Full Report
Last week, we analysed 56 cyber threat intelligence articles and summarised them along with the relevant metadata that was extracted. Below you can find a short summary of 10 articles, the related threats, tools and threat actors, a link to the source, and a number of indicators of compromise (IoCs) extracted from the original reports. More granular information on all reports, including TTPs, is available via RST Report Hub.

Title: PROXY.AM Powered by Socks5Systemz Botnet
Link: https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet
Summary: The Socks5Systemz proxy malware, active since 2013, was first highlighted by Bitsight TRACE a year ago, when it was associated with approximately 10,000 compromised systems. Subsequent investigation revealed that its botnet peaked at 250,000 compromised systems globally by late January 2024. Socks5Systemz was initially sold as a standalone product and used alongside other malware families such as Andromeda and Trickbot; recent adaptations and a shift in distribution strategy, using loaders such as Privateloader and Smokeloader, produced Socks5Systemz V2, which maintains a daily average of 85,000 to 100,000 bots. The malware's ability to turn infected hosts into proxy exit nodes has facilitated illicit activity, and its association with proxy services points to a larger reselling operation within the criminal ecosystem.
Threats: socks5systemz privateloader smokeloader amadey andromeda trickbot bathnk_actor boostyproxy ngioweb nsocks_tool
Indicators of compromise:
-------------------------
ip: 109[.]236[.]51[.]104, 109[.]235[.]81[.]104, 141[.]98[.]234[.]31, 81[.]31[.]197[.]38, 45[.]155[.]250[.]90, 152[.]89[.]198[.]214, 91[.]211[.]247[.]248, 185[.]208[.]158[.]248, 185[.]237[.]207[.]107, 185[.]208[.]158[.]202, 79[.]132[.]128[.]13, 176[.]10[.]111[.]126, 194[.]62[.]105[.]143, 195[.]154[.]176[.]209, 89[.]105[.]201[.]183, 46[.]8[.]225[.]74, 88[.]80[.]150[.]13, 195[.]154[.]174[.]225, 62[.]210[.]201[.]223, 185[.]141[.]63[.]209, 195[.]154[.]173[.]35, 195[.]154[.]174[.]12, 62[.]210[.]204[.]81, 62[.]210[.]204[.]131, 185[.]141[.]63[.]216, 195[.]154[.]185[.]134, 88[.]80[.]148[.]252
domain: proxy[.]am, bddns[.]cc, design[.]proxy[.]am, hpf[.]proxy[.]am, api[.]proxy[.]am, proxyam[.]one
url: https://proxy[.]am
hash: - sha256=5260154782dd66c6a7b0e14c077c4b44ed1f483c6708495d0344edf8a14e2b27, - sha256=36cffd7d54385e0473cb7f7bf2d33910027428837725c4d3649ff1af2d88cb2b, - sha256=aa93289a23603efc27f70a7eb38f8e81fa7c30f4a5dff71f70c6f2ee583df619, - sha256=e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00, - sha256=f6bbff3463d01da463091dc3347f5f42b32378353d2f7ddfab6285ecf0450c14, - sha256=a2a41ff58541f577ea1580932cc89642e987239a2fa1ccdb33a3029a520ecd0b, - sha256=fa3fe68c4a784c01e170098296b3212696b611e0239b69a40f4438532ca33e88, - sha256=54feb0e02729304c1c054e34c3bcb4e76be31b31ec2276187ccc4479378ce130, - sha256=0fc2f189aa3ebc1ff836079e49dac9758ab5e807d7ab4b42ff37c2376bcc2705, - sha256=bf34984756336bc78428f3f856be287ef364afa3330cac5facf019c39be73657, - sha256=b1e5b0e42e039b9711c435d691f1372ec663b2cb5a5d6a733d859d75a9f2d662, - sha256=f4456c54b840b5650d131ee27ffc9f23b7b3d8344cd88bd2dd2dbad05741e401, - sha256=c742642edeae783ffdc9efd52f514a5eef830ec115f8e723ee7cfd82ca7c0ba6, - sha256=dd075ec25d314f2d97d89065239ccb1d6c680d3f08ea94bf59f522545a1546c9, - sha256=75e722495c157a05b557580863f90b856d6ec229c7cb4974a008c823377369f5

Title: Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation
Link: https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware
Summary: The article focuses on a newly identified packer-as-a-service (PaaS) called HeartCrypt, under development since July 2023, which malware operators use to hide malicious code inside legitimate binaries and so complicate detection. Researchers identified over 2,000 malicious payloads packed with HeartCrypt, spanning around 45 different malware families including LummaStealer and Remcos, largely through traces found on underground forums and in malware samples. The analysis details HeartCrypt's techniques, such as injecting malicious code, employing anti-sandbox methods and modifying the system registry for persistence, and highlights the challenge these pose to defenders as malware services become increasingly commoditized.
Threats: heartcrypt lumma_stealer quasar_rat redline_stealer remcos_rat rhadamanthys vidar_stealer xworm_rat raspberry_robin process_hollowing_technique venomrat hvnc_tool acr_stealer amadey dead_drop_technique xenorat purecryptor avemaria_rat njrat jester_stealer riseprostealer raccoon_stealer arrow_rat asyncrat darkgate 3losh danabot meterpreter_tool smokeloader mango
Indicators of compromise:
-------------------------
ip: 5[.]253[.]84[.]218, 5[.]161[.]190[.]139:8732, 149[.]28[.]222[.]15:44506, 193[.]142[.]146[.]21:2404, 78[.]142[.]18[.]221:2401, 194[.]110[.]172[.]149, 91[.]92[.]244[.]67:50500, 45[.]77[.]166[.]78:44506, 34[.]143[.]159[.]164, 207[.]246[.]113[.]185:46836, 193[.]142[.]146[.]64, 45[.]15[.]156[.]173, 103[.]183[.]115[.]60:9112, 
94[.]228[.]166[.]40:4782, 45[.]200[.]149[.]147, 207[.]148[.]69[.]28:6608, 209[.]126[.]4[.]168, 5[.]161[.]190[.]139:13757, 80[.]76[.]49[.]148, 134[.]122[.]130[.]229, 91[.]151[.]89[.]158, 192[.]153[.]57[.]101, 94[.]156[.]8[.]65, 185[.]196[.]9[.]94, 193[.]233[.]133[.]152:35515, 193[.]233[.]132[.]10:50500, 5[.]253[.]86[.]233:2404, 185[.]196[.]10[.]188, 89[.]23[.]103[.]42, 45[.]159[.]189[.]140, 45[.]89[.]53[.]206:4663, 91[.]92[.]248[.]143:1000, 154[.]216[.]17[.]204domain: benchillppwo[.]shop, publicitttyps[.]shop, answerrsdo[.]shop, radiationnopp[.]shop, affecthorsedpo[.]shop, bargainnykwo[.]shop, bannngwko[.]shop, bouncedgowp[.]shop, ghostwritexmskz[.]shop, reverseproxy[.]con-ip[.]com, commisionipwn[.]shop, stitchmiscpaew[.]shop, ignoracndwko[.]shop, grassemenwji[.]shop, charistmatwio[.]shop, basedsymsotp[.]shop, complainnykso[.]shop, preachstrwnwjw[.]shop, obstacleosdsapq[.]shop, genesisloperalora09[.]con-ip[.]com:1880, topgamecheats[.]dev, associationokeo[.]shop, turkeyunlikelyofw[.]shop, pooreveningfuseor[.]pw, edurestunningcrackyow[.]fun, detectordiscusser[.]shop, relevantvoicelesskw[.]shop, colorfulequalugliess[.]shop, wisemassiveharmonious[.]shop, reinforcenh[.]shop, stogeneratmns[.]shop, fragnantbui[.]shop, drawzhotdog[.]shop, vozmeatillu[.]shop, offensivedzvju[.]shop, ghostreedmnu[.]shop, gutterydhowi[.]shop, highawaretemptersudwu[.]xyz, delaylacedmn[.]site, writekdmsnu[.]site, agentyanlark[.]site, bellykmrebk[.]site, underlinemdsj[.]site, commandejorsk[.]site, possiwreeste[.]site, famikyjdiag[.]site, sippytryedkwn[.]shop, dxpam[.]duckdns[.]org, wickedneatr[.]sbs, invinjurhey[.]sbs, laddyirekyi[.]sbs, exilepolsiy[.]sbs, bemuzzeki[.]sbs, exemplarou[.]sbs, isoplethui[.]sbs, frizzettei[.]sbs, putineveryone[.]ddns[.]net, ergfdsvhiebviured[.]con-ip[.]com, zabra2oto[.]theworkpc[.]com, sleepychanreal[.]com:4040, raven123[.]ddnsgeek[.]com, procesosespeciales855[.]casacam[.]net, agosto20[.]con-ip[.]com:7773, agosto13[.]con-ip[.]com:7775, doesnotkl[.]dynuddns[.]net, 
fabiangomezpu1405[.]con-ip[.]com:1661, estrillajuju[.]con-ip[.]com:1668, carrodecarrera[.]ydns[.]eu:1992, saviloe24[.]duckdns[.]org, libardino[.]linkpc[.]net:3019, septiembre16[.]con-ip[.]com:7771, word8328[.]duckdns[.]org, perezedc95[.]duckdns[.]org, assaasjdnsubdcdy[.]con-ip[.]com:1667, mayo006[.]con-ip[.]com:7770, fenvijsdfidfisdiodwhfuew[.]con-ip[.]com:1997, smallelementyjdui[.]shop, prideconstituiiosjk[.]shop, minorittyeffeoos[.]shop, appetitesallooonsj[.]shop, headraisepresidensu[.]shop, tendencyportionjsuk[.]shop, lineagelasserytailsd[.]shop, sofaprivateawarderysj[.]shop, sloganprogrevidefkso[.]shop, 9238db8un3ifd32d3423fwdsx[.]ydns[.]eu:5023, wastwfulldashiwnjs[.]shop, l34d3r[.]duckdns[.]org, 0[.]tcp[.]ngrok[.]io, drawwyobstacw[.]sbs, condifendteu[.]sbs, ehticsprocw[.]sbs, vennurviot[.]sbs, resinedyw[.]sbs, enlargkiw[.]sbs, allocatinow[.]sbs, mathcucom[.]sbs, carrtychaintnyw[.]shop, quotamkdsdqo[.]shop, milldymarskwom[.]shop, metallygaricwo[.]shop, opponnentduei[.]shop, puredoffustow[.]shop, achievenmtynwjq[.]shop, chickerkuso[.]shop, aviatiiitwinq[.]shop, dcmayofornuevo[.]dynuddns[.]com, puerto4001[.]duckdns[.]org, trackboxing[.]dynuddns[.]net, doctorganador[.]duckdns[.]org, ufye28738bd3yv23d783[.]con-ip[.]com:5023, tryyudjasudqo[.]shop, eemmbryequo[.]shop, reggwardssdqw[.]shop, relaxatinownio[.]shop, tesecuuweqo[.]shop, tendencctywop[.]shop, licenseodqwmqn[.]shop, keennylrwmqlw[.]shop, teenaggerwwysm[.]shop, carracalbarmen[.]con-ip[.]com:1991, alfredoperezpu1405[.]con-ip[.]com:2500, alfredoperezpu1405[.]con-ip[.]com:1663, hhkhgklbnc[.]duckdns[.]org, confrewdsfgfs[.]con-ip[.]com:1661, azul[.]accesscam[.]org, septiembre13[.]con-ip[.]com, caffegclasiqwp[.]shop, stamppreewntnq[.]shop, stagedchheiqwo[.]shop, millyscroqwp[.]shop, evoliutwoqm[.]shop, condedqpwqm[.]shop, traineiwnqo[.]shop, locatedblsoqp[.]shop, applieddyooqnz[.]shop, octubre212024[.]giize[.]com, fuertefuerte[.]accesscam[.]org, octubre242024[.]casacam[.]net, rfast[.]duckdns[.]org:57840, 
enivomarzo12[.]dynuddns[.]com, blees7[.]duckdns[.]org:7770, offcordl[.]dynuddns[.]net, esteesdeldcr23[.]duckdns[.]org, fdsgofgjoefjiooe[.]con-ip[.]com:1665, newtestdn[.]dns[.]army:1700, mrtwinks[.]duckdns[.]org, ergwgfbrej[.]duckdns[.]org, juanruizpu1405[.]con-ip[.]com:1668, nwemarkets[.]com:5552, puerto4003-envios[.]mysynology[.]net, solumintir[.]duckdns[.]org:1994, eugeniapadillalora09[.]con-ip[.]com:1880, xwrmsistem[.]duckdns[.]org, proyectoxman1[.]casacam[.]net, stronglife[.]zapto[.]org, dcfdsfde[.]ydns[.]eu:1991, newera08[.]casacam[.]net, mfjnfijndifsiisihddd[.]con-ip[.]com:1668, demonstationfukewko[.]shop, liabilitynighstjsko[.]shop, alcojoldwograpciw[.]shop, incredibleextedwj[.]shop, shortsvelventysjo[.]shop, shatterbreathepsw[.]shop, tolerateilusidjukl[.]shop, productivelookewr[.]shop, peleinufele[.]kozow[.]com:32024, azul[.]accesscam[.]org:2609, closeconection[.]duckdns[.]org, uhd87327hd7b9jduwjlask[.]con-ip[.]com:5023, goatratedman[.]com:4050, extendedbreakfast[.]com:5140, dashboard[.]dynuddns[.]com, alvarolopezpu1458[.]con-ip[.]com:1661, dealleromwn[.]shop, octubre18[.]ydns[.]eu, octubre[.]dynuddns[.]com, abrilmarzonh[.]4cloud[.]click, segurosbolivar24[.]con-ip[.]com:2006, spikeduggli[.]buzz, jorgeperezpu145[.]con-ip[.]com:1661, mnnioudfd[.]duckdns[.]org, nwemarkets[.]com:9774, vcvfdjvodsuhvf[.]con-ip[.]com:1661, esteeselprpio[.]duckdns[.]org, castanojulian1111[.]chickenkiller[.]com, uego[.]con-ip[.]com, consolidado23[.]linkpc[.]net:3019, peanutclutchlowwow[.]shop, agosto14[.]con-ip[.]com:7773, agosto14[.]con-ip[.]com:7774, octubre2424[.]run[.]place:3019, rcmpx[.]duckdns[.]org:57870, hotsdefender[.]webredirect[.]org:2404, danielacorrealora09[.]camdvr[.]org:1880, 873d723jh90387gdbn283dn3[.]con-ip[.]com:5023, preferenciales12[.]duckdns[.]org, rafaborre27[.]duckdns[.]org, krakenstudio0612[.]casacam[.]net, puerto4000[.]duckdns[.]org, manuelabobadillalora09[.]con-ip[.]com:1880, agosto15[.]con-ip[.]com:7771, nuevodcsrat[.]duckdns[.]org, 
29idjidpoiic903jnu92cvvvew[.]con-ip[.]com:5023, porfavor[.]duckdns[.]org:7770, octubre8[.]con-ip[.]com:7771, agosto6[.]con-ip[.]com:7775, comunion992[.]linkpc[.]net:3019, stay-daughters[.]gl[.]at[.]ply[.]gg, marzo15[.]con-ip[.]com:7770, renagtiondo[.]com, mywhitelab[.]ddns[.]net:2404, faststaynow[.]duckdns[.]org:5057, septiembre162[.]con-ip[.]com, pruebaoctubrenuevo[.]ydns[.]eu:3018, winswerx1[.]duckdns[.]org, fantasmads[.]ddns[.]net, xmagoo[.]duckdns[.]org, pepecasas123[.]net, pepecasas123[.]mywire[.]org, wins22jul[.]duckdns[.]org, gilbertomartinezlora09[.]con-ip[.]com:1880, mariobenjumealora09[.]con-ip[.]com:1880, front-nature[.]gl[.]at[.]ply[.]gg, robertobarbosalora09[.]con-ip[.]com:1880, absorptioniw[.]site, mysterisop[.]site, snarlypagowo[.]site, treatynreit[.]site, chorusarorp[.]site, abnomalrkmu[.]site, soldiefieop[.]site, questionsmw[.]store, mariabenitesedd[.]ydns[.]eu:1880, assaasjdnsubdcdy[.]con-ip[.]com:1661, dfgdfghghfhfh[.]con-ip[.]com:1665, jorgeperezpu145[.]con-ip[.]com, uoptyerdg[.]duckdns[.]org, globalserverwindows[.]duckdns[.]org, comercialnuevoan20[.]casacam[.]net, barebrilliancedkoso[.]shop, parallelmercywksoffw[.]shop, ohfantasyproclaiwlo[.]shop, landdumpycolorwskfw[.]shop, flourhishdiscovrw[.]shop, conferencefreckewl[.]shop, notoriousdcellkw[.]shop, liabiliytshareodlkv[.]shop, toothsomedicisivew[.]shop, diosayudamesenor[.]dynuddns[.]net, veinyjsuwk[.]site, octubre100[.]con-ip[.]com:7773
url: http://167[.]235[.]207[.]130, https://steamcommunity[.]com/profiles/76561199651834633, https://t[.]me/raf6ik, https://195[.]201[.]118[.]191, https://t[.]me/pech0nk, https://steamcommunity[.]com/profiles/76561199751190313, https://65[.]108[.]55[.]55:9000, http://5[.]75[.]212[.]247:80, https://steamcommunity[.]com/profiles/76561199686524322, https://t[.]me/k0mono, https://188[.]245[.]87[.]202, https://steamcommunity[.]com/profiles/76561199747278259, https://t[.]me/armad2a, https://49[.]12[.]106[.]214, https://49[.]12[.]197[.]9, https://t[.]me/ae5ed, 
https://steamcommunity[.]com/profiles/76561199780418869, https://95[.]217[.]220[.]103, https://116[.]203[.]153[.]40, https://t[.]me/lpnjoke, https://steamcommunity[.]com/profiles/76561199786602107, https://steamcommunity[.]com/profiles/76561199658817715, https://t[.]me/sa9ok, https://5[.]75[.]253[.]161, https://steamcommunity[.]com/profiles/76561199743486170, https://t[.]me/s41l0, https://t[.]me/copterwin, https://steamcommunity[.]com/profiles/76561199689717899, http://188[.]40[.]248[.]148:80, https://37[.]27[.]31[.]150, https://t[.]me/g067n, https://steamcommunity[.]com/profiles/76561199707802586, http://91[.]202[.]233[.]181/any, https://t[.]me/edm0d, https://steamcommunity[.]com/profiles, https://128[.]140[.]125[.]116, https://t[.]me/r2d0s, https://steamcommunity[.]com/profiles/76561199654112719, https://tougn[.]website, https://95[.]217[.]28[.]72, https://steamcommunity[.]com/profiles/76561199794498376, https://t[.]me/asg7rd, https://95[.]217[.]135[.]112, https://steamcommunity[.]com/profiles/76561199698764354, https://t[.]me/r8z0l, http://147[.]45[.]78[.]18:80, https://t[.]me/fun88rockskek, https://135[.]181[.]31[.]18, https://t[.]me/iyigunl, https://steamcommunity[.]com/profiles/76561199761128941, http://107[.]191[.]36[.]218:80, http://192[.]227[.]94[.]170:80, https://65[.]109[.]11[.]145, https://steamcommunity[.]com/profiles/76561199644883218, https://t[.]me/neoschats, https://steamcommunity[.]com/profiles/76561199699680841, https://t[.]me/memve4erin
hash: - sha256=7f4d6a371e872d8b4999d415401589c32adcfc6cfc26892cfa3316e4fccec270, - sha256=000d7d9f98d3040f2e366febd8f5c58a3335038982290ae333907890fe699e72, - sha256=001212590d5c2fd2fb18dc4366d526051dfafad2e655b909db30496673441e31, - sha256=00611bc2d5471b2c967ab91ca75a58070c5ddf1a2a18b0cb9988cd447c1e9fd0, - sha256=007a98a9dac8ccc34d6fb4ee6cf34188dc6c0bae0fc507115e64b19518b72e50, - sha256=01568de8658e767ee3669e2f5550bec292f1251ca82d20f550c7cf971b483f7a, - 
sha256=01c43d621ea272c9838753ac6bda61b3aa466298c024d7c7335a0207f9004928, - sha256=01fb6cd536cfadcb15f5a4b13de2d5605382db36d2b2bb6434b455f0d80fe0d4, - sha256=02badfbfd5bc33379b2661689e5b7bd6914a971ed9d41e65be062c01f6e6b3f2, - sha256=0513a96a4f549212ad24a7ee47bf22018e6b3c097cca871138bdc7e4d05cee6c, - sha256=0520a17e3d8e51c452f6a306e87bd11747f54061b550323aaa3effdcbc976ae3, - sha256=0537aa42d49f4582426dcac92368b7c61410f264f98ac92077356f609053f6b7, - sha256=054b1c2a6511ab68ace708daa654ce41faa2d96319887e7f2d662d7afed77228, - sha256=05f77810972591f88192833e3b3b8015584fb97c407ebc677d0dbd975cebea3e, - sha256=060d6f9c0505a7709281567b10bbc91256a073ecd4fef23e3de47f5ff7aa40de, - sha256=0848e727bba3960a0fbbdb403a4a8503658b872e621234b6999b14ff9eb855eb, - sha256=0949ae633b8214009cb1c52d1bb2ea9f5066e90c0c285fcaf3844b0580e2f587, - sha256=0965f85212e3c5fc2cd3e14499fd65b90c5aac7029a3d0afd61525284c5dc88f, - sha256=391c15890e7db90a5ab7dbcd1d9d8050bb54584c3283232c9a3d6c299a8d0ef7, - sha256=b19f406be8e31b70012e2256b375c5062181effcbae63c3b6021ea31eabecc0d, - sha256=45dd5da0789b46e5a62749b0afb186191d5c2183cdabc8c58bb0ca036da735b6, - sha256=0c04b6c3410b09724edb5f3ce6e8502ceeaa000475e7880bd255f3642decb890, - sha256=356b236fe8d554369f76d635745d8ee5915bec76d07bf280460548cfd8b2da6d, - sha256=41a98844ffcee16144b7d48961cb6573bfad86ebeccb5f231af5882e199774cc, - sha256=87cb3e505b91088da96b2a66f717804140932581255d0a195f0df2ede2258e49, - sha256=04e8b67bfbcc576c64439bb6c6e7ae2a767cfe71a120f148f9c738982577873e, - sha256=099de377cdc27b701145d1ab34c71f5c63fe4511e3b3e74c0c4813a7e64c0f97, - sha256=0acb1809427093979ddae8bec5e6436a88c2b472cfb483e4f539ab8e2ca7f672, - sha256=0bfb5c9035c5bccea26456a7a873e7f682055c5621a3c2ada16f7db9e4b49a39, - sha256=0d9ee9b2c72c983eb0c90851a353b5ca9f2a66e70453c822916c3c4464aeaab8, - sha256=0daceeced78525806e2221ef5857a345077e118c853797c17c85023c6d8e4cb8, - sha256=0dc2e4861267051eb2e3dfe8c57ad10a7fbe8d20c55429b15ca64014f2c50eca, - 
sha256=0f90f094b3feeb87fe79416f42d583a8cf7d37c32e715856333846f9313b89f6, - sha256=0f9188163350f4562a4a2a86f490f99d593ef0940f0642ae7464c84677a00028, - sha256=10373926f6d4868e6970e5d1025bfe92e394dd7a6bcc576162e3397f5139ba90, - sha256=11892dbe32cebd618deb6dc36477829ef9fb8181d7ec887408f44c08bb5f675b, - sha256=161f73e22cadcc877a39104f32b3bc9042363c11cd490a9ee8681714148c22f3, - sha256=164beea0736231f25917cc0458e0ae9775504982256b3b51dfd209067c7c2e19, - sha256=1707eac4efc2ea46c2364b3f3332d75eb414915586c3d199c904240be23c9354, - sha256=18c2df2f2634643072361ced86bd12d503a3f9617a506e7fd01efadf1d095c81, - sha256=19a00488730bc7785390df8887b925f58aa649defbeed9b4ed27a66d5f8b3359, - sha256=1cd4ceb10f9445353969b740ae36c2471f68a40489f4c5402679480590d5b2e0, - sha256=1d40e7daa7a2fc748c85d3bf233649204163fc179f71d3ff2b3c7f426b0499ae, - sha256=1ded4207f46c167de383235dd94de12f4d144ed4e38b5131dad2fe0cad56fe84, - sha256=1e716acec0f8c78445db489b74b7c3ff027181e332377773f11530a7669f9693, - sha256=1e92a017cb91cf900d15f868988a96c02ca483097137da1478a98953ca6db6a3, - sha256=1e9426c5ad1d49235ac06d0c3e7d9d8e08fac6569c0946d569ab713fb3a7f20e, - sha256=1f98d9d0535d73965dac132490686e26e29a89eca7001fd7fb9a1bc82e5c9a93, - sha256=1f9f707123e3bb6988741a85e436d229f4c390af717949f7ef1f5257cb993e55, - sha256=1fd2972d72dfbc8b2b0c6bc7c43e3389e67d2bad651cca2583f4f4c7fa443fd1, - sha256=20007eeee7714925edf27094d9109025fdebaac26e1dbf97d51e8917276b6d3a, - sha256=20144b7fe9b7b3900c8240c1cee5003c0d2647eea6d98f310a71304600def8ea, - sha256=235be22a82cb8890d91c8cd29992fd044a3c802cc0bc55ee293e14ae54700cfb, - sha256=26e5f26a50b29efd559c1fe469831e7c31409351e922b386db911d8320f303f2, - sha256=270c0ba7e8fac9c92c6a94d03dfda65aef468d0d3a56eedf23ede0d2c3d4de95, - sha256=2832eac061fdbdf5431c134f2a22c5006964fab899bd21c918f6bb010cce32d9, - sha256=28a0366a432fda9d8ce5580ad76bdbf7b194b58e11a1330b415cb74ed856c6fd, - sha256=2b74c2685d3bc1504f20bb93af1a0bf3fb3ec2090b3298b8f025be4550789859, - 
sha256=2be849154e91a1aa43a1914c7253f08f0029854d309ab4e3d0e264a7424ee8cc, - sha256=2c9b999f3cb82c127bd9bad395dc73304bbddc1015de617cae367dc749e24703, - sha256=304eedf0c5b7d5fab844104a704741e6c9d4ebcb8515d19e85db979668bc3cb8, - sha256=310d4ec3b694aa3503a8d5a5adddbe1c0d87935b0fa01e640b0df602c1505234, - sha256=311934efae99b694091136c03c7277823018818578c5993e77ddbedd3ae1a166, - sha256=337a0dff907453cd0d54ac5ecf32647e65862a3022c214ddbca0403975536b02, - sha256=34c10230a2a1c5a92f3a3aee064fe14f653703719f9ab479fc57c853cb388190, - sha256=366effe5cdcdb1a27d7ded62d1bad9e75ec4be18e6315134208c076b5e73df32, - sha256=3878a0e50206a6d660b7234483c9d79c8db99c23d2fc281f09435bee25edd577, - sha256=3a45d80180a157ec0aa70298d5eef0cbc13740fcf6323f705bfc10525cb217a8, - sha256=3c5859206c81aaf8e9ae611f380aea0185dc67746410589b0ea77bc991c1d265, - sha256=3cdb3d9f4ea6e815270433385d7f8a1a4432aa18f11411cf7719fa58671f26ed, - sha256=3d47f583cdcd3a9e04a33f93333dd38b382fd3b7c82cfc7e09cb8dad5beecfe7, - sha256=3d7c57fd5e035b159d4f1460989924756a725db772787cf8ad67d543c510fe54, - sha256=3e6f8a670eb5507fb32d99c8e2ee8ac3dd3a03312793a3ce2c1cbb6eb69e3fd6, - sha256=3ed1506c27dc92c44fd3b21fdcbd4c196e6190c4de6ec68a5ad2cfedca36e5ce, - sha256=406ef6e503a9b005af95d6813f239803535eb7d9dab5cac2516b6ae9e3848cce, - sha256=4103fed41f19837a4ac6f6d5c82e82f43c3bf141247e7cac410c4cd93847f969, - sha256=4237fb3fe85bf5f0c3c19c45ae85f76d0c527cb5d531736a1430f6f8eb10e54a, - sha256=42a098586b632e65c8b350bab9846eb0943c54ffc6f81c44b18f5d8e772fe36b, - sha256=4404ab406750312cdabb565b04500d9b94be2e80894d9b5b869e45daf994acfd, - sha256=44e79edd7a2f9d5f9140db1b213091322d0629de1c3f02a8c42e029890503cda, - sha256=4534f19c76fcfcd817365b67e0feb22c2c59b00c43bc7ab5b6ac04975da21cc6, - sha256=45980fb785c9c2ccd9f1b84b2906453edcf5700a59d5561b5d7bb0f8da71da2a, - sha256=45ce39ce5eef5afd148e6bda2802b60f8bc388d279c1c2bb03d3795b207d4523, - sha256=470d98bde49951ecc819033f47492bbfc87be5767c5820e9f3190a4b8151c5a5, - 
sha256=479807c1f3eb9d9fab9b6ab2853604bcc97d9f090ae4fb14d66747fd66e5993e, - sha256=47e3b3c0e9633dbba588060bbd946d13658d2a49678d0ed0f4e21cc9d8370058, - sha256=48cff22bae20cb599fcdcec8b4fb41e4785ba5c19123a728fc4f8244f7a900f4, - sha256=48e1b13ffa233c40c0a24026d2c7236796b8fce6956235f29246a4717728ec42, - sha256=495897a0e9d55bbd06884df8b9b7c15d9c398e825538d7a235cbfb7d75d4b99e, - sha256=49735d3992131f165199287d0b5997dfa8e035a10177ea556e957d3cac7a1cb4, - sha256=4a9e11f3a1b5b7543f00f4f662b4602c5449c78f7181a139af3b804aa7316006, - sha256=4ca542b8871a292cc4d4c1aa0e3b8b4517a27ba227ff822eb870b5bb4b8a71d1, - sha256=4d7c1d874dc735c24586b32d080ad58a7c3559330b022746fb6fc1179a1ad522, - sha256=5299590e69d031fa7b4118551f59a41091fe97aa3513494c910f9a6011a6e6fe, - sha256=54595cdde8ac9332adc78143051b3cebd29e564b3f3ba7a390847dd6a30ac9b0, - sha256=599fe4c40cd392efc6becccecdb65ad61e18ad89c98a586ebda05f597b54111c, - sha256=59fe7e6e026da28b275c1fa65ac6f2bb0712793903fe1b77cbe148c15df0c927, - sha256=5aa1dc189fcbf09a77f1926e0a2d1c17d9b66e8bbbae1c1751622f544a67ee62, - sha256=5ab8a17246063f43e04f124c842427a9413d086796c1fd5e9d46917b308f5e74, - sha256=5c6118287d6b3c0a58b87bf6c4572bd132d96f713d31c7061f790871674430ac, - sha256=5cbf6d0a1f9a8ad1b482c9b7371249b91b1ac1041e9e08701ded8fb6503b00ad, - sha256=5ccdc48357a287efbf61754f092e9ef24718b9d1099883eda90b2b93f6d94ebc, - sha256=5d9d8bfd620209757123efaad61ffd8a48598ba8cbf5c5d795c9b35fd8618277, - sha256=5da1b29f6b0ce6127341d90ecdcf572963cb8d27a5f4ba1b072f58614404976c, - sha256=5ed664e59239f2bc96b4ac1a07cf1af18834d467b1868c79d960d3122e0c9547, - sha256=5fb8926926dc18f997e3bbce351518fcca0ffd382099e59154402e2da3a3858c, - sha256=606d23a8f451eeeb802261b8c279da0185d061d971e01139da4435f75eab56e4, - sha256=60837ecb4271e7348591ab1d8ee69dabf9071677694fb024493497af43855f25, - sha256=6083df167c2c313759ad4885919f556172343bc787f28780429e7272ff7a05da, - sha256=612cdcd8164c3820950dcc5276dd1a41782ffe424ace86e065de964de21f6871, - 
sha256=61b0a39405d071a95d7a8302b308cbf65ce4db0df029efea1af8a24ae9a94ca4, - sha256=62afa3a8d6a4c924491c2897acc4ba6fa053108ecc54d8c97503ed2aaa58e2c0, - sha256=62b3b8180936fd37593dca45af592225ca18bb410a45cdc79fa15726ca7efcf2, - sha256=6322d14ec5869367ae5b64fa81eb5958371640fdaa0dac6d5dcdfea35925cf94, - sha256=67a6c50a05b7eabf847559671c95f011a534395e4c84eb9e3b1ad3a7cf072187, - sha256=688530cee5f95e2040e9d0b5198cb0f530cbccd0160df3827882905f7002879e, - sha256=69569b6a988642b3bc36370470f71e2471df37b1b441c54f53c8e30b940d79bb, - sha256=696a181467746f96cf98cb52d83460fa08ce6baa44d2ddb809a95c6807fb35fe, - sha256=6b6e6a393ad1b3ab46c39b82fefdc51ab0fbfe639ee1d4df3a379ffb74480cdb, - sha256=6be338592a07efe9cedccbeeb21c9b06bb32587fd8ab7d280e2e2d8dc84c17a1, - sha256=6c5b19853d6cec2a3f41aac0e437e1ef8241c97925c5154917c92382ae7c7b8f, - sha256=6e6c7b6870291847bb97423e17c9eee895d10f44ed6ab7093ee578d8d86fd606, - sha256=6f4774324d33fab7b2ed9ddd09d417a2a4a44f65510c8504307810d63a3e1078, - sha256=707d9cf7b6c65e87d3b3d656f9643371b5ff629db8bac714a252c41988b83306, - sha256=71fc81dacb3b48b07278fb1b7eb71fbb7526354cc784b9ffa76b626a4d50a11d, - sha256=74554ddbee138be6723c9e2808d22525cfbcdb4450e712935073ef29dcf426a3, - sha256=745bb1bf24225162b5d44873f99807f1f9a90ee34d71e2af0104e6accd6b2d8e, - sha256=749e45ffd6abdd0c7e9217242d20c486c84527759548420cbe66f9ad0445e9fa, - sha256=76d79d6ed1c7aacb7c6fce4136a67d3495c99bfca3f2eb03678c277263dba74c, - sha256=77ffb29827c2e94dd69821c3cd1eb74866b597a530fdff94c0a88cbbe7bc6642, - sha256=794c5c420ebee929b7815025fff40b48d7f8981fadaa578dc522f95f30144e61, - sha256=7a07116fe66c2288abd5511f09b30da56b11a2fff49bc9c2efe793b6b8342ff5, - sha256=7aa4e2b65495e6e77069a6c211fab7a64db0373ff2c6492fa0177f5edce43389, - sha256=7d5c2be07e27f1ee25850b537337e520f823b1cddc2acbf22c4fe01f3a94b8df, - sha256=7e3015b04d355414d86c2a2124380d31d5f11b7b5996acb081b6f8a8fca0ee45, - sha256=7f68acaaa1fde023747d47b2e66515a3ed9408a80e3ec1596d8a76aec0a9437f, - 
sha256=7fd1c60a9db98539700314f893c6b8408ee83fe4655b70f040b61a853821f99c, - sha256=b939904d34dee658462a3963eab58ea198b07f42fad912b8c73f53fc2f7de559, - sha256=7fefc8a574e655e534f74b031a23616d1a72b876ee3daad9ffd24fe49a3847ec, - sha256=813cbee9920207ad9683a367b90ccd92821ac761453e3a2e18bb68af74c457dd, - sha256=818f21b679e26ea67dbe65df1deb5c728214c9007793ac18cb9ecd139dc9aa88, - sha256=82c0608d335a64c32af8041ec8212df46d742fffbdb89bfffd58fa34a90ae654, - sha256=82dc456673c70d3e2b6e7b8b2a6c06488dd2bffe2f3320f6ee54352514a316b1, - sha256=82f9a9e5d6837b58bed5f8f8571afc31b570a5d2db6befe3459b09f161114e37, - sha256=84702a49d1fecf7a4267701c105a714d34250e3c31ec2495660edeac53f54ceb, - sha256=85ff8d9d2f577cedd1ebee022dfbc8192fdb5ee16e39dc9f03743739b6d5c4e7, - sha256=87f954a96ff46df18d7103c05102f23441838d3c0f157380466764dfac2079e2, - sha256=8a4b53fd2a5246edb67124673b2c324db27b443f856c7193d8c5417d793835b1, - sha256=8dc7fbdfac755d60ce05b1c223c174ba13abd78eb01aa538b37c0b812ece3aa5, - sha256=8de2fd12c142b386f6465f4fe39ab08bed03823e0a01fd0ea2794b2c21710e62, - sha256=8e042392a04fc5aa858ba8f96ebdae676e2b959217e2d5c43252632337144da6, - sha256=8e6c2886d27ae580561350564d94625f0151ad0ae5b64c0a58ffce8ffeb01ffa, - sha256=8e761990bd71d47cdb207f1492a9e4ade71ad95c1eaed69a3826e9ee5b74306a, - sha256=8f959c31ab0f7560c0ceaccb3ed44abe8c531eacf9d6689c1b0bb9cf7cc1446b, - sha256=93769b51b829c4aa014a10179e40ff91492dbb70986d2b0af8b86901a4fae25c, - sha256=9423522a796f3190f1e434382e3760294527dae11844bd9aece3ee70899a74c6, - sha256=967516fbdc5dfb43e1f3ab8f5a6713e226b4b0d1a556c1933381086587a5b2db, - sha256=97175f477ed70cb8ab8e64165325586111a3946433bbae9e03b8273ac0602e3e, - sha256=9910510ef16cd791eacb868d63f33db54c7ca6343a470b97bbda3ab53a0af1e1, - sha256=9a3a26bd98c511627d2b384bce4c46c538a67f24c66459acd0af467fca4bdd08, - sha256=9a42637e8c5229a0b84c28892e030c5b9d07cd32ccb5bdc0cc6f0633113c8fe2, - sha256=9af467c9392af012bf687f347c0192296d131791b4c7cb74d1dac1622db8f8cb, - 
sha256=9bd724fbb3e9c42122711c756c27fd8ceaf01f48e5d59a8935f4b67fb8246b3c, - sha256=9d96d963705e996e6618f11bc32894e0ce5bc1410db62f43ed79ea546e93d743, - sha256=a306e433e72c97ac9016f9f260f882362d7dfa8735f86384ee70046304430e25, - sha256=a3d2ef71d5d8a5f7b1e489f15836d7f4bafcfcdccad2d9dfbfa14fb34e65fd17, - sha256=a555018ed03a0b191f64f625b75cebd9f62c194c7b1c1a66b91266f2f1c1b6c4, - sha256=a71beab2c962f82db197b85a490c8f7ab82d8bb1a861b85f95635cca10223fcc, - sha256=a9aa8684fd492083ee04b150344411dea5d3560e87d4dafe7cca03889789689f, - sha256=aa8e104dcdc6c58d726bd32d3ac32b3eae96ae2ffa591d9c9303f57f3d046e35, - sha256=aab1bf3a2a549c076a55b67c11c3af04813380b87c1a2d45cdddf52d25c15bd5, - sha256=acbb983043b2caf0a96657216843a985a11622ce7480c3e508c7c86f5bbf5f3c, - sha256=ad74615b5d256862ab5a39e0f2de098697720477f131c9d23e0feb84eb5fd2cf, - sha256=ae531e01c4b447d0c359f1f560e1385ca9eaf0f8b9e2e401e460138d3862b693, - sha256=ae8af3e049e812d26f5001815de7cf20d74c21fcb013b7b1ea7bac95ea0c71d4, - sha256=af5d3982301079392cdbc9a49380bee3263bf4d2880764663b1ee5282fe1f268, - sha256=b0507186720c3648901c7d0fdb6e6a2c49d26e337de269e297a218405972db87, - sha256=b18834f77db73c92a2b1eac771b7c61b37e2f76d6145cdafbfd340a4db085961, - sha256=b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9, - sha256=b2a4a9e9cd0fbce0d8bb0e6d7bd34aacca346ad20e0835064366a557bba2e20b, - sha256=b3c82c1dbbcdf802412c2ff189b8116324aaa10605be260c648ccc641e69a181, - sha256=b42cdcccb051d01c545545fd81495973fdd758c7d5b7faa5d7dd3fa98f31c173, - sha256=b55b384d5879073363a91c85a9b723cc98f6281c46087ccc41a94f77940c81fd, - sha256=b59c2e678091c29d38b16d7558f6d06bb0f7b926d3aee1c38582dbfb78edd97a, - sha256=b60f40dba25031b65c2ee81748340738b7607179792b0f0ab2c383b822f4bffa, - sha256=b61015f0bd80498627928ee270e0a0e604b52998ff943254072241748c708c39, - sha256=b7dc735524a606b0ee3ccab89eb43be79329dc994026501a3f5ae809597f3f45, - sha256=ba23ee91a54d3da0e2142a90def9ea6ead953621fdbb2c9a568ab68247993b90, - 
sha256=b9c4d2230791ed768840805975a2513ac67ef59e05af75a85230b467afc377d3, - sha256=ba4e57be7998467a7fb5471ea6e6d5ee9d6233de96bf2699efe9e8c45b21b039, - sha256=bb37d80cb884d9499e52e498fdc6e234e0cc972ab16cb5e5859287a02f6e01c5, - sha256=bf8b480cdeeac23e87309d65c95d6528607011796a9b3ad48c4ae29325dd2c93, - sha256=bfa0cd295ca0f66b7a1a1d30b7e9923d8de1bd2191dfe73b16b7a31d6e737165, - sha256=c04095e017a0f3911c40181c5175e5f50f5aff5e3ece9287a4df7a699599db6c, - sha256=c1669b870d0530d4d74f1f5afe58b2954670be9c1f047558f0d0d24809bbf0a7, - sha256=c1bafafaa114d62fc3140b1147dd5e5afc6b003581810306ce9e15621f2bd7eb, - sha256=c2337180084757ac67238cea6bb477ec84210742355d4a02bec52a7fbf3d8511, - sha256=c4e122367f23ca841666dac54c6a42a937e0b8255f7594ded6f4d150fce18538, - sha256=c691c7260a144c141abb520099b6d406e87ef75d16bd74c5f1cea900223cdb9f, - sha256=c7862bcc809a9effd31035b7e92fe57fd368318894874b8239198ee4e0dcbf74, - sha256=dcf90d69b4a83839e6b741986745c373a2c386a1a5518cab19133fda1f7f6e16, - sha256=c7969e2249fc0180887315b88855ce017d4377b6550a2631b3c821f226e9e861, - sha256=c7d0fae10223094c6d09aefac6207fe632b55405f57671e0de06276876f67e32, - sha256=c8d0bbcfda19f38c51dd772e5457b60ff59eb028799dca1fe4ce5d72b281b452, - sha256=cb4aa6105938c53f9f2b2f8e6f5f36bfe96419c56e73cdee53d48f4c393379f4, - sha256=cbf2ceb3c5ebc6f1d8c09f3098176ded9503800cba77cfefa25ea9e0a8085ae3, - sha256=cc00a259ec4ebde015fe0fad59f369ae23def081caa787ad0652f7d6b2fe6de0, - sha256=cc261a096421b7d33dc306496e1a8f4ab37f84188c3d05514ee68b5dfe860252, - sha256=d08285f3f36f0c79df6d4cb82b9b045859d25c96a223c16702b6043ea8950f6e, - sha256=d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473, - sha256=d4e07d9cc1eaa08e84d2679f89829a4e8dec000b6ad1c793c3500df77f746b69, - sha256=d56a6d41ab8dd698a4ed4290f7bc49e49cef37704bcc947104e5c7dc33db8c13, - sha256=d622b2d8d7d33bcc427ced8f3dc2f0458c60131190d401070bc3de8fb3bc5786, - sha256=d6362028ce8ee6c56bc74d2d0192d511d5d18f8ade96a70ee40000c26c0c3455, - 
sha256=d7530b4cea5801c7bf84d8769dc3e6433d9fc807ae492ca39bd008ea365f16f8, - sha256=d7cc9dcc8ae28fc65fe7ca41441231501c455dd6e6f2311ffbc8ca6d134f5ac7, - sha256=dada501a3ecd363542202cb3897f0d0152f1481f8f63436ace881031651f8640, - sha256=dae577c72041d51f181eeb6f2006c96a426ef2814b73252d089d7826c3ae4812, - sha256=dc6439f061339d1addbce55511e88e41081ef6b36c9611e3939d9914bf211e61, - sha256=de36e0af9cd7e32d781be2ab937a7dca33a9f93dcbecd06ff944641e5196c51f, - sha256=df58d81c1f9e99e829b04af328c72cce4fbc6ee848b0c7df150113d9e52c0d49, - sha256=e0bff837ffc9cdaeadec0987da697923356ff7134ddef075325fedfe0f4c910c, - sha256=e0d1f8817a29fcd6e49c38a59b3828bfc9a76a49167e545307b79bfb387d0ec5, - sha256=e0dce2c77838ca85988193df3fdf60a9e8d3124564700a5daaa466cdaf5392fb, - sha256=e0f8597fbde807a20dd853711c5cfda779eb18d389277c4a2db63948202723f7, - sha256=e1431911ef43d4af90f89b0adfdccea150bbcd0fd0eb57907878ec5c4573038c, - sha256=e3f51122f1c4ce17d243e0262e948cf4ee991f3f49e44cb8d276decacf14f3dd, - sha256=e5c752c17a8553d77b0751b49ecdcde62e10978185c9f3cdd7b253a92096b09c, - sha256=e5f6b05e58adcca40c37a12ebd6b930d50d99d6e913fdfa46dc852318940c2b4, - sha256=e6fe3b4fadb70e524e14f05582fbcf5109a1c9e77160a89078d4d6eb09a8a667, - sha256=e75b1a0848b1250d747c6ab6ba1c1fdd13cc7a3b1aafca9638a2ba1d3b958e8f, - sha256=e891320afc71746992cafbe3899c54999838519170e2ba3f1cc57ef5994b085d, - sha256=eaa103a6a63dad21dc2baf4bd6b4d74fc589f4a1371c81899edce25c27f62268, - sha256=eada4d07fcd5f9254873d857f9fd658a160e3b04f3568a295901c0337004622d, - sha256=ebe7bff77210dc2a0abbfd66b0d177199196a7f1b07701ebd4bef9a04bbbc411, - sha256=ec8344a4125b21078498e0eece9384d98601f07f2a5b59d063dad7688102fd1d, - sha256=eccb22533708e9915223c46a48b932ca1707c04e4b47a4371d2f8b1acac3bd2f, - sha256=edd192a65b9a5d7df1076294077e896a872bf8c6c1ab8799415f1ddaf32e0144, - sha256=ef7dab4a3cca0dd55feffc2796a652a08434419da50f3678b7ee59b88f26eb04, - sha256=efdc724800be5d9872770cb1dd346815b4feb534a256b44d43dfc8b72488f05d, - 
sha256=f092b7606233d1512530c5680b4e4ea17212f24024374bfd96061cd7260a0ffa, - sha256=f263cbd36fdf367fc9ef32bd9f80f0f459a0a09a5aff4a8f387e771ae20d31b0, - sha256=f3c880591e06396f588d5b45c599ba6aef1aae4065d0d55b3560e3547242b697, - sha256=f45120409a844d92a030ebd460309bf48e0ba3deeb8fb341b155554be4b03c3a, - sha256=f5022957c6f40fc599a45019a635847b229ad94f5c9e636602f5952f3bb662a7, - sha256=f5a1ebc9c77a22d4907d6ccbf9be2eeba994d35882cbe79955309863c93d8cb9, - sha256=f5fa9ef14b3deaafb1eb040bac64eb4945bae4795723bdfef6a43a04339f70ba, - sha256=f85e2a0cf2bf6c8f5c7657fbcd3fff12a72385d2b1382994f75853566812b0a3, - sha256=f8650a0f5e6f8dcaa40fec55f5ae8e3a299f7a085557fea4eafa44ce6bbda06b, - sha256=fa21fa9b327cab8e4d615ab196b9da0156e5ebadf9fa7f7af2da83dbed1067fc, - sha256=fa244cc3fa7784bd21fc95a6e7a311686b6875ba0b770a1e6383481edc95973a, - sha256=fa40bc120367a0035e72eccef07576cb16ff36b08dd051e751a481de1f2dbf9f, - sha256=fb93b35a327f72fbda95a1f785e658a938fe86086f232b3781333551742e1641, - sha256=fbcaf5798179ba00092f98c6edb5bb86414970c61e059cfdf5ab3ac8d3fc16a5, - sha256=fc25ed1a9b3d16798d3a105e22dd484693a5452c1419f94a58e22a5388891504, - sha256=fca010ff672c62a6c92f94a12b78fa1e019f37cc0dfc622e29813991e6875ca7, - sha256=fcc5d7800d4b249f6f3b3a083c4ae1d626a7e97b0364afcb499064e882b66b28, - sha256=fd65a36e69c42ab79d3511669560c83de0aad638a178029363aff56afe144911, - sha256=fe810f2f7406764ede9dbed620a2c029755bc3459d2712f6b2e45030edb8aa43, - sha256=ff6afa0a84c58aa0d8a64df82680040ab58bf50e1cd2a8eb3e317f7f47843ecd, - md5=0e470dbc439d9e4dd2d21356c7bb2ff1, sha256=ccf57b07f8ba315a9b94342e0ec76d38e0095249e38b2e2b4a005fc199d12181, - md5=2cd47fa043c815e1a033c67832f3c6a5, sha256=03d2efb0706bab18e7b594b985f20bd316d9e074dc3906ebefe7ab4baffe5722, - sha256=05ae5ba43084943a2366f64d6ea6495a18cbf52738a6109de317e09629723783, md5=a933350d1a85cf3797edd973ca74c44c, - md5=9e87ffa15d95120a3f4c94e945bf4479, sha256=07177a2cc9ea981ef0d694eb9ef15516a9da72efa4a2f18cad65532fd4d1e190, - 
sha256=0a0dcf40a73e7f7a00a488367b7b0cadc4ff3ac7818cf22a46cd3e24ff5cf6e3, md5=e4c95706ca9ca1f557526e6bb6442743, - sha256=8e521953f01b56f163a5d7ca777cdbef86f1d9291bf994d3ba35cb0e89729da0, md5=b0317c8a9682b5cd58eb6644cd15afbf, - md5=f9136e384b87d4d1afc9628498bfd212, sha256=15dc5d3ff1b6a02a897f1ab58f1aa6411f79479e7b04fc8b96f12db2c6c69d43, - sha256=d5c70041e09a2304f4b9fe55ff804d72947e3bfa22b200312d2eae1ca60423bf, md5=5362ee03faa36cb4df3995b084785a49, - sha256=18d82eb444dd427953ad3bf5dcb5aeb8913d785320009891dd0e71500a07626e, md5=5b0092ed2396c3bd3b4369a6d64ff8d5, - md5=86cdb103bee8f4f4e4bb432e59bb138d, sha256=91e3a3d0cb48bbc343badd86994ebf1858671fd1a9408534e60bbca47198c45e, - md5=dffa1c92c00a5b0366971806315d888c, sha256=1e7785fad31758029e909c287e5f1798639ec48d4431a45a12b6701cd6e33270, - md5=340f978f88bd6dbd5bf1c7a58db870ee, sha256=23b0b54d1383b9ac94376ea8bbaf0b300cefab64ee61053b50c8553a4a7ad93d, - sha256=7167bf5b03b02439900fe494f21ecaa00127e039e5f43c2814882c9b543b61fd, md5=52fab4aba90af6988e653d18facd533a, - md5=de9b6ac899e7fc69f55a36e15bcd05fe, sha256=2a4a5dd292f61bc749a25978da5db1f25a1b399a6d739305a5625c9c3c430918, - sha256=e11a0afc8d50c55f0c879bd0c9e5a0e3fe218fd47a30fd4128f4cbf5f817dd65, md5=b6c491a32a67abeaf5119b1e1658cbf5, - sha256=ff4a8be4e90fd047718103a1527a2d0a452f76fdbd2c18de9d98d7c2ab4926c6, md5=e72b904ddbeb179c52fd89afd403808c, - sha256=4e4e85c783e001bc88e531428589550291cfde824a12368765dd7cca701f904a, md5=7fda7755e86e281b99e6a26b2c8e3a3c, - sha256=368e1391adb5f1c558033a5eb1436fc16661924e7016b56d94dc19defc21d9e3, md5=81c264a95a2a254a5a3aed4b39eeab80, - sha256=37f4db3ec19120703cdfc716656e2af547088802c264bcaa34806cb4b2612d19, md5=0d8c3c4c423a1d4f37d3e60828a45bcf, - sha256=39a55348da6772b444792bb09282c7450010850442d6c00b7a8f04a9eaf96226, md5=67ac5211c5815c7efeccb748c0a1748f, - sha256=42c18f233d6e89be69298fecfc935b14a0d69447a22e2a3195e50131261b038e, md5=ee0d1ad887302e80e5ec85ff356de25f, - sha256=43ab8d538551ee2d920b1780bced4a7e97a3e9cf8d6f47b6634219120c1ca3de, 
md5=abe3e54a3613d116838d60717005f335, - sha256=4b42ed6bfed1bd64fbcc07e4ef108ae715802d54f2d7b1268aeab39d8a2966e8, md5=d60d347b92e1af41287c54a0914b0c7a, - sha256=5287ce4a9e8c523486887ca8da6134aec32d3a6cf6e77a0617b3ae1dd3193162, md5=39d074da85b9c76311c2845b4578ccde, - md5=4eb0e36642aedece1a37c769e012327a, sha256=5aec1bdb65d91129f58844c126bd3e3f324b1db33b400a875497c10fd08f031d, - sha256=d2b4c65b6c4d7085f6362ccdde01c0e5801393ccfd27d3ee1883b23e61d49921, md5=589ee363882e3928f66cf7b837bad87c, - md5=19f8c902304415c9489790a0ba0ec86f, sha256=5eeb62aa52a36d263ab636ca89ff9d2b208c49aa7da6f2d9053364fa7e970f96, - sha1=7970c2029edbb83e6bd65073be18684ac9ff3f48, sha256=60ee569d82800e734e8202fb63118174d7ef7cdf75c078f0ceb19d5d80975f56, - sha256=a3a4b56daac71b1ce0b62f548c200323e603555438c7fb1452268bca37c8e94f, md5=a3f6c84d59cca3bf307367052516f5ab, - sha256=6b143ed5a1c3865302656c7efa3b4f4806ae208fd995167617bcc49677601d13, md5=6f1edfb348c95f54b26b789c5c0862d6, - sha256=6c86bdd53a414f6522501d54738ca618f8dfccb4c31ad80618aad4934f1aecc5, md5=090efd65e3d48dcede34a8f086aea95f, - sha256=777892a4b1b38fb5895f899e08b10c32ffb55cda03615d8e1844b22c002da446, md5=375ba8def4e675d2dc93336e56de93f1, - sha256=7d597bb449c2f24194319179e51fcaf3cdcbb0464319c113e233a7b9eda3e57a, md5=751e57280863e817fc9be2ebcbefab43, - sha256=809204d2979b2018756ca18a0d6a33812c96c3b6cfeff4788f705fb976c5b026, md5=fe9112c3a3eac3347e039b2736b0234d, - md5=a5c3210d8a48c157a6878c927e9ab298, sha256=816276f8a28efd4134c8bba50f2a4271ddda713706f9e805701f3b15a1318e77, - sha256=8a9d1cf4089c57e19bbeb819b57cd3a458d067d65dc03d39c25dcc35cc9ce229, md5=c20517ab558a9dc90a2795945c7e97bb, - sha256=9c843456235244f095b5e021ca82e4805cd94ac732ae8b7a35a021f18117637c, md5=f273b648551ae369a1d767cb8954fbc7, - md5=99a9950fed7b1d95c81a34479cfbefe2, sha256=f6af00a58dfd72806fcf6b9549cd9c871c127410e7b84d92acb734c16054bc73, - md5=97de0f3158a4cd79332a65946ad1fa0f, sha256=be1bd8d34829f7087209c8ef55d3f8c87a048519e859a89bc92de6f9680aff0d, - 
md5=3c951c47054dae7d8cf6d7734bb18d5f, sha256=c0ed712baa4ff2bcdb8df1f7d52328bc10c629f0ee6d314d816cf6bd4ed59350, - sha256=c65cf347f560bdefdaea56eaeddbe94ef8ff32da132939d9cf5c40c4fd173908, md5=ae6c97426d51968e4ea8fbf1a257086c, - md5=bcefebc9332faa7344a2c9f6c3749f77, sha256=c68b80b60bd6648b1fe8092a911fbbdb376b8fbbd6b884875fb13ad87c7c7ac1, - md5=76735f37b51b311760231d72c47c19a5, sha256=d26905886a1f3e12a5af7e473ef805a346b8c89f68a2855128745b26212f78d6, - md5=bfcc82acb81ee1b7e3db743b64f95e74, sha256=d825098c3ec079b7b309155ed35e1e6e59c6bf1ef2144f6ef2a553033a204a54, - md5=40bfc938b9af6a10b5f8b3b4398e4941, sha256=d84490b501877d621d3bb83299b2b5c3cc49414d6cdb685f0f30d08face21afe, - sha256=da3a95d70153f65481b2ddaf4555ca680183db970a042181af023ad6b11544d0, md5=9db6399aa2b7a1b51a8e22badfb28038, - sha256=dc204e1b625a80b71bdabdb6bc9904cda994e6ad2b669efbfbc245c2f9044f23, md5=76cbe7285d359b94fa187d4a0248fddb, - sha256=df8049f5d37d2099ecf39ede46f5d3a9d96b17dd2b0b3819ec9e6762bc1127bc, md5=402b3d38589286f4a2cedcac64921325, - sha256=dfe9ac9d0d6304a92daaaff1b65178ed1e62cbac44583b773cb1292051c21cfb, md5=98ec66814e23e9b7a397c9e963bd6058, - sha256=e2f48a73e05008fdc0391d8f982cfb44c3b8eca591377179bb53059879fd1430, - sha256=ea9d43358580e77ba214782691e1d2a4a258efc5c22a9e9dd526aa0649419ba0, md5=c990048c9793413bd33973486b91e57f, - sha256=ee231cb499908ddca8cba88cd674f9e30931457363eec6100734363772005548, md5=a1f03eedd789a0a461a24566b6c35aea, - sha1=a6fd37588684d6da697e9a56880f9f2b49ce5ee3, sha256=ee4e7f4fbfe7fee56f16b21eb0e33833e67f53ce020d0f8b6d0d58b646afd78f, - sha256=02207bd351797f35a127b08d3efd6ef7f1335888fa3a3a22d21f9b8b10b41700, - md5=9375cff0413111d3b88a00104b2a6676, - sha256=085a5ea0e085c1ec078df7771d6d4796a0d595b1c88d104568a37544c5bf4652, - sha256=08b302febb6fee2f577bb42cc0dc2683bec71ce5e58a17587fa19e09692de5c1, - sha256=0ac7b4738db9ba0bf36fd8b0a26b03c0e6bbc705de0aac02f427b62fd8858d4a, - sha256=0dd890ccee2823c77b7b8417e1eadcf77e47177812ad715b59531386738c79ab, - 
sha256=187cd18caa83a2a938e801288eeb95f2475f9efe97ab62a42314d7cdfc88b33d, - sha256=2b1b8be71aeb2a4b42444bc53bf660c76a5d4ccaaaffb92b602cc6ab0366202d, - sha256=3301f2b58611f44949aa360520806090aeabd3eb88cfbddce254579ff7966e04, - sha256=337ea5023b686cef1161d504abcd0e313eac5bfb586738a7a99d005f3899db77, - sha256=3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e, - sha256=3e9dc00f7570354ba5099d43f1df7e6c6703632f24e57d8a58c5d0bbe1f61e4d, - sha256=4af6877b9e52c8ce27aadf8d95429dc5fbcbbe663a3bff94367aafabea6327a8, - sha256=4cfa85c4c0f8f87d50db5aad247599d099816582e67bdff21877af254f3e52de, - sha256=508d8872ec6b59c7583991947baafc80cc0788fad7d0215874360bb48523559e, - sha256=5288fb718ebc59210f968c247ea263159bb14c8b1e336dae9ddf17d85edaa418, - sha256=5cf2e959a847aec8f88ae72498de80f943385f2a82f06cf7bb71d12c5b49d2b9, - sha256=62919dc688726421395003025abf1bbcd405048fb5b7c544139a538e5bdc45b0, - sha256=62cb60775d9215595457d37fd5a8ecc52d0c8474948a3e20acf5e1b01594e239, - sha256=6bb9fcba87faf95868f5480586f55e97c3734019503aa9bdd6972cf93bb4d102, - sha256=7ce13f8eff2d3bc5aedbb0b624b9aef6ae0e0391414d5c345b0d2db139290787, - sha256=8dca20407ba9cecc0a6d87adafbcccebc37d865caedee29af0e54f718f150966, - sha256=93b533bc390adceda0347abfd1c1c65682b20a22c19483a1ebd30918acbbfd96, - sha256=9793a21d1a2074106d2123fdf40c23a57aab35f7f0afe2eb254d888fc5abe5f9, - sha256=97dc03d1700efcffed27aad93ec05b36a404a6919f93f6c60e95e5c4a9d65cd9, - sha256=9e0258a3894bd522fe9e21b89074c24014605e9ffb767121180f3d75db12f8ef, - sha256=abcdcdd4493167cbb3ba78c04424355d069c930b4f56a3386af8e9b45c40ed16, - sha256=b51ebd58f411ad5fa6724005ab27bb23b4c4d7c15d4d54e066fd55055ef87a9f, - sha256=bd25e7c40ce4856973e988f5e86804ad945191ecce1c095b3ac354101870e5e5, - sha256=c6c5b09801e1b072f9fc1c0ae1bda204137be1d194eb6187f5f1948543dced4a, - sha256=cf367483090fca26a20295f8696bb2b78952bb340d54cf146009a3bef4a0adee, - sha256=d51c29ad01d4f7a479b2e8797ff8a086ddd461de33d3e2ba39f5cd226d5c267c, - 
sha256=d78e3e77e039c6206c59d8de22d5bc897af8eed615e13bd0af33f067e14b8b07, - sha256=daf3764587bb8a9fe64c03699faf852107df6e9abc840b30be4fee77eddd7da7, - sha256=dba94a0f18f503848c9e2fc452b8bbb5684c49b97e05b83fc159602ef3c970e7, - sha256=dbc2d8f4e0808059c5e5481ae74393598e5265167e708b267d907874bd7381c6, - sha256=e4348ea6b4e98e96760105b7b9c9612370ac3a338bdca989e98fff87612c4d3d, - sha256=e9b07ed4490fea74cf5b0bb98bbe1f3d0262f68f3df3bf32ab2df978a1005969, - sha256=eb287ca6bc137141d82775a34ad1cd2f2aa10a22defae90c113a74ed38dda208, - sha256=ede149b1de958af88945f4744c1d95584615686a6db9d914069c0c7227ebe56b, - sha256=ef136083843810fb5fbb2fdb4ae38aa5403c765535ee77c4d2169442ac1e1ebc, - sha256=f30f6678ae4d09c772c58422885ccb19993e5b3a60829fda5d2952f6ad1bc146, - sha256=f5a5e69528ddadb7b7345238884a622eb259728d9c5c1ac69476e5b7af2c545a, - sha256=f63faeb1bc31fd54621fb2fbcf5430682af5a97e17ae97b4363c42643072b8b0, - sha256=fa401a2b2a81beb78852587e2c717cf8a7f623b8ac2f55bc399609428f6237b6, - sha256=fb26dcd89930afef0012125087704a3564d8ef0a37c3c6c021b42071ad273ceb

Title: Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604)
Link: https://asec.ahnlab.com/en/85000
Summary: The AhnLab Security Intelligence Response Center (ASEC) has identified ongoing attacks exploiting CVE-2023-46604 in Apache ActiveMQ, primarily against unpatched servers in Korea. The attackers deploy Mauri ransomware alongside coin miners and Quasar RAT for remote access and data theft. Exploitation yields remote code execution by making the server load an attacker-hosted XML configuration (likely the pocw[.]xml file in the URL list below); from there the attackers create backdoors, enable RDP access, run arbitrary commands and keep control of the infected host. Installation files found on the download server suggest Chinese-speaking attackers.
Threats: mauricrypt coinminer cobalt_strike andariel_group hellokitty ladon_tool netcat_tool anydesk_tool z0miner frpc_tool quasar_rat hezb mimus
Indicators of compromise:
-------------------------
ip: 18[.]139[.]156[.]111
domain: 
url: http://18[.]139[.]156[.]111:83/pocw[.]xml, https://t[.]me/calojohn666, http://18[.]139[.]156[.]111:83/Google[.]zip, http://18[.]139[.]156[.]111:83/a[.]exe, http://18[.]139[.]156[.]111:83/brave[.]exe, http://18[.]139[.]156[.]111:83/c[.]ini, http://18[.]139[.]156[.]111:83/chrome[.]exe
hash: - md5=07894bc946bd742cec694562e730bac8, - md5=25b1c94cf09076eb8ce590ee2f7f108e, - md5=2c93a213f08a9f31af0c7fc4566a0e56, - md5=2e8a3baeaa0fc85ed787a3c7dfd462e7, - md5=3b56e1881d8708c48150978da14da91e

Title: APT-C-08 (Manlinghua) Organization’s New Attack Component Analysis Report
Link: https://www.ctfiot.com/219079.html
Summary: APT-C-08, known as Manlinghua (the Threats tags below map it to Bitter), is a threat group with ties to a South Asian government that attacks neighboring countries, focusing on government institutions and military organizations. As documented by 360 Security Brain, the group phishes with emails carrying compressed CHM documents; opening the CHM creates a scheduled task that sends basic system information back to the attackers. Follow-on components include a shellcode loader and a file collector that download and execute payloads, principally the open-source C2 framework Havoc.
Their attacks consistently rely on enticing users to open CHM documents; persistence comes from malicious commands embedded in those files, and built-in system commands are used for further activity.
Threats: bitter_group kiwi2 kugelblitz havoc
Indicators of compromise:
-------------------------
ip: 173[.]46[.]80[.]38:80, 72[.]18[.]215[.]108:443
domain: ebeninstallsvc[.]com:80
url: http://ebeninstallsvc[.]com/uplh4ppy[.]php?mn=machine, http://ebeninstallsvc[.]com/uplh4ppy[.]php, https://www[.]sporcketngearforu[.]com/dune64[.]bin, https://www[.]sporcketngearforu[.]com/shl[.]tar[.]gz, http://www[.]goalvaidclub[.]com/oct24[.]bin, http://www[.]goalvaidclub[.]com/shl[.]tar[.]gz
hash: - md5=fd5f2cf4b8df27f27dc2e6bddc1a7b2e, - md5=88c9cfcf76a94c34b85eb1f07b197ffe, - md5=551946ef51f09df63feea377335a211f, - md5=ac808a0f7eaea2b267e68b56ec868d60

Title: Anatomy of Celestial Stealer: Malware-as-a-Service Revealed
Link: https://www.trellix.com/blogs/research/anatomy-of-celestial-stealer-malware-as-a-service-revealed
Summary: The Trellix Advanced Research Center has analyzed Celestial Stealer, a JavaScript-based infostealer sold as Malware-as-a-Service (MaaS) through Telegram. It targets Chromium- and Gecko-based browsers, applications such as Steam, and cryptocurrency wallets, and uses heavy obfuscation, anti-analysis checks and code injection to evade detection.
It has been distributed under lures such as a "VRChat ERP" setup package (see the Discord CDN URL below), can be customized by subscribers, and reports to two command-and-control (C2) servers while stealing cookies, saved passwords, browsing history and other sensitive data.
Threats: w4sp babel_tool junk_code_technique typosquatting_technique fakecop growtopia process_hacker_tool megadumper_tool
Indicators of compromise:
-------------------------
ip: 
domain: capguru-solver[.]com, zerostone[.]discloud[.]app, gonnacrack[.]discloud[.]app, nodeupdater[.]discloud[.]app, spinit[.]discloud[.]app, python-developers[.]net, counters-strike2[.]org, unity-api[.]net, now-here[.]fun, prnt-screen[.]com, api-unreal[.]com
url: https://nodeupdater[.]discloud[.]app/Node, https://cdn[.]discordapp[.]com/attachments/1257095872119050412/1289229793019035658/VRChatERPSetup[.]zip?ex=66f8104f&is=66f6becf&hm=c7644bcbfb336dbd7ba6cc1d23799884d6063563c8258f08f5ee0079f3fdf798&, https://python-developers[.]net/ex, https://python-developers[.]net/dc?celestial_customerId=
hash: - sha256=74c28e5c79639e2e653c8e18e64e488fec3337f29be3a450b93d6a2559e4669b, - sha256=5a6638f509e7b6dd1a8df35cc705531cd94f25e0346c13e54f4f8731f1c3651a, - sha256=3c3c144a31c283e5e3296967515af01b0dd99954b0ed4124041cfdd8a8c90978, - sha256=d4f3fc469e10c9a2fec6f266285556a21a84e39ff76488d3f502545dcd316d5a, - sha256=2992586924a5cf67f918b38339d74df62ea5dcd90a38d78110a7aa4f9c974548, - sha256=61c0610c84a0c75aee1f5d97d24cce2995834f177aa423f9509554017bec3cee, - sha256=04debe522bc88e152d840a727bb0c6516994896d5bd74e3a48c89e2ef4c8e730, - sha256=a8a302a3299a778cdf5cacbc54057d681798baf4899c26427599a37ee681e857, - sha256=f31bbd1a2a16bcdd990e6332a41c9b473d0437b669a04678e4d0ef06d5dab781, - sha256=6802c39e0be7b82eaa25b98b061e324e812281f4fdd6a7ff05dcd9370ceb886e, - sha256=ac16f44c05bb5e800f1cbd66a1256e717652f2244c99074300d8f64bec2503f5, - sha256=bc609bdadaf2beb8e4a0fd8aad10145f2d31bc27a8f70e40187e4f58f7e152a0, - sha256=26f89cee38263c449c8e154c8b35768593e8171c30dd638328c16294ac36f18d, - sha256=52180322da77c5fd2ecf33b692dee89c3d9391ddb15b40ec93b94db9f26833ed, - sha256=c65dd9691bbc93805ac6a1c755000075546843293f5695cf8f8719e0563db3d0, - sha256=e8284902c9d1c3d28ebfda230acc509ef5be47786590d3d647818d205a4a78f9, - sha256=c78fb7d3eda7014a84ee4618b3e28b1f5551f8e487b29a7179aebb219eeb0877, - sha256=19251875426af36307335bdeaeb770079f6ebfb095aec6f70eebb2145559ac0f, - sha256=5c97a829fecf7a0aa989b976bfe37759a2ad65ebbcacad39a2876955b16c2ad8, - sha256=1b3526c18894b0b120dc5cfd691da7aaba6e6db94dbe99d3d2d6da41e7bb4eab, - sha256=13f8ad68dce69c845801ea016feb4644c771b5193971cf631af07fb3a816ca02, - sha256=5fc66fa832517bae0ee3306def7ad55081a409d380d72f1c6c36362a9cbbc3be, - sha256=c70601eda62ac6a9b9135f9273299f90b443d8d11dfcfec4f836fb9da07a9dfa, - sha256=0b44254d019ccc1cc197741396c4cb70e2e3e9f6a7139cb661f8b98adcbf7a60, - sha256=cd5c8dea6e20e80bee93d3e3fc3e1a841fdbad316b444c8e79cced619d6d1e5b

Title: Black and white: Glutton Trojan lurks in mainstream PHP frameworks, secretly invading for a year
Link: https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks/
Summary: On April 29, 2024, an advanced PHP Trojan named Glutton was discovered spreading the ELF version of the Winnti backdoor. Detection began with suspicious activity tied to IP 172.247.127.210; the investigation revealed that Glutton steals information, installs backdoors and executes malicious code inside popular PHP environments such as the Baota (BT) panel, ThinkPHP, Yii and Laravel. Its modular design, with several components chosen for adaptability and evasion, has been used against systems in both China and the United States across various industries.
The campaign notably targeted black- and gray-market operators for financial gain, with capabilities covering data collection and modification of PHP code on the victim. Despite similarities to the Winnti backdoor, attribution of Glutton remains uncertain because of technical weaknesses unusual for that group, such as unencrypted communications and unobfuscated samples.
Threats: glutton winnti_group hackbrowserdata donot_group
Indicators of compromise:
-------------------------
ip: 172[.]247[.]127[.]210, 156[.]251[.]163[.]120
domain: thinkphp1[.]com, cc[.]thinkphp1[.]com, v6[.]thinkphp1[.]com:9988
url: udp://v6[.]thinkphp1[.]com:9988, udp://v20[.]thinkphp1[.]com:9988, http://v6[.]thinkphp1[.]com/client/bt
hash: - md5=ac290ca4b5d9bab434594b08e0883fc5, - md5=3f8273575d4c75053110a3d237fda32c, - md5=c1f6b7282408d4dfdc46e22bbdb3050f, - md5=96fef42b234920f3eacfe718728b08a1, - md5=ad150541a0a3e83b42da4752eb7e269b, - md5=ad0d88982c7b297bb91bb9b4759ce0ab, - md5=17dfbdae01ce4f0615e9a6f4a12036c4, - md5=8fe73efbf5fd0207f9f4357adf081e35, - md5=8e734319f78c1fb5308b1e270c865df4, - md5=31c1c0ea4f9b85a7cddc992613f42a43, - md5=722a9acd6d101faf3e7168bec35b08f8, - md5=69ed3ec3262a0d9cc4fd60cebfef2a17, - md5=f8ca32cb0336aaa1b30b8637acd8328d, - md5=00c5488873e4b3e72d1ccc3da1d1f7e4, - md5=4914b8e63f431fc65664c2a7beb7ecd5, - md5=6b5a58d7b82a57cddcd4e43630bb6542, - md5=ba95fce092d48ba8c3ee8456ee4570e4

Title: Analysis of Nova: A Snake Keylogger Fork
Link: https://any.run/cybersecurity-blog/nova-keylogger-malware-analysis
Summary: The article, by Mostafa ElSheimy, analyzes Nova, a newly discovered fork of the Snake Keylogger family (itself first identified in November 2020), and its credential-stealing and keylogging capabilities. Nova uses a protector written in AutoIt and heavily obfuscated code to evade detection.
Nova targets several browsers and email clients, notably extracting data from Google Chrome, and exfiltrates over FTP, SMTP or Telegram. Written in VB.NET, it collects a wide range of sensitive information and queries a geolocation web service (reallyfreegeoip[.]org, below) to determine the victim's location; its source code explicitly references "NOVA". The analysis was performed in ANY.RUN's Interactive Sandbox.
Threats: snake_keylogger credential_stealing_technique spear-phishing_technique process_hollowing_technique dotnet_reactor_tool credential_harvesting_technique
Indicators of compromise:
-------------------------
ip: 
domain: reallyfreegeoip[.]org
url: https://reallyfreegeoip[.]org/xml
hash: - md5=9375cff0413111d3b88a00104b2a6676, - sha256=68f5247bd24e8d5d121902a2701448fe135e696f8f65f29e9115923c8efebee4, - sha256=afb1dae7a6f2396c3d136e60144b02dd03c59ab10704918185d12ef8c6d7ec93, - sha256=66dbb9c8deadea9f848b1b55405738d8a65a733c804f1444533607c20584643e

Title: Attack Exploiting Legitimate Service by APT-C-60
Link: https://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html
Summary: In August 2024, APT-C-60 attacked a Japanese organization with an email posing as a job application that linked to a Google Drive download. The download was a VHDX file carrying the SpyGrace backdoor (version 3.1.6), which establishes persistence through COM hijacking.
Similar campaigns were seen between August and September 2024, showing a pattern of abusing legitimate services and a focus on East Asian countries, and pointing to a coordinated, ongoing APT-C-60 effort in the region.
Threats: camouflaged_hunter_group com_hijacking_technique spygrace
Indicators of compromise:
-------------------------
ip: 103[.]6[.]244[.]46, 103[.]187[.]26[.]176
domain: 
url: http://103[.]187[.]26[.]176/a78550e6101938c7f5e8bfb170db4db2/command[.]asp, http://103[.]187[.]26[.]176/a78550e6101938c7f5e8bfb170db4db2/update[.]asp, http://103[.]187[.]26[.]176/a78550e6101938c7f5e8bfb170db4db2/result[.]asp, http://103[.]187[.]26[.]176/a78550e6101938c7f5e8bfb170db4db2/server[.]asp, http://103[.]187[.]26[.]176/a78550e6101938c7f5e8bfb170db4db2/listen[.]asp, https://c[.]statcounter[.]com/12959680/0/f1596509/1, https://c[.]statcounter[.]com/13025547/0/0a557459/1, https://bitbucket[.]org/hawnbzsd/hawnbzsd/downloads, https://bitbucket[.]org/hawnbzsd/hawnbzsd31/downloads, https://bitbucket[.]org/ffg84883/3r23ruytgfdxz/raw/8ebddd79bb7ef1b9fcbc1651193b002bfef598fd/cbmp[.]txt, https://bitbucket[.]org/ffg84883/3r23ruytgfdxz/raw/8ebddd79bb7ef1b9fcbc1651193b002bfef598fd/icon[.]txt, https://bitbucket[.]org/ffg84883/3r23ruytgfdxz/raw/8ebddd79bb7ef1b9fcbc1651193b002bfef598fd/rapd[.]txt
hash: - sha1=fd6c16a31f96e0fd65db5360a8b5c179a32e3b8e, - sha1=4508d0254431df5a59692d7427537df8a424dbba, - sha1=7e8aeba19d804b8f2e7bffa7c6e4916cf3dbee62, - sha1=c198971f84a74e972142c6203761b81f8f854d2c, - sha1=6cf281fc9795d5e94054cfe222994209779d0ba6, - sha1=cc9cd337b28752b8ba1f41f773a3eac1876d8233, - sha1=5ed4d42d0dcc929b7f1d29484b713b3b2dee88e3, - sha1=8abd64e0c4515d27fae4de74841e66cfc4371575, - sha1=3affa67bc7789fd349f8a6c9e28fa1f0c453651f, - sha1=fadd8a6c816bebe3924e0b4542549f55c5283db8, - sha1=4589b97225ba3e4a4f382540318fa8ce724132d5, - sha1=1e5920a6b79a93b1fa8daca32e13d1872da208ee, - sha1=783cd767b496577038edbe926d008166ebe1ba8c, - sha1=79e41b93b540f6747d0d2c3a22fd45ab0eac09ab, - sha1=65300576ba66f199fca182c7002cb6701106f91c, - sha1=d94448afd4841981b1b49ecf63db3b63cb208853, - sha1=b1e0abfdaa655cf29b44d5848fab253c43d5350a, - sha1=33dba9c156f6ceda40aefa059dea6ef19a767ab2, - sha1=5d3160f01920a6b11e3a23baec1ed9c6d8d37a68, - sha1=0830ef2fe7813ccf6821cad71a22e4384b4d02b4

Title: cShell DDoS Bot Attack Case Against Linux SSH Server (screen, hping3)
Link: https://asec.ahnlab.com/ko/85070/
Summary: The AhnLab Security Intelligence Center (ASEC) has identified a new DDoS bot named cShell that targets poorly managed Linux servers through poorly secured SSH services. Found through honeypot monitoring, cShell is written in Go and drives its DDoS attacks with the stock Linux tools screen and hping3. After logging in, the attacker installs an additional binary called "cARM" (see the URL list below), registers it as a service for persistence, and issues DDoS commands (SYN, ACK and UDP floods, per the tags below). The string "Test" in the source suggests the malware is at an early stage of development; it contacts a command-and-control (C&C) server for instructions and updates, and relies throughout on existing Linux utilities rather than custom attack code.
Threats: cshell zipper atmosphere synflood_technique ackflood_technique udpflood_technique
Indicators of compromise:
-------------------------
ip: 195[.]178[.]110[.]6, 45[.]148[.]10[.]176, 45[.]148[.]10[.]203, 45[.]148[.]10[.]46, 51[.]81[.]121[.]129
domain: 
url: http://51[.]81[.]121[.]129/cARM, http://51[.]81[.]121[.]129/sshell[.]service, https://pastebin[.]com/raw/2AhnDGts, https://pastebin[.]com/raw/7beUg9vK, https://pastebin[.]com/raw/8kGSNMFr
hash: - md5=29d6ef7365c18d243163a648fa6cd697, - md5=cd8bf4ce178ef5ddac77933d03ffb381

Title: Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercrimals.
Link: https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en
Summary: The cyber threat intelligence report from XLab's Cyber Threat Insight and Analysis System (CTIA) details anomalous activity detected on April 29, 2024: distribution of an ELF-based Winnti backdoor from IP address 172.247.127.210. The investigation uncovered a new PHP backdoor, Glutton, able to infect various PHP frameworks, with a data exfiltration component and modular payloads such as task_loader and l0ader_shell. The command-and-control (C2) server, 156.251.163.120, stayed active throughout the campaign; infections were seen mostly in China and the United States, and the operators' focus was on profiting from other cybercriminals' resources.
Threats: glutton winnti_group donot_group hackbrowserdata
Indicators of compromise:
-------------------------
ip: 172[.]247[.]127[.]210, 156[.]251[.]163[.]120
domain: thinkphp1[.]com, cc[.]thinkphp1[.]com, v6[.]thinkphp1[.]com:9988
url: udp://v6[.]thinkphp1[.]com:9988, udp://v20[.]thinkphp1[.]com:9988
hash: - md5=ac290ca4b5d9bab434594b08e0883fc5, - md5=3f8273575d4c75053110a3d237fda32c, - md5=c1f6b7282408d4dfdc46e22bbdb3050f, - md5=96fef42b234920f3eacfe718728b08a1, - md5=ad150541a0a3e83b42da4752eb7e269b, - md5=ad0d88982c7b297bb91bb9b4759ce0ab, - md5=69ed3ec3262a0d9cc4fd60cebfef2a17, - md5=17dfbdae01ce4f0615e9a6f4a12036c4, - md5=8fe73efbf5fd0207f9f4357adf081e35, - md5=8e734319f78c1fb5308b1e270c865df4, - md5=31c1c0ea4f9b85a7cddc992613f42a43, - md5=722a9acd6d101faf3e7168bec35b08f8, - md5=f8ca32cb0336aaa1b30b8637acd8328d, - md5=00c5488873e4b3e72d1ccc3da1d1f7e4, - md5=4914b8e63f431fc65664c2a7beb7ecd5, - md5=6b5a58d7b82a57cddcd4e43630bb6542, - md5=ba95fce092d48ba8c3ee8456ee4570e4

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
The PROXY.AM entry at the top of this digest describes a proxy service fed by the Socks5Systemz botnet: infected hosts are resold as private SOCKS5 exit nodes, largely for criminal use. The entry gives no dates for individual compromises, no response actions, and no attack detail beyond the loaders and co-deployed malware families it names, so the report below is a reconstruction from that context only.
Here is the structured summary based on the available context:
# Incident Report: PROXY.AM & SOCKS5Systemz Botnet Proliferation
## Executive Summary
PROXY.AM is a proxy service built on the Socks5Systemz botnet. The malware has been sold since 2013, first as a standalone product used alongside families such as Andromeda and TrickBot, and more recently (as Socks5Systemz V2) distributed by loaders such as PrivateLoader and SmokeLoader. Bitsight TRACE counted around 10,000 bots when it first reported on the botnet, a peak of about 250,000 infected systems in late January 2024, and a steady 85,000 to 100,000 daily bots for V2. Each bot acts as a SOCKS5 exit node whose bandwidth and IP address are resold to proxy customers.
## Incident Details
- **Discovery Date:** Not stated. Bitsight TRACE first reported on Socks5Systemz about a year before the PROXY.AM analysis; the 250,000-bot peak was measured in late January 2024.
- **Incident Date:** Activity ongoing since 2013, peaking in late January 2024.
- **Affected Organization:** Multiple systems worldwide (Botnet context).
- **Sector:** Cross-sector (as a service powering other attacks).
- **Geography:** Global.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (continuous infections rather than a single incident).
- **Vector:** Loader-delivered malware. The summary names PrivateLoader and SmokeLoader as the current distribution channel, with earlier co-deployment alongside Andromeda and TrickBot.
- **Details:** Once installed, the host enrolls in the Socks5Systemz botnet and begins accepting proxy connections on the operator's behalf.
### Lateral Movement
- Not detailed in the provided context.
### Data Exfiltration/Impact
- The direct impact is that each infected host relays third-party traffic as an unauthorized SOCKS5 exit node. Whatever illicit activity that traffic carries appears, from the target's point of view, to originate from the victim's IP address.
### Detection & Response
- **How it was discovered:** Through Bitsight TRACE's botnet tracking, which first reported Socks5Systemz about a year before the PROXY.AM analysis and later tied its infrastructure to the proxy service. The summary does not describe the collection method.
- **Response actions taken:** Not detailed in the provided context.
## Attack Methodology
*Note: Methodology describes the capabilities of the underlying botnet, not a specific incident.*
- **Initial Access:** Malware loaders (PrivateLoader and SmokeLoader in the current distribution; Amadey appears in the report's threat tags as a related loader).
- **Persistence:** Not detailed in the summary. The bot has to survive reboots to keep its slot in the proxy pool, but the mechanism is not described.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Use of private proxies to obscure the true source of malicious traffic.
- **Credential Access:** Not a Socks5Systemz function per the summary. Hosts infected when it was bundled with TrickBot or Andromeda may also carry those families, which do steal credentials.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Not detailed.
- **Exfiltration:** Not detailed.
- **Impact:** Provision of anonymized proxy services using compromised resources.
## Impact Assessment
- **Financial:** Losses fall mainly on third parties targeted through the proxies; for the victim, the cost is bandwidth, IP reputation and investigation time. The scale (up to 250,000 bots, 85,000 to 100,000 active daily) makes the aggregate large.
- **Data Breach:** None inherent in the proxy function; the risk depends on what else the loader dropped on the host.
- **Operational:** Infected hosts carry relayed traffic, may be blocklisted or rate-limited by services that see abuse from their address, and need cleanup.
- **Reputational:** Abuse conducted through a proxy is sourced from the victim's IP, so the victim organization may be the first party contacted by abuse desks or law enforcement.
## Indicators of Compromise
*Note: IPs listed below are defanged. The complete IP, domain, URL and hash list is in the PROXY.AM entry at the top of this digest.*
- **Network indicators (IPs):** 109[.]236[.]51[.]104, 141[.]98[.]234[.]31, 81[.]31[.]197[.]38, 45[.]155[.]250[.]90, 152[.]89[.]198[.]214, 91[.]211[.]247[.]248, 185[.]208[.]158[.]248, 185[.]237[.]207[.]107, 185[.]208[.]158[.]202, 79[.]132[.]128[.]13 (list truncated).
- **File indicators:** The SHA-256 and MD5 hashes in the PROXY.AM entry. Malware and tooling tags associated with the ecosystem (tags, not file indicators): socks5systemz, privateloader, smokeloader, amadey, andromeda, trickbot, bathnk_actor, boostyproxy, ngioweb, nsocks_tool.
- **Behavioral indicators:** An endpoint accepting inbound connections that open with a SOCKS5 client greeting (RFC 1928: version byte 0x05, then a method count and method list) from addresses it has no business with, and relaying those sessions outward. Workstations do not normally serve proxy clients.
## Response Actions
*Note: Specific cleanup actions for this "service" infrastructure were not provided in the summary.*
## Lessons Learned
- A botnet sold continuously since 2013, re-tooled onto new loaders (PrivateLoader, SmokeLoader) as older distribution partners faded, shows how resilient a proxy-for-hire business is as long as demand for exit nodes persists.
- Packaging compromised hosts as a utility service (private proxies) lowers the barrier to entry for other criminals, who rent anonymity instead of building it.
## Recommendations
- Tune endpoint detection for the loaders that feed this ecosystem (PrivateLoader, SmokeLoader, Amadey) and for the Socks5Systemz hashes in the entry above.
- Alert on endpoints that accept inbound connections opening with a SOCKS5 greeting, and on outbound connections to the listed addresses; inbound proxy clients on a workstation are the distinguishing signal of an exit node.
- On any host flagged by those checks, audit persistence locations (services, scheduled tasks, autorun entries) for the bot, since the summary does not say how it survives reboot.
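As an added example (not code from the Bitsight report or from this digest), the following Python script implements the two network checks recommended above: it refangs the defanged addresses from the PROXY.AM IoC list and matches outbound connections against them, and it flags endpoints that accept inbound connections opening with an RFC 1928 SOCKS5 client greeting (version byte 0x05, a method count, then that many method bytes), which is what a host acting as a proxy exit node sees. The connection records are constructed sample data, not real telemetry; the hostnames and the RFC 5737 test addresses are assumptions.

```python
"""Triage of connection records for Socks5Systemz-style proxy abuse.

Two checks, run over a constructed sample:
  1. outbound contact with an address from the (defanged) IoC list;
  2. inbound connections whose first bytes form an RFC 1928 SOCKS5 client
     greeting, meaning the endpoint is accepting proxy clients.
"""
import ipaddress
import re
from collections import Counter

# Subset of the defanged IPs printed in the PROXY.AM IoC list of this digest.
IOC_TEXT = "109[.]236[.]51[.]104, 141[.]98[.]234[.]31, 81[.]31[.]197[.]38"


def refang(indicator: str) -> str:
    """Undo common defanging: '1[.]2[.]3[.]4' -> '1.2.3.4', 'hxxp://' -> 'http://'."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def parse_ioc_ips(text: str) -> set[str]:
    """Return every token of the IoC text that refangs to a valid IP address."""
    ips = set()
    for token in re.split(r"[,\s]+", text):
        if not token:
            continue
        try:
            ips.add(str(ipaddress.ip_address(refang(token))))
        except ValueError:  # domain, URL, hash or other non-address token
            pass
    return ips


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS>=1, then exactly NMETHODS bytes.

    Heuristic: assumes the first segment carries the whole greeting, which is
    how real clients send it; a greeting split across segments is not matched.
    """
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


# Constructed sample records (not real telemetry): (direction relative to the
# local host, local host, peer IP, peer port, hex of the first bytes the peer
# sent on an inbound connection or the host sent on an outbound one).
# Peers use RFC 5737 test ranges except the one IoC address.
SAMPLE_CONNECTIONS = [
    ("out", "ws-017", "109.236.51.104", 443, "1603010200"),  # TLS ClientHello to IoC IP
    ("in", "ws-017", "198.51.100.7", 7777, "050100"),  # SOCKS5 greeting, NO AUTH
    ("in", "ws-017", "198.51.100.9", 7777, "05020002"),  # SOCKS5 greeting, NO AUTH + USER/PASS
    ("out", "ws-042", "192.0.2.10", 443, "1603010200"),  # benign TLS
    ("in", "ws-042", "203.0.113.5", 80, "474554202f"),  # "GET /": HTTP, not SOCKS
]


def triage(records, ioc_ips: set[str]) -> list[tuple]:
    """Return (host, finding, detail) tuples for the two checks."""
    findings = []
    inbound_socks = Counter()
    for direction, host, peer, _port, first_hex in records:
        if direction == "out" and peer in ioc_ips:
            findings.append((host, "c2_contact", peer))
        if direction == "in" and is_socks5_greeting(bytes.fromhex(first_hex)):
            inbound_socks[host] += 1
    # One finding per host that is serving SOCKS5 clients, with the client count.
    for host, count in sorted(inbound_socks.items()):
        findings.append((host, "serving_socks5", count))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONNECTIONS, parse_ioc_ips(IOC_TEXT)):
        print(*finding)
```

The second check needs a sensor that records the first payload bytes of a connection (a Zeek-style connection log with initial payload, or an NDR platform); direction matters, because a host that sends a SOCKS5 greeting is a proxy client, while a host that receives one is the exit node this report is about.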