Earth Vetala MuddyWater Continues to Target Organizations in the Middle East
Common Information
Type Value
UUID adf6e3ec-707d-4312-a5ec-e32f51e1abc6
Fingerprint bd4d8dc3e227e989
Analysis status DONE
Considered CTI value 2
Text language
Published March 5, 2021, midnight
Added to db Oct. 15, 2024, 5:46 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East
Title Earth Vetala MuddyWater Continues to Target Organizations in the Middle East
Detected Hints/Tags/Attributes 122/4/82
Attributes

Type | #Events | Value
Domain | 1 | id.remoteutilities.com
Domain | 3 | instance-sy9at2-relay.screenconnect.com
File (typed as Domain on the source page; same attribute as the File row below) | 14 | pyinstxtractor.py
Detection name (typed as Domain on the source page) | 1 | hacktool.win64.passdump.ac
Detection name (typed as Domain on the source page) | 1 | hacktool.win64.lazagne.ag
File | 269 | msiexec.exe
File | 2126 | cmd.exe
File | 1208 | powershell.exe
File | 9 | a.ps1
File | 2 | sharpchisel.exe
File | 1 | c:\programdata\sharpchisel.exe
File | 26 | procdump64.exe
File | 2 | c:\programdata\procdump64.exe
File | 1 | c:\programdate\1.exe
File | 1 | c:\users\public\new.exe
File | 1 | c:\users\public\out1.exe
File | 1 | out1.exe
File | 14 | pyinstxtractor.py
File | 1 | c:\users\public\browser64.exe
File | 1 | browser64.exe
File | 47 | index.jsp
File | 376 | wscript.exe
File | 1 | news.js
File | 1 | newsblog.js
File | 4 | hacktool.msi
File | 2 | pd64.dll
File | 1 | win64.pas
File | 2 | passworddumper.exe
File | 52 | trojan.js
File | 11 | new.exe
File | 156 | 1.exe
File | 1 | إلکترونیة.pdf
File | 15 | trojan.pdf
File | 1 | إلکترونیة.exe
File | 1 | برنامج.zip
File | 1 | برنامجدولیة.zip
File | 1 | مجانية.zip
File | 1 | مکتالمنحالدراسیة.zip
File | 1 | الدرایةس.exe
md5 | 1 | deb2b1a127c472229babbb8dc2dca1c2
md5 | 1 | 7e95a3d753cc4a17793ef9513e030b49
sha256 | 1 | b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf
sha256 | 2 | 61f83466b512eb12fc82441259a5205f076254546a7726a2e3e983011898e4e2
sha256 | 2 | ccdddd1ebf3c5de2e68b4dcb8fbc7d4ed32e8f39f6fdf71ac022a7b4d0aa4131
sha256 | 1 | 0cd6f593cc58ba3ac40f9803d97a6162a308ec3caa53e1ea1ce7f977f2e667d3
sha256 | 1 | 79fd822627b72bd2fbe9eae43cf98c99c2ecaa5649b7a3a4cfdc3ef8f977f2e6
sha256 | 1 | 304ea86131c4d105d35ebbf2784d44ea24f0328fb483db29b7ad5ffe514454f8
sha256 | 1 | fb414beebfb9ecbc6cb9b35c1d2adc48102529d358c7a8997e903923f7eda1a2
sha256 | 1 | 3495b0a6508f1af0f95906efeba36148296dccd2ab8ffb4e569254b683584fea
sha256 | 1 | 78b1ab1b8196dc236fa6ad4014dd6add142b3cab583e116da7e8886bc47a7347
sha256 | 1 | 70cab18770795ea23e15851fa49be03314dc081fc44cdf76e8f0c9b889515c1b
sha256 | 1 | 468e331fd3f9c41399e3e90f6fe033379ab69ced5e11b35665790d4a4b7cf254
sha256 | 1 | f865531608a4150ea5d77ef3dd148209881fc8d831b2cfb8ca95ceb5868e1393
sha256 | 1 | f664670044dbd967ff9a5d8d8f345be294053e0bae80886cc275f105d8e7a376
sha256 | 1 | 8bee2012e1f79d882ae635a82b65f88eaf053498a6b268c594b0d7d601b1212f
sha256 | 1 | 9b345d2d9f52cda989a0780acadf45350b423957fb7b7668b9193afca3e0cd27
sha256 | 1 | 5e2642f33115c3505bb1d83b137e7f2b18e141930975636e6230cdd4292990dd
sha256 | 1 | 3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b
IPv4 | 1 | 51.68.244.39
IPv4 | 2 | 87.236.212.184
IPv4 | 1 | 187.236.212.184
IPv4 | 1441 | 127.0.0.1
IPv4 | 1 | 23.95.215.100
IPv4 | 1 | 23.94.50.197
Mandiant temporary group assumption | 29 | TEMP.ZAGROS
MITRE ATT&CK technique | 21 | T1583.006 (Acquire Infrastructure: Web Services)
MITRE ATT&CK technique | 310 | T1566.001 (Phishing: Spearphishing Attachment)
MITRE ATT&CK technique | 460 | T1059.001 (Command and Scripting Interpreter: PowerShell)
MITRE ATT&CK technique | 333 | T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
MITRE ATT&CK technique | 137 | T1059.005 (Command and Scripting Interpreter: Visual Basic)
MITRE ATT&CK technique | 106 | T1204.001 (User Execution: Malicious Link)
MITRE ATT&CK technique | 365 | T1204.002 (User Execution: Malicious File)
MITRE ATT&CK technique | 380 | T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
MITRE ATT&CK technique | 99 | T1087.002 (Account Discovery: Domain Account)
MITRE ATT&CK technique | 125 | T1555.003 (Credentials from Password Stores: Credentials from Web Browsers)
MITRE ATT&CK technique | 99 | T1132.001 (Data Encoding: Standard Encoding)
MITRE ATT&CK technique | 504 | T1140 (Deobfuscate/Decode Files or Information)
Url | 1 | http://87.236.212.184/sharpchisel.exe
Url | 1 | http://87.236.212.184/procdump64.exe
Url | 1 | http://87.236.212.184/out1
Url | 1 | http://23.94.50.197:444/index.jsp/deb2b1a127c472229babbb8dc2dca1c2/qpkb49mivezadai1
Url | 1 | http://23.95.215.100:8008/index.jsp/7e95a3d753cc4a17793ef9513e030b49/4t2fg7k6wwrnkgd9

Notes on the attribute table

The #Events column counts how many entries in the whole database carry the attribute, not how many times it occurs in this report. The File rows cmd.exe, powershell.exe, wscript.exe, msiexec.exe and index.jsp, and the IPv4 row 127.0.0.1, are legitimate Windows binaries or the loopback address; their high counts reflect that, and they carry no indicator value on their own. Use them only as context (for example, wscript.exe launching news.js or newsblog.js), never as block-list entries. The generic names 1.exe and new.exe are only meaningful together with the staging paths the table shows them in (c:\programdata\ and c:\users\public\).

The 32-character hexadecimal segment in each index.jsp URL equals one of the two md5 values listed (deb2b1a1... in the 23.94.50.197 URL, 7e95a3d7... in the 23.95.215.100 URL), so the URL path appears to carry the hash of the sample that is checking in.

Two values look like extraction artefacts rather than indicators: 187.236.212.184 appears once and differs from 87.236.212.184 only by a leading digit, and the sha256 beginning 79fd8226 ends with the eight characters f977f2e6, which also occur near the end of the preceding hash (...ce7f977f2e667d3). Confirm both against the original report before acting on them.
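As an added example, not code from the original page or from the report it summarises, the following Python matches the network and file indicators listed above against proxy and process-creation log lines. The key=value log format, the field names (url=, image=, cmdline=), the sample lines and the hit categories are assumptions made for the example; the sample lines are constructed, not real telemetry. The system binaries (cmd.exe, powershell.exe, wscript.exe, msiexec.exe) and the loopback address are deliberately excluded, and 187.236.212.184 is left out because it appears once and differs from 87.236.212.184 only by a leading digit.

```python
"""Added example: match the Earth Vetala / MuddyWater indicators listed above
against log lines. Not part of the original page or the underlying report.

Assumptions (not from the page): a key=value log format with url= and image=
fields, and the constructed sample lines at the bottom.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- indicators copied from the attribute table above -------------------------
IOC_IPS = ("87.236.212.184", "23.95.215.100", "23.94.50.197", "51.68.244.39")
IOC_DOMAINS = ("id.remoteutilities.com", "instance-sy9at2-relay.screenconnect.com")
# Both index.jsp URLs on the page have the shape /index.jsp/<32 hex>/<token>,
# and the 32-hex segment equals one of the two md5 values listed.
KNOWN_MD5 = {"deb2b1a127c472229babbb8dc2dca1c2", "7e95a3d753cc4a17793ef9513e030b49"}
C2_PATH_RE = re.compile(r"/index\.jsp/([0-9a-f]{32})/([a-z0-9]+)", re.IGNORECASE)
# Tool and payload names from the File rows. cmd.exe, powershell.exe, wscript.exe
# and msiexec.exe are left out: they are system binaries, not indicators.
IOC_FILES = {"sharpchisel.exe", "procdump64.exe", "out1.exe", "browser64.exe",
             "passworddumper.exe", "pd64.dll", "hacktool.msi", "news.js", "newsblog.js"}
# Generic names the page lists (1.exe, new.exe) only count when they run from the
# staging directories the page shows them in.
GENERIC_NAMES = {"1.exe", "new.exe"}
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str


def scan_network(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs for IPs, domains and the C2 path shape in one proxy/DNS line."""
    hits: list[tuple[str, str]] = []
    for ip in IOC_IPS:
        # Lookarounds stop 87.236.212.184 matching inside 187.236.212.184.
        if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line):
            hits.append(("ip", ip))
    lowered = line.lower()
    for domain in IOC_DOMAINS:
        if domain in lowered:
            hits.append(("domain", domain))
    m = C2_PATH_RE.search(line)
    if m:
        kind = "c2_path_known_md5" if m.group(1).lower() in KNOWN_MD5 else "c2_path_shape"
        hits.append((kind, m.group(0)))
    return hits


def scan_process(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs for staged tools and staging-directory executions."""
    hits: list[tuple[str, str]] = []
    m = re.search(r"image=(\S+)", line.lower())
    if not m:
        return hits
    image = m.group(1)
    name = image.rsplit("\\", 1)[-1]
    in_drop_dir = image.startswith(DROP_DIRS)
    if name in IOC_FILES:
        hits.append(("file", name))
    elif name in GENERIC_NAMES and in_drop_dir:
        hits.append(("generic_file_in_drop_dir", image))
    if in_drop_dir and name.endswith((".exe", ".dll")):
        hits.append(("drop_dir_exec", image))
    return hits


def scan_logs(lines, scanner) -> list[Hit]:
    """Run one scanner over every line, keeping a 1-based line number with each hit."""
    return [Hit(n, kind, ind) for n, line in enumerate(lines, 1) for kind, ind in scanner(line)]


# Constructed sample lines (not real telemetry) built from the IOCs on the page.
PROXY_LOG = [
    "2021-03-02T10:14:03Z src=10.0.0.5 url=http://23.94.50.197:444/index.jsp/deb2b1a127c472229babbb8dc2dca1c2/qpkb49mivezadai1 status=200",
    "2021-03-02T10:15:11Z src=10.0.0.5 url=http://87.236.212.184/sharpchisel.exe status=200",
    "2021-03-02T10:16:40Z src=10.0.0.7 url=https://www.example.com/index.jsp status=200",
    "2021-03-02T10:17:02Z src=10.0.0.9 url=https://instance-sy9at2-relay.screenconnect.com/ status=200",
    "2021-03-02T10:18:30Z src=10.0.0.7 url=http://187.236.212.184/ status=404",
]
PROCESS_LOG = [
    'host=WS01 parent=powershell.exe image=C:\\ProgramData\\SharpChisel.exe cmdline="C:\\ProgramData\\SharpChisel.exe"',
    'host=WS02 parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"',
    'host=WS01 parent=cmd.exe image=C:\\Users\\Public\\new.exe cmdline="C:\\Users\\Public\\new.exe"',
    'host=WS03 parent=explorer.exe image=C:\\Users\\alice\\Downloads\\new.exe cmdline="new.exe"',
]

if __name__ == "__main__":
    for hit in scan_logs(PROXY_LOG, scan_network) + scan_logs(PROCESS_LOG, scan_process):
        print(hit)
```

Run as-is it prints four network hits (the C2 check-in with its known md5, the tool download from 87.236.212.184, and the ScreenConnect relay) and four process hits; the third proxy line (a benign index.jsp) and the fourth process line (new.exe outside a staging directory) produce nothing, which is the point of keeping the generic names conditional on path.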