{
	"id": "39edc51c-0a4d-4849-a204-e23e5ef0b23a",
	"created_at": "2026-04-06T00:22:26.668769Z",
	"updated_at": "2026-04-10T03:20:31.23079Z",
	"deleted_at": null,
	"sha1_hash": "78cae2a983339ce6b8bc94bc125d11fcf6bc735c",
	"title": "MAR-10320115-1.v1 - TEARDROP | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88106,
	"plain_text": "MAR-10320115-1.v1 - TEARDROP | CISA\r\nPublished: 2021-04-15 · Archived: 2026-04-05 19:34:02 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis report provides detailed analysis of malicious artifacts associated with a sophisticated supply chain compromise of\r\nSolarWinds Orion network management software, identified by the security company FireEye as TEARDROP.\r\nTEARDROP is a loader designed to decrypt and execute an embedded payload on the target system. The payload has been\r\nidentified as the Cobalt Strike Beacon Implant (Version 4) and provides a remote operator with command and control capabilities\r\nover a victim system through an encrypted network tunnel. The capabilities include the ability to rapidly exfiltrate data, log\r\nkeystrokes, take screenshots, and deploy additional payloads.\r\nFor a downloadable copy of IOCs, see: MAR-10320115-1.v1.stix.\r\nSubmitted Files (2)\r\n1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c (1817a5bf9c01035bcf8a975c9f1d94...)\r\nb820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 (b820e8a2057112d0ed73bd7995201d...)\r\nDomains (2)\r\nervsystem.com\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 1 of 12\n\ninfinitysoftwares.com\r\nFindings\r\n1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c\r\nTags\r\nbackdoor, dropper, trojan\r\nDetails\r\nName 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c\r\nSize 321024 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 35abfb98dac5bf48f7ac0e67afc9bdb7\r\nSHA1 9185029c2630b220a74620c8f3d04886a457e1cf\r\nSHA256 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c\r\nSHA512 93f1336e3bc7ac01561f0ad7ce5fec7ae078e55db0f5b0cf0663cb5dbbe2acb08f27490da179e27579debc04843bf02f047456c516bf0345ba827\r\nssdeep 
6144:NQGxkGwaxIOkqNQI7LI8L/pOXlZg2gv+rtcOHNManxm2wf:NtxpgyNQIo8LePWOHWgTa\r\nEntropy 7.922861\r\nAntivirus\r\nBitDefender Generic.Teardrop.1.244AC43A\r\nClamav Win.Dropper.Teardrop-9808996-3\r\nEmsisoft Generic.Teardrop.1.244AC43A (B)\r\nLavasoft Generic.Teardrop.1.244AC43A\r\nMicrosoft Security Essentials Trojan:Win64/Cobaltstrike.RN!dha\r\nSymantec Backdoor.Teardrop\r\nYARA Rules\r\nrule CISA_10320115_01 : TEARDROP trojan backdoor\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10320115\"\r\n       Date = \"2020-12-31\"\r\n       Last_Modified = \"20201231_1800\"\r\n       Actor = \"n/a\"\r\n       Category = \"Trojan Backdoor\"\r\n       Family = \"TEARDROP\"\r\n       Description = \"Detects variants of TEARDROP malware\"\r\n       MD5_1 = \"f612bce839d855bbff98214a197489f7\"\r\n       SHA256_1 = \"dc20f4e50784533d7d10925e4b056f589cc73c139e97f40c0b7969728a28125c\"\r\n       MD5_2 = \"91e47c7bc9a7809e6b1560e34f2d6d7e\"\r\n       SHA256_2 = \"b37007db21a7f969d2c838f3bbbeb78a7402d66735bb5845ef31df9048cc33f0\"\r\n       MD5_3 = \"91e47c7bc9a7809e6b1560e34f2d6d7e\"\r\n       SHA256_3 = \"1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c\"    \r\n   strings:\r\n       $s0 = { 65 23 FB 7F 20 AA EB 0C B8 16 F6 BC 2F 4D D4 C4 39 97 C7 23 9F 3E 5C DE }\r\n       $s1 = { 5C E6 06 63 FA DE 44 C0 D4 67 95 28 12 47 C5 B5 EF 24 BC E4 }\r\n       $s2 = { 9E 96 BA 1B FB 7F 19 5A 8C 06 AB FA 43 3B F0 83 9E 54 0B 02 }\r\n       $s3 = { C2 7E 93 FC 02 B9 C6 DE 2B AF C6 C2 BE 2C 88 02 B4 1D 03 F5 }\r\n       $s4 = { 48 B8 53 4F 46 54 57 41 52 45 C7 44 24 60 66 74 5C 43 C6 44 24 66 00 48 89 44 24 50 48 B8 5C 4D\r\n69 63 72 6F 73 6F }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 2 of 12\n\n$s5 = { 48 83 F8 FF 48 8D }\r\n       $s6 = { 8B 0A 48 83 C2 04 8D 81 FF FE FE FE F7 D1 21 C8 25 80 80 80 80 }\r\n       $s7 = { 5B 5E 5F 5D 41 5C 41 }\r\n       $s8 = { 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 20 
