Crambus: New Campaign Targets Middle Eastern Government
Common Information

Field                             Value
UUID                              7271f875-c3fd-4ee8-8156-02618dc91b36
Fingerprint                       8e41ae40d925d3c0
Analysis status                   DONE
Considered CTI value              2
Text language
Published                         Oct. 19, 2023, midnight
Added to db                       Nov. 19, 2023, 1:04 a.m.
Last updated                      Nov. 17, 2024, 10:40 p.m.
Headline                          Crambus: New Campaign Targets Middle Eastern Government
Title                             Crambus: New Campaign Targets Middle Eastern Government
Detected Hints/Tags/Attributes    101/2/77
Attributes

Type                           #Events  Value
Domain                               1  microsoft.exchange.webservices.data
Domain                             339  system.net
Domain                             149  system.security
Domain                              47  microsoft.exchange
Domain                               3  url.host
Domain                               1  inboxitems.id
Domain                               1  message.torecipients.name
Domain                               3  result.id
Domain                             228  system.io
Domain                               1  directory.name
File                                 2  token.bin
File                                 1  joper.ps1
File                                 1  msssh.exe
File                                 1  mssh.exe
File                                 1  %userprofile%\public directory and was used to forward port 3389 to port 999 on all available interfaces: csidl_profile\public\plink.exe
File                                 1  p2.bat
File                                 1  001.txt
File                                 9  p.bat
File                                28  plink.exe
File                                 1  telecomm.exe
File                                 1  hwf.ps1
File                                 1  zone.ps1
File                                 1  setapp.ps1
File                                 1  pl.bat
File                                 1  virtpackage.exe
File                                 1  poluniq.exe
File                                 2  copy.ps1
File                                 1  tnc.ps1
File                                76  netsh.exe
File                                 1  m.obj
File                               256  net.exe
File                                 9  adobe.exe
File                                 1  fs-tool.exe
File                                 1  usbpcapcmd.exe
File                                30  dumpcap.exe
File                               165  reg.exe
File                              2126  cmd.exe
File                                 1  webservices.dat
File                                 1  actions.mov
File                                13  webservices.dll
File                                 1  ewserror.txt
File                                 1  exchangeservice.url
File                                12  document.txt
sha256                               1  4d04ad9d3c3abeb61668e52a52a37a46c1a60bc8f29f12b76ff9f580caeefba8
sha256                               1  41672b08e6e49231aedf58123a46ed7334cafaad054f2fd5b1e0c1d5519fd532
sha256                               1  497e1c76ed43bcf334557c64e1a9213976cd7df159d695dcc19c1ca3d421b9bc
sha256                               2  75878356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372
sha256                               1  d884b3178fc97d1077a13d47aadf63081559817f499163c2dc29f6828ee08cae
sha256                               1  a1a633c752be619d5984d02d4724d9984463aa1de0ea1375efda29cadb73355a
sha256                               1  22df38f5441dec57e7d7c2e1a38901514d3f55203b2890dc38d2942f1e4bc100
sha256                               1  159b07668073e6cd656ad7e3822db997d5a8389a28c439757eb60ba68eaff70f
sha256                               1  6964f4c6fbfb77d50356c2ee944f7ec6848d93f05a35da6c1acb714468a30147
sha256                               1  661c9535d9e08a3f5e8ade7c31d5017519af2101786de046a4686bf8a5a911ff
sha256                               1  db1cbe1d85a112caf035fd5d4babfb59b2ca93411e864066e60a61ec8fe27368
sha256                               1  497978a120f1118d293906524262da64b15545ee38dc0f6c10dbff3bd9c0bac2
sha256                               1  6b9f60dc91fbee3aecb4a875e24af38c97d3011fb23ace6f34283a73349c4681
sha256                               1  be6d631fb2ff8abe22c5d48035534d0dede4abfd8c37b1d6cbf61b005d1959c1
sha256                               1  6bad09944b3340947d2b39640b0e04c7b697a9ce70c7e47bc2276ed825e74a2a
sha256                               1  ba620b91bef388239f3078ecdcc9398318fd8465288f74b4110b2a463499ba08
sha256                               1  d0bfdb5f0de097e4460c13bc333755958fb30d4cb22e5f4475731ad1bdd579ec
sha256                               1  5a803bfe951fbde6d6b23401c4fd1267b03f09d3907ef83df6cc25373c11a11a
sha256                               1  1698f9797f059c4b30f636d16528ed3dd2b4f8290e67eb03e26181e91a3d7c3b
sha256                               1  23db83aa81de19443cafe14c9c0982c511a635a731d6df56a290701c83dae9c7
sha256                               1  41ff7571d291c421049bfbd8d6d3c51b0a380db3b604cef294c1edfd465978d9
sha256                               1  c488127b3384322f636b2a213f6f7b5fdaa6545a27d550995dbf3f32e22424bf
sha256                               1  927327bdce2f577b1ee19aa3ef72c06f7d6c2ecd5f08acc986052452a807caf2
sha256                               1  a6365e7a733cfe3fa5315d5f9624f56707525bbf559d97c66dbe821fae83c9e9
sha256                               1  c3ac52c9572f028d084f68f6877bf789204a6a0495962a12ee2402f66394a918
sha256                               1  7e107fdd6ea33ddc75c1b75fdf7a99d66e4739b4be232ff5574bf0e116bc6c05
IPv4                                 1  151.236.19.91
IPv4                               619  0.0.0.0
IPv4                              1441  127.0.0.1
IPv4                                 1  78.47.218.106
IPv4                                 1  10.75.45.222
IPv4                                 1  91.132.92.90
Threat Actor Identifier - APT      258  APT34
Windows Registry Key                 1  HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal