Tags/Attributes	70/2/15

Source URLs

	Redirection	Url
Details	Source	https://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/

URL Provider

Details	Provider	Source level domain
Details	sekoia.io	blog.sekoia.io

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	59	✔	Sekoia.io Blog	https://blog.sekoia.io/feed/	2024-08-30 22:08

Attributes

Details	Type	#Events	CTI	Value
Details	Domain	118		sekoia.io
Details	Email	18		tdr@sekoia.io
Details	File	748		kernel32.dll
Details	File	229		advapi32.dll
Details	File	86		ole32.dll
Details	File	130		ws2_32.dll
Details	File	1		c:\programdata\softwarememory directory with the name documentsmanagerreporter.exe
Details	File	6		schtask.exe
Details	sha256	4		94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472
Details	sha256	4		b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca
Details	sha256	4		73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e
Details	sha256	4		960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809
Details	IPv4	2		91.235.234.202
Details	IPv4	4		146.19.143.14
Details	Threat Actor Identifier - APT	166		APT31