00 53 00 65 00 74 00 75 00 70 00 20 00 53 00 65 00 72\r\n00 76 00 69 00 63 00 65 }\r\n       $s9 = { 64 6C 6C 00 4E 65 74 53 65 74 75 70 53 65 72 76 69 63 65 4D 61 69 6E }\r\n       $s10 = { 41 31 C0 45 88 04 0A 48 83 C1 01 45 89 C8 41 39 CB 7F }\r\n   condition:\r\n       ($s0 or $s1 or $s2 or $s3) or ($s4 and $s5 and $s6 and $s7 and $s8 and $s9 and $s10)\r\n}\r\nrule FireEye_20_00025665_01 : TEARDROP APT dropper\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_1916\"\r\n       Actor = \"n/a\"\r\n       Category = \"Hacktool\"\r\n       Family = \"TEARDROP\"\r\n       Description = \"This rule looks for portions of the TEARDROP backdoor that are vital to how it functions.\r\nTEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and\r\nload the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt\r\nStrike BEACON into memory.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\n   strings:\r\n       $sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64]\r\n41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }\r\n       $sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32]\r\nC6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }\r\n       $sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 
24 [1-\r\n16] 48 01 C8 [0-32] FF D0 }\r\n   condition:\r\n       all of them\r\n}\r\nrule FireEye_20_00025665_02 : TEARDROP APT dropper\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_1916\"\r\n       Actor = \"n/a\"\r\n       Category = \"Hacktool\"\r\n       Family = \"TEARDROP\"\r\n       Description = \"This rule is intended match specific sequences of opcode found within TEARDROP, including\r\nthose that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry\r\nkeys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows\r\nservice and has been observed dropping Cobalt Strike BEACON into memory.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\n   strings:\r\n       $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }\r\n       $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }\r\n       $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }\r\n       $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48\r\n8D 04 42 48 C1 E0 04 48 29 C6 }\r\n       $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }\r\n   condition:\r\n       (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 3 of 12\n\nPE Metadata\r\nCompile Date 2018-12-09 10:37:58-05:00\r\nImport Hash 0a331624686ac9055694d7ddd9c0815d\r\nCompany Name None\r\nFile Description Network Setup Service\r\nInternal Name None\r\nLegal Copyright © Microsoft Corporation. 
All rights reserved.\r\nOriginal Filename NETSETUPSVC.DLL\r\nProduct Name Microsoft® Windows® Operating System\r\nProduct Version 10.0.14393.0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nd990149684ac611b98b9d389766a7e17 header 1024 2.584189\r\n5fbd9948fd72f083803635022111fd99 .text 23552 6.358535\r\n122bd1d155ed0c51226ea0b38872e13d .data 286720 7.998098\r\n9d8aead5ec18fa55740a34a7eaa3c2bb .rdata 1536 3.673323\r\n7b5aab64a2810cf05bd80323f8aa17d4 .pdata 1536 3.660221\r\n8b15f6849b0bf0f60bd81b23988f5ca7 .xdata 1024 2.883941\r\nd41d8cd98f00b204e9800998ecf8427e .bss 0 0.000000\r\n091c8665b4cd95cc583105c223f156aa .edata 512 0.967748\r\nc94c470079ed994735caebed176cd925 .idata 2560 4.429320\r\nc806ece4d1aa4e25beb529c6e7dc947d .CRT 512 0.253231\r\n9f168cc07fa95e573b1f74a2e4614f79 .tls 512 0.331828\r\n5b06dd2d5de3cb635e5e15313a541789 .rsrc 1024 2.933337\r\n99450283e3e0c313f697d0165f585598 .reloc 512 1.239038\r\nRelationships\r\n1817a5bf9c... Connected_To ervsystem.com\r\nDescription\r\nThis file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. The malware attempts to read the first\r\n64-bytes of a file named \"festive_computer.jpg\" (Figure 1). It does not utilize the data it reads from this file and it will\r\ncontinue executing even if this file is not present on the target system.\r\nAfter attempting to read the file \"festive_computer.jpg,\" it will decrypt and execute an embedded code buffer using an XOR\r\nbased stream cipher (Figure 2). 
