MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
SHA3-384 hash: dff976c60cc9946e825278809d2d29e69163e17a6b6776b852cd9b1b041bfa02594ce63cae387c94c4112f83d6b46d11
SHA1 hash: f7e61eb028b399b74c73883a2fccedbe56ecea2e
MD5 hash: bd842c41b4c1b3c2deb475d7a3876599
humanhash: indigo-four-wolfram-west
File name:libintl3.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:530'432 bytes
First seen:2021-01-29 16:30:00 UTC
Last seen:2021-01-29 21:53:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3417123af2f473f771d46841bfce6d48 (1 x CobaltStrike)
ssdeep 12288:NMINVoXxVuxcowWRjZ9dpOLg8UU8YhUhKEcBvg+:2rxIwU19eL4oUAEun
Threatray 655 similar samples on MalwareBazaar
TLSH 70B4D043F7A102F9C16BD134C9D66773EBB1B9540B249B4B4A60CB522F13BB19B1EB48
Reporter rpsanch
Tags:Cobalt Strike TEARDROP

Intelligence

File Origin
# of uploads :
3
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
libintl3.dll
Verdict:
No threats detected
Analysis date:
2021-01-29 16:33:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73f2102b-1101-4975-9d37-0e5e5b782daa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114766/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/594142
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346109 Sample: Zoalj0zGsM Startdate: 29/01/2021 Architecture: WINDOWS Score: 56 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 7 loaddll64.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 9 other processes 7->15 process5 17 WerFault.exe 20 9 9->17         started        19 WerFault.exe 9 11->19         started        21 WerFault.exe 9 13->21         started        23 WerFault.exe 9 15->23         started        25 WerFault.exe 9 15->25         started        27 WerFault.exe 9 15->27         started        29 4 other processes 15->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07/
Threat name:
Win64.Trojan.TearDrop
Create hunting rule
Status:
Malicious
First seen:
2021-01-28 19:08:00 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9
CobaltStrike
2af42a2047b16f2dea0038365058a8d8b7f71152117c371ce7f593e47aa785d1
CobaltStrike
3e6c11f27c1309c63abe0a1563c6141ce7b8d8110419c572be46dcb3578db443
CobaltStrike
49f80e9afca6ccd55838cd0e16639d51ed5db3d751f36ba7d79ea0678b50da6a
CobaltStrike
4d71f1eab01045de9ae76ea248be7746bad70c12ad977eeb6e8f8e46bbce6395
CobaltStrike
a8241398b22ba3745b460a7a0c39cb9a86ca258b9283901d42e8dab283acb39b
CobaltStrike
bf9b98c2b8e313967028e6ba8760d9a23f6b93036b5f85631494e870a90af779
CobaltStrike
c3cd38ef21032f1410a496a7ca71239619a8d9aa289e70f05f42893def8129e0
CobaltStrike
f74f5eb8416d9522e703877e104ac7923cc3efeedaa1138b6221726b0d359096
CobaltStrike
f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f
CobaltStrike
+ 645 additional samples on MalwareBazaar
Result
Malware family:
teardrop
Create hunting rule
Score:
  10/10
Tags:
family:teardrop backdoor dropper
Link:
https://tria.ge/reports/210129-n9emelcpg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
MD5 hash:
bd842c41b4c1b3c2deb475d7a3876599
SHA1 hash:
f7e61eb028b399b74c73883a2fccedbe56ecea2e
Link:
https://www.unpac.me/results/f2195022-7101-4c4c-a6e4-98e5ba42d382/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Dropper_Win64_TEARDROP_1
Create hunting rule
Author:FireEye
Description:This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/craiu/status/1355075391443111938
  
Link
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds
  
Link
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
  
Link
https://tria.ge/210129-5gnz8fc932
  
Link
https://hybrid-analysis.com/sample/b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07?environmentId=120
Joe
Joe Sandbox
https://www.joesandbox.com/analysis/346109/0/html
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114766/

Comments