ioc[.]one - OSINT Cyber Threat Intelligence Database

Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

Tags

maec-delivery-vectors:

attack-pattern:

Credentials - T1589.001 Lsass Memory - T1003.001 Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Rundll32 - T1218.011 Scheduled Task - T1053.005 Security Account Manager - T1003.002 Server - T1583.004 Server - T1584.004 Steganography - T1001.002 Steganography - T1406.001 Steganography - T1027.003 Web Shell - T1505.003 Tool - T1588.002 Vulnerabilities - T1588.006 Connection Proxy - T1090 Powershell - T1086 Rundll32 - T1085 Scheduled Task - T1053 Web Shell - T1100

Show in Graph

Common Information

Type	Value
UUID	e26231a1-b260-4b78-9cd4-5ad9bb1da2b4
Fingerprint	8c618d0920e0fd01
Analysis status	DONE
Considered CTI value	2
Text language
Published	Sept. 29, 2022, midnight
Added to db	Oct. 6, 2022, 10:03 a.m.
Last updated	Nov. 17, 2024, 10:40 p.m.
Headline	Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
Title	Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
Detected Hints/Tags/Attributes	76/2/98

Source URLs

	Redirection	Url
Details	Source	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

URL Provider

Details	Provider	Source level domain
Details	security.com	symantec-enterprise-blogs.security.com