Below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:\r\n—Begin Cipher Key—\r\nC27E93FC02B9C6DE2BAFC6C2BE2C8802B41D03F53365B25AEE1A67D0E9525171F5F7149045E5D1F672176CA686C3C7A0D34E5FF1FBCBF6C\r\n—End Cipher Key—\r\nThe embedded code buffer has been identified as the Cobalt Strike Beacon (version 4) Remote Access Tool (RAT).\r\nDisplayed below is the embedded Beacon configuration data:\r\n—Begin Cobalt Beacon Configuration Data—\r\nPort                             - 443\r\nSleepTime                 - 7200000\r\nMaxGetSize                - 1399696\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 4 of 12\n\nJitter                            - 18\r\nMaxDNS                     - 255\r\nC2Server                     - ervsystem.com/2019/Two-Man-Point-The-Brands/\r\nUserAgent                    - Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR\r\n3.5.30729; rv:11.0) like Gecko\r\nHttpPostUri                 - /2019/Users-Case-Documentation-And-Yourselt/\r\nMalleable_C2_Instructions        - Remove 38 bytes from the end\r\n                                Remove 1554 bytes from the beginning\r\n                                Base64 decode\r\nHttpGet_Metadata                 - Referer: https://yahoo.com/\r\n                                Host: ervsystem.com\r\n                                Accept: */*\r\n                                Accept-Language: en-US\r\n                                Accept-Encoding: gzip, deflate\r\n                                Connection: close\r\n                                PHPSESSID=\r\n                                Cookie\r\nHttpPost_Metadata                - Referer: https://yahoo.com/\r\n                                Host: ervsystem.com\r\n                                Accept: */*\r\n                                Accept-Language: en-US\r\n                                Connection: close\r\n                                
name=\"uploaded_1\";filename=\"04373.avi\"\r\nContent-Type: text/plain\r\n                                p\r\nSpawnTo                         - b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\nPipeName                         -\r\nDNS_Idle                         - 9.9.9.9\r\nDNS_Sleep                        - 0\r\nSSH_Host                         - Not Found\r\nSSH_Port                         - Not Found\r\nSSH_Username                 - Not Found\r\nSSH_Password_Plaintext     - Not Found\r\nSSH_Password_Pubkey         - Not Found\r\nHttpGet_Verb                     - GET\r\nHttpPost_Verb                    - POST\r\nHttpPostChunk                    - 0\r\nSpawnto_x86                     - %windir%\\syswow64\\msiexec.exe\r\nSpawnto_x64                     - %windir%\\sysnative\\print.exe\r\nCryptoScheme                     - 0\r\nProxy_Config                     - Not Found\r\nProxy_User                     - Not Found\r\nProxy_Password                 - Not Found\r\nProxy_Behavior                 - Use IE settings\r\nWatermark                        - 892810033\r\nbStageCleanup                    - True\r\nbCFGCaution                     - False\r\nKillDate                         - 0\r\nbProcInject_StartRWX             - False\r\nbProcInject_UseRWX             - False\r\nbProcInject_MinAllocSize         - 7281\r\nProcInject_PrependAppend_x86     - b'\\x90'\r\n                                Empty\r\nProcInject_PrependAppend_x64     - b'\\x90\\x90\\x90'\r\n                                Empty\r\nProcInject_Execute             - ntdll:RtlUserThreadStart\r\n                                CreateThread\r\n                                NtQueueApcThread\r\n                                SetThreadContext\r\nProcInject_AllocationMethod     - NtMapViewOfSection\r\nbUsesCookies                     - True\r\nHostHeader                     -\r\n—End Cobalt Beacon Configuration 
