APT_MuddyWater_MalDoc_Feb20_1

Rule Info

Name
APT_MuddyWater_MalDoc_Feb20_1
Author
Florian Roth
Description
Detects weaponized Office documents used by MuddyWater
Score
75
Reference
Internal Research
Date
2020-02-13
Minimum Yara
1.7
Rule Hash
7929376ad2ff686c017bd92fa2e2daa8
Tags
['APT', 'OFFICE', 'FILE', 'T1566_001', 'T1203', 'G0069']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/apt_muddywater_maldoc_feb20_1/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
29
Suspicious (< 10 engines)
5
Clean (0 engines)
1

Rule Matches

Timestamp
Positives
Total
Hash
VT
2023-02-01 21:21:54
4
62
17ccd1b03b4fc7aa725b99eb6de6ae2d72276fe7fc03ce9a6ddfccd81adbdf5e
2023-01-13 06:08:48
30
62
0f67f5fa23aeff5a66151e3414a52e50a598061fd3db1415309d1c3b468a78f8
2023-01-13 05:52:18
30
62
2df022e1ab8b850b1d560dbf2cd6ff4a2fc47ea650d30958d32d697efdac6ee2
2023-01-13 02:36:38
30
62
20e283ce351ed1387d07654c4ccd07342f408e2ba84efa8d9d781ea7e1bfca1a
2023-01-11 12:27:55
27
56
da1cd2dbbc70bf9d2683f5482c8af8d5d5f053d4ee1899ceb556547c8116b21e
2023-01-10 14:30:21
33
62
93dc0e443d69c93ad1b223c684a78c6e285610065c2f56c7a668c98bd28c48e4
2022-08-29 01:57:49
0
61
27723301337ec3ccbfed4b3ab6512d06ef27af0b0d97fe961492791e2c55f859
2022-03-26 15:13:16
4
59
582ebe9b7433a8508f5cd1408f6b93865a95455e8078899a46628e8fd71acc43
2022-02-09 21:20:32
29
61
abfcc8dde2bd27966026ea4903172bad345704c6f880e796231191d7119ef6a1
2022-02-02 21:47:05
17
61
a694562cdd720f61fc8c625b5a34f7c25455bb3312c454da7e6391535bdf0204
2022-01-31 23:32:56
29
61
3e6986d4dc7610c059aa8a51a61e30bcf509b7c2b5b4e931134c42384a0deea6
2021-11-09 07:31:55
34
60
148839e013fee10ee5007f80de2e169778739e84d1bbb093f69b56060ceef73f
2021-11-09 07:31:55
26
61
64001be2fc9ccec320d48c75d2de8ad7cd74092065cb44fe35b38624d4493df0
2021-11-09 07:31:55
33
61
eb1c21fcba6d04376a8cfd19fbd19203db68e13161049b70586ff509dc6e2175
2021-11-09 07:29:09
25
61
f9cde44e0b4e43775b28ce8689f747038f83ea0389d510b1da41e63392f3a269
2021-11-08 07:39:40
10
59
fcdd38ff378605c66333429d9df2242fbce25a5f69f4d6d4c11d9613bcb409b0
2021-07-08 17:16:31
37
62
d8823ee70109ce789639748933a45c723060040597d17925cb605ad8f7f85a14
2021-07-08 17:16:30
29
62
2f69f7df7a2ab7b1803bb50b23ac17f7047b4651513bdff98dae5adee492c98f
2021-06-15 08:56:31
16
60
18cfd4c853b4fb497f681ea393292aec798b65d53874d8018604068c30db5f41
2021-06-15 08:26:00
15
59
1d768c6a5165cadf39ac68e4cc294399f09b48dfefd7bfd6d78e75ad882cd3f1
2021-06-04 18:00:58
1
61
26ed7e89b3c5058836252e0a8ed9ec6b58f5f82a2e543bc6a97b3fd17ae3e4ec
2021-04-21 02:55:00
11
58
20ec56029ec2dc6a0f86d172f12914d078fc679a8d01257394864413d01d7eda
2020-05-29 01:04:02
37
60
78f78c3ed9b6dee1c8d6ec8a173847ab356e2836e7f24be3f76103ca7a498911
2020-05-19 13:55:02
2
50
d44dbba8ae470888ae1a7674d953c56920334ba1b499597ee9a14d6bbac40860
2020-05-04 13:28:38
29
62
1078d27f2873ddec4203062b5eca87a4b63917f1f970b3878fcfb31ecc16869c
2020-02-29 00:56:08
38
61
d00c4d4c3fec1eec334f8633ca5d0708d5c6967bee05710a6d1cb92f94f78af7
2020-02-29 00:55:36
35
61
4d108c88e8140dde62b13981ff55be18c371e3b4419ae99c294077016d760e38
2020-02-29 00:54:39
36
61
bad2d7b5b64ddf09bf4f26cc440187a6fec58bbe433496f0a7441b4a02e46bf8
2020-02-29 00:54:36
38
62
bb09d7b7941879e50782319ae903474f3117584e4f54c6dbe587f4994121b2b1
2020-02-21 08:58:36
27
58
306ddc3a4cf048dec9bc84ad33a86c986fcdc9b3f07cfeccec355ff12d789217
2020-02-20 17:52:37
39
58
a325349e810154b700b530da25c54383907a27c58c2e8ba056cce2b865aad3bf
2020-02-20 08:48:16
34
62
2bdf62d363c33f5c0fd2649daf8cf1e97027ddc90d9c692ebde79bfa1a563c64
2020-02-19 11:47:41
30
58
63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf
2020-02-19 02:51:12
2
59
dffd670f0e331438ecc979b58821c9f07646fde65b61c46633cf62462141b261
2020-02-18 09:23:42
33
60
a69fee382cf86f9e457e0688932cbd00671d0d5218f8043f1ee385278ee19c8c

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022