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	233	✔	Broadcom Software Blogs	https://sed-cms.broadcom.com/rss/v1/blogs/rss.xml/221	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	CVE	168	cve-2021-34473
Details	CVE	142	cve-2021-34523
Details	CVE	143	cve-2021-31207
Details	CVE	184	cve-2021-26855
Details	CVE	126	cve-2021-27065
Details	Domain	1	domu.cab
Details	Domain	1	0718.cab
Details	Domain	1	bigbluedc.com
Details	File	1	site.htm
Details	File	69	comsvcs.dll
Details	File	1018	rundll32.exe
Details	File	1	dm.db
Details	File	14	reflection.bin
Details	File	1	f.safe
Details	File	2126	cmd.exe
Details	File	10	dd.exe
Details	File	478	lsass.exe
Details	File	1	8b7db7a3-5376-4d32-8be1-0d3092117022-microsoft.tmp
Details	File	2	temp.rar
Details	File	165	reg.exe
Details	File	1	ieupdate.dll
Details	File	9	a.ps1
Details	File	14	s.dat
Details	File	2	exshell.ps
Details	File	1	domu.csv
Details	File	1	domu.cab
Details	File	2	c:\windows\temp\1.txt
Details	File	10	winrm.vbs
Details	File	1	0718.ldf
Details	File	1	0718.cab
Details	File	1	flogoff.aspx
Details	File	15	p.exe
Details	File	1	systemcontrolmodel.dll
Details	File	32	powershell_ise.exe
Details	File	1	getlastloginou.ps1
Details	File	38	7.exe
Details	File	1	deployer.7z
Details	File	1	111.txt
Details	File	1	repro.exe
Details	sha256	1	619b64c6728f9ec27bba7912528a4101a9c835a547db6596fa095b3fe628e128
Details	sha256	1	e597aae95dcaccc5677f78d38cd455fa06b74d271fef44bd514e7413772b5dcb
Details	sha256	1	ce3293002a9681736a049301ca5ed6d696d0d46257576929efbb638545ecb78e
Details	sha256	1	d3c62b920d3e5a6ea12ec59512fe26fb58eb5a19433b10dbe36201a3fc158998
Details	sha256	1	73bf59c7f6a28c092a21bf1256db04919084aca5924bbd74277f8bda6191b584
Details	sha256	1	acc52983d5f6b86bec6a81bc3fbe5c195b469def733f7677d681f0e405a1049b
Details	sha256	1	f91e44ff423908b6acf8878dced05dc7188ddab39d1040e0d736f96f0a43518d
Details	sha256	1	e7fcc98005cff9f406a5806222612c20dae3e47c469ff6028310847a599d1a38
Details	sha256	1	104873d692af36173cb39f8b46f2080c8ce1a1a52d60c69e1034e2033ba95f7a
Details	sha256	1	3b715112ac93e4cd5eaa7760b5670760fd25d0fec68f6a493624fa23c1c6e042
Details	sha256	1	8030d3472eac3c703ae918600a78a6a89800b157d76f333734ed1af5101d04ed
Details	sha256	1	17e60fc72b5398060138f72b3ecb3b09c37243e3b2905df94b7f5b44d6157806
Details	sha256	1	97ccac64927da6f46b3a775d2feb10c271b676e6b124e5bf84e9722c9dc4f093
Details	sha256	1	2d5daaae2fe2e7cd6c47ab4c5f824f670969d3fe88bfd3e4512967378c61924d
Details	sha256	1	d8326470d5631e58409401fbadfc8157ee247c32b368fb4be70c2b8f8f88427e
Details	sha256	1	a6cf19ab0dc0f0fb9ed4e6da13925a80d92c326a59131991eaf207d92bc61e13
Details	sha256	1	348d897e952c0f5872c35ea1b15eab802791b865d3c6ad3a27693680a28056cd
Details	sha256	1	1c5ad98a27551e6da3502cdc9ecb232f0d1a343b002c1760f350298fee8df202
Details	sha256	1	dc13f67a5c52488709056f51a63f3fa1056db71616f83cbb5f1f1949395248be
Details	sha256	2	16bef09e16119f1754a6b4283e93ff7a17cfdd7c043c3ff05a3d41f128ead52e
Details	sha256	1	d4e2106f9d5294c04ccc02d59882785d548caf4904c8c00446d906bbec2629b2
Details	sha256	1	31443b7329b1bdbcf0564e68406beabf2a30168fdcb7042bca8fb2998e3f11c5
Details	sha256	1	c4e9267138cc030e9e87c15c7ff3a15f0a7ece3c39872f354e74842e871e8dc1
Details	sha256	1	87e507f8fa0f881744afa3a4d5790297bb942230a08134becc150fff511f295b
Details	sha256	1	59e3bbf97bc08814c56f9aeebaf890a168551d3d9f2ac3efdc8247ecc1732f73
Details	sha256	1	1242d1372ab50a48ad9acec06b4f2a154b072dc494fa392e6647e736135fa636
Details	sha256	1	f3ae5c2ee98257d0b53d90b62eee18427918af41cb44f8097aa7c3f257c8f7ae
Details	sha256	1	0b29be26d5caae7cf46eaf9345eea7d9fd7e808b3334e2a2043232d450a648ee
Details	sha256	1	e27a24e4e99e623566d8a43eb7e562d27c28a7c746d533d36f56312e9a317c2b
Details	sha256	1	681c22f79e5ec794858172378ed0285ef4da87f4f2dc8545bf304ce1f936529c
Details	sha256	1	baa5c96ec2c51b601a6808428dbe0dc5e274e2ac65c38c465c5a74a2deb962c6
Details	sha256	1	74b1c46bfda5d2be5c674a6c53c2ad8f4f8d5c5b1cc010f17c6c538e117e013f
Details	sha256	1	5972621204b6503773bfaa58b6aadae073d94c781d89e49557e4d9ecfe4049ab
Details	sha256	1	59bfccc3a6f8e4f737c7b483ec13ba36e53f12af658529a9dd8b0df2b235c0de
Details	sha256	1	d0992dce0769d6ac23076635c902b56daeda17bab5c30f764991c0844141f61f
Details	sha256	1	3859784f390174acc2eeabc82649f7e13f5db592978192b9243c38c254b7e614
Details	sha256	1	1b9e723c70f0a682d4f3a5a7d98a89697b8509a07c8986de041b05806c04d1f9
Details	sha256	1	ee5f18e7dcb251a09da9650ac15723b0607282e5befc829d599005a322ac239d
Details	sha256	1	78718feee5ee5683827e5068d73922c8cd2cf297fb1818fb2440babb8d589609
Details	sha256	1	e5f98a1b0d37a09260db033aa09d6829dc4788567beccda9b8fef7e6e3764848
Details	sha256	1	469ebdd2f6ecdce9558f3e546ef2814c5e1ad274dcd23bf4613964a0c685d889
Details	sha256	1	45549618493cf78facbfedba54e662408b7ebaabe3352119974b6500d11edc85
Details	sha256	1	d273b4710800ede37617c3b6e3d58e67e45e6b54556dde468d18e48e006a79f2
Details	sha256	1	d66a019a3cec95b6292215cf6fce4c0837f4b1de3c8af232d11ea291c87db698
Details	sha256	1	57e729442e8d6a06857f71538c0c11a5a49ff5d6136c05f20f391ae9eb95c2da
Details	sha256	1	a7baecdbbf55825db281a417a9e11cd8d7b8c3ab5679d2474352091b431c6900
Details	sha256	1	1b75fe197f71809dea790f9d1357c0bb5e396f42dfcd4f966c64f5f71b39a865
Details	sha256	1	de5206a50a0ef8c7f00955ffc2f5034c9d588f8736819387be9f2572666aaa4b
Details	sha256	1	084d4a46bb5b6a1ff7dfc2dd7be6f2023d608f5883e345a67fb98ed22188f1bd
Details	IPv4	1	194.180.174.254
Details	IPv4	1	185.225.19.55
Details	IPv4	1	5.252.176.3
Details	IPv4	1	153.92.1.125
Details	Mandiant Temporary Group Assumption	2	TEMP.RAR
Details	Threat Actor Identifier - APT	278	APT10
Details	Url	1	http://194.180.174.254/111
Details	Url	1	http://185.225.19.55:8080/111
Details	Url	1	http://185.225.19.55/111.txt
Details	Windows Registry Key	24	HKLM\SAM