Data—\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 5 of 12\n\nScreenshots\r\nFigure 1 - Screenshot of the code structure that tries to read \"festive_computer.jpg\" from disk.\r\nFigure 2 - Screenshot of TEARDROP using an algorithm to decrypt the embedded code buffer which contains the Cobalt\r\nStrike Beacon remote access tool (RAT).\r\nervsystem.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nervsystem.com/2019/Two-Man-Point-The-Brands/\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain Name: ERVSYSTEM.COM\r\nRegistry Domain ID: 2222911627_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.epik.com\r\nRegistrar URL: http://www.epik.com\r\nUpdated Date: 2020-09-04T23:23:29Z\r\nCreation Date: 2018-02-04T08:45:05Z\r\nRegistrar Registration Expiration Date: 2022-02-04T08:45:05Z\r\nRegistrar: Epik, Inc.\r\nRegistrar IANA ID: 617\r\nRegistrar Abuse Contact Email: abuse@epik.com\r\nRegistrar Abuse Contact Phone: +1.4253668810\r\nReseller:\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Privacy Administrator\r\nRegistrant Organization: Anonymize, Inc.\r\nRegistrant Street: 704 228th Ave NE\r\nRegistrant City: Sammamish\r\nRegistrant State/Province: WA\r\nRegistrant Postal Code: 98074\r\nRegistrant Country: US\r\nRegistrant Phone: +1.4253668810\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: ervsystem.com@anonymize.com\r\nRegistry Admin ID:\r\nAdmin Name: Privacy Administrator\r\nAdmin Organization: Anonymize, Inc.\r\nAdmin Street: 704 228th Ave NE\r\nAdmin City: Sammamish\r\nAdmin State/Province: WA\r\nAdmin Postal Code: 98074\r\nAdmin Country: US\r\nAdmin Phone: +1.4253668810\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: ervsystem.com@anonymize.com\r\nRegistry Tech ID:\r\nTech Name: Privacy Administrator\r\nTech Organization: Anonymize, Inc.\r\nTech Street: 704 228th Ave 
NE\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 6 of 12\n\nTech City: Sammamish\r\nTech State/Province: WA\r\nTech Postal Code: 98074\r\nTech Country: US\r\nTech Phone: +1.4253668810\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: ervsystem.com@anonymize.com\r\nName Server: NS3.EPIK.COM\r\nName Server: NS4.EPIK.COM\r\nDNSSEC: signedDelegation\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\nRelationships\r\nervsystem.com Connected_From 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c\r\nDescription\r\nThis domain is the command and control (C2) for the sample\r\n\"1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c.\"\r\nb820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07\r\nSize 530432 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 bd842c41b4c1b3c2deb475d7a3876599\r\nSHA1 f7e61eb028b399b74c73883a2fccedbe56ecea2e\r\nSHA256 b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07\r\nSHA512 110a10662342b0d5716c3307c51fa8a591bf621049d8d291aa44f8ab864ab075064651750334619292e9362136e328c14dd637033c244d4255\r\nssdeep 12288:NMINVoXxVuxcowWRjZ9dpOLg8UU8YhUhKEcBvg+:2rxIwU19eL4oUAEun\r\nEntropy 7.533146\r\nAntivirus\r\nBitDefender Trojan.Teardrop.C\r\nESET a variant of Generik.NFGRBKQ trojan\r\nEmsisoft Trojan.Teardrop.C (B)\r\nLavasoft Trojan.Teardrop.C\r\nMicrosoft Security Essentials Trojan:Win64/Cobaltstrike.RN!dha\r\nSymantec Backdoor.Teardrop\r\nYARA Rules\r\nrule FireEye_20_00025665_02 : TEARDROP APT dropper\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 7 of 12\n\nLast_Modified = \"20201213_1916\"\r\n       Actor = \"n/a\"\r\n       Category = \"Hacktool\"\r\n       Family = 
\"TEARDROP\"\r\n       Description = \"This rule is intended match specific sequences of opcode found within TEARDROP, including\r\nthose that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry\r\nkeys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows\r\nservice and has been observed dropping Cobalt Strike BEACON into memory.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\n   strings:\r\n       $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }\r\n       $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }\r\n       $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }\r\n       $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48\r\n8D 04 42 48 C1 E0 04 48 29 C6 }\r\n       $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 
00 }\r\n   condition:\r\n       (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-03-09 23:23:43-05:00\r\nImport Hash 3417123af2f473f771d46841bfce6d48\r\nCompany Name None\r\nFile Description GetText: library and tools for native language support\r\nInternal Name None\r\nLegal Copyright © 2015 Free Software Foundation \u003cwww.fsf.org\u003e\r\nOriginal Filename libintl3.dll\r\nProduct Name libintl3.dll\r\nProduct Version 0.14.4.1952\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n1ae8ec5795f9a3cad5d54e569634d668 header 1024 2.703747\r\n989e04fb5dc1eb83a3055a3fea30fb7a .text 209408 6.327319\r\nd2bcd776a8ca1ed76feb8344d0739f1a .data 286720 7.998501\r\nfdbd0954169972c21876938dbd536da3 .rdata 1536 3.636101\r\n7eddb104f4aad897faffc33762e896cf .pdata 7680 5.364572\r\n8232395ce211b61e4df169c38afdb7f6 .xdata 3072 1.658757\r\nd41d8cd98f00b204e9800998ecf8427e .bss 0 0.000000\r\nadd3d2ca7de32da5c3a5d2718129d600 .edata 15872 5.809199\r\n8e6af2ae43eb16502507eeb8c7c03aa5 .idata 2560 3.983544\r\n768bf26d947f32101953daeeea4a19b1 .CRT 512 0.238291\r\n60227c557d35a7f2cf79a13c284b1dab .tls 512 0.335735\r\n2d007e3e5c7f7423ed5c43b129f03f34 .rsrc 1024 2.956911\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 8 of 12\n\nMD5 Name Raw Size Entropy\r\nddbe94bbe8aeacf9cb120fe816659354 .reloc 512 1.215071\r\nRelationships\r\nb820e8a205... Connected_To infinitysoftwares.com\r\nDescription\r\nThis file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. During runtime, the malicious\r\napplication decodes and executes an embedded code buffer using an XOR based stream cipher. 
Displayed below is the key\r\nutilized by the cipher algorithm to decrypt the embedded code buffer:\r\n—Begin XOR Cipher Key—\r\nAFAFD51031EE936AFC50B611CDC70E7E62A7BAFCA72B43DB0023915BBBBAC016A5331CB28EE6E3DF0804B24004D219EE7ED24C7B41D9\r\n—End XOR Cipher Key—\r\nThe embedded code buffer contains malicious code identified as the Cobalt Strike Beacon (version 4) RAT. Displayed below is\r\nthe embedded Beacon configuration data:\r\n—Begin Cobalt Beacon Configuration Data—\r\nBeaconType                     - HTTPS\r\nPort                             - 443\r\nSleepTime                        - 14400000\r\nMaxGetSize                     - 1049217\r\nJitter                         - 23\r\nMaxDNS                         - 255\r\nC2Server                         - infinitysoftwares.com,/files/information_055.pdf\r\nUserAgent                        - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/81.0.4044.92 Safari/537.36\r\nHttpPostUri                     - /wp-admin/new_file.php\r\nMalleable_C2_Instructions        - Remove 313 bytes from the end\r\n                                Remove 324 bytes from the beginning\r\n                                XOR mask w/ random key\r\nHttpGet_Metadata                 - Referer: https://twitter.com/\r\n                                Host: infinitysoftwares.com\r\n                                Accept: */*\r\n                                Accept-Language: en-US\r\n                                Accept-Encoding: gzip, deflate\r\n                                Connection: close\r\n                                PHPSESSID=\r\n                                Cookie\r\nHttpPost_Metadata                - Host: infinitysoftwares.com\r\n                                Accept: */*\r\n                                Accept-Language: en-US\r\n                                Connection: close\r\n                                name=\"uploaded_1\";filename=\"33139.pdf\"\r\nContent-Type: 
text/plain\r\n                                r\r\nSpawnTo                         - b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\nPipeName                         -\r\nDNS_Idle                         - 208.67.220.220\r\nDNS_Sleep                        - 0\r\nSSH_Host                         - Not Found\r\nSSH_Port                         - Not Found\r\nSSH_Username                     - Not Found\r\nSSH_Password_Plaintext         - Not Found\r\nSSH_Password_Pubkey             - Not Found\r\nHttpGet_Verb                     - GET\r\nHttpPost_Verb                    - POST\r\nHttpPostChunk                    - 0\r\nSpawnto_x86                     - %windir%\\syswow64\\print.exe\r\nSpawnto_x64                     - %windir%\\sysnative\\msiexec.exe\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 9 of 12\n\nCryptoScheme                     - 0\r\nProxy_Config                     - Not Found\r\nProxy_User                     - Not Found\r\nProxy_Password                 - Not Found\r\nProxy_Behavior                 - Use IE settings\r\nWatermark                        - 943010104\r\nbStageCleanup                    - True\r\nbCFGCaution                     - False\r\nKillDate                         - 0\r\nbProcInject_StartRWX             - False\r\nbProcInject_UseRWX             - False\r\nbProcInject_MinAllocSize         - 8493\r\nProcInject_PrependAppend_x86     - b'\\x90\\x90'\r\n                                Empty\r\nProcInject_PrependAppend_x64     - b'\\x0f\\x1f\\x00'\r\n                                Empty\r\nProcInject_Execute             - ntdll:RtlUserThreadStart\r\n                                CreateThread\r\n                                NtQueueApcThread\r\n                                SetThreadContext\r\nProcInject_AllocationMethod     - NtMapViewOfSection\r\nbUsesCookies                     - True\r\nHostHeader                     -\r\n—End Cobalt Beacon Configuration 
Data—\r\nScreenshots\r\nFigure 3 - Screenshot of the XOR based cipher utilized by this TEARDROP variant to decode an embedded Cobalt Strike\r\nBeacon payload.\r\ninfinitysoftwares.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ninfinitysoftwares.com/files/information_055.pdf\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain Name: infinitysoftwares.com\r\nRegistry Domain ID: 2356151174_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namesilo.com\r\nRegistrar URL: https://www.namesilo.com/\r\nUpdated Date: 2021-01-01T07:00:00Z\r\nCreation Date: 2019-01-28T07:00:00Z\r\nRegistrar Registration Expiration Date: 2021-01-28T07:00:00Z\r\nRegistrar: NameSilo, LLC\r\nRegistrar IANA ID: 1479\r\nRegistrar Abuse Contact Email: abuse@namesilo.com\r\nRegistrar Abuse Contact Phone: +1.4805240066\r\nDomain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Domain Administrator\r\nRegistrant Organization: See PrivacyGuardian.org\r\nRegistrant Street: 1928 E. Highland Ave. Ste F104 PMB# 255\r\nRegistrant City: Phoenix\r\nRegistrant State/Province: AZ\r\nRegistrant Postal Code: 85016\r\nRegistrant Country: US\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 10 of 12\n\nRegistrant Phone: +1.3478717726\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org\r\nRegistry Admin ID:\r\nAdmin Name: Domain Administrator\r\nAdmin Organization: See PrivacyGuardian.org\r\nAdmin Street: 1928 E. Highland Ave. Ste F104 PMB# 255\r\nAdmin City: Phoenix\r\nAdmin State/Province: AZ\r\nAdmin Postal Code: 85016\r\nAdmin Country: US\r\nAdmin Phone: +1.3478717726\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org\r\nRegistry Tech ID:\r\nTech Name: Domain Administrator\r\nTech Organization: See PrivacyGuardian.org\r\nTech Street: 1928 E. Highland Ave. 
Ste F104 PMB# 255\r\nTech City: Phoenix\r\nTech State/Province: AZ\r\nTech Postal Code: 85016\r\nTech Country: US\r\nTech Phone: +1.3478717726\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org\r\nName Server: NS1.DNSOWL.COM\r\nName Server: NS2.DNSOWL.COM\r\nName Server: NS3.DNSOWL.COM\r\nDNSSEC: unsigned\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\nRelationships\r\ninfinitysoftwares.com Connected_From b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07\r\nDescription\r\nThis domain is the C2 for the sample \"b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07.\"\r\nRelationship Summary\r\n1817a5bf9c... Connected_To ervsystem.com\r\nervsystem.com Connected_From 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c\r\nb820e8a205... Connected_To infinitysoftwares.com\r\ninfinitysoftwares.com Connected_From b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b\r\nPage 11 of 12\n\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or SayCISA@cisa.dhs.gov.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nRevisions\r\nFebruary 8, 2021: Initial Version\r\nApril 15, 2021: Updated with Attribution Statement\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b"
	],
	"report_names": [
		"ar21-039b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434946,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78cae2a983339ce6b8bc94bc125d11fcf6bc735c.pdf",
		"text": "https://archive.orkl.eu/78cae2a983339ce6b8bc94bc125d11fcf6bc735c.txt",
		"img": "https://archive.orkl.eu/78cae2a983339ce6b8bc94bc125d11fcf6bc735c.jpg"
	}
}