Cyber Threat Breakdown July 2023

By: Cymulate

Last Updated: December 12, 2024

Here is the July 2023 breakdown of threats, with a short list of IoCs for each. The full IoC list for each threat is available from the Cymulate app. Reminder: the Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc. Note: the '.' in the sample file names has been replaced with a '·' out of an abundance of security caution, so that the names cannot be opened or resolved by accident.

Table of Contents

The resurgence of the Ursnif banking Trojan
Ransomware delivery URLs top campaigns and trends
Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code
Amadey Threat Analysis and Detections
India Cert Alert - Mallox Ransomware Targeting Unsecured MS SQL Servers
Sliver C2 in circulation through domestic program developers
New Reptile Rootkit Malware Attacking Linux Systems Using Port Knocking
Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer
Ransomware Spotlight Play
First-ever Open-Source Software Supply Chain Attacks
Manipulated Caiman: The Sophisticated Snare of Mexico's Banking Predator
DDoS Botnet Targets Zyxel Vulnerability (CVE-2023-28771)
A Look Into Space Pirates Unconventional Techniques Attack Vectors And Tools
The Turla APT Group Uses Multiple Malware Families To Exfiltrate Data (CERT-UA6981)
Ursnif campaign in Italy
UAC-0006 Distributes SmokeLoader Through Phishing Emails (CERT-UA6999)
Google Firebase Hosting Abused To Deliver Sorillus RAT
FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
Reverse Engineering Walkthrough | Analyzing A Sample Of Arechclient2
Trojanized Application Preying on TeamViewer Users
Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure GCP
APT36 Delivers Crimson RAT Using Pilgrimage Security Briefing Lure
Threat Actor Launches ScarLeteel 2.0
Attackers Exploit (CVE-2023-36884) Unpatched Windows Zero-Day Vulnerability
Infamous Meduza Stealer
Underground Team Ransomware Demands Millions
Threat Trend Report On Kimsuky
Unleashing WhiteSnake Stealer
US Cert Alert - (AA23-187A) Increased Truebot Activity Infects U.S. And Canada Networks
Buddyransome
Operation Brainleeches Targets Microsoft 365 Users
Threat Profile UNC3944
TeamTNT Targets Cloud Native Environments
PhonyC2 Framework Used By MuddyWater
The suspected Maha grass organization uses the WarHawk backdoor variant Spyder to spy on many countries
The DPRK strikes using a new variant of RUSTBUCKET
Decrypted Akira Ransomware
Word Document with an Online Attached Template
New Qakbot (Qbot) activity

The resurgence of the Ursnif banking Trojan

The Ursnif banking trojan, ranked as May's most wanted malware, is making a resurgence across customer networks.

IoCs

Thebgjaficaah3_browsing7Gz·gz SHA1: 73e5dbafa25946ed636e68d1733281e63332441d MD5: 96f9d734c3cfdacceca70187cbc549b7 SHA256: 170e3e987e99867d8b4115b4a2d9dea074acb56383744d469a28c5611adeba22
Thebgjaficaah3_edr7Gz·gz SHA1: 73e5dbafa25946ed636e68d1733281e63332441d MD5: 96f9d734c3cfdacceca70187cbc549b7 SHA256: 170e3e987e99867d8b4115b4a2d9dea074acb56383744d469a28c5611adeba22
http://e9bja.com

Ransomware delivery URLs top campaigns and trends

Ransomware is increasingly being delivered through URLs, alongside the established email-attachment and third-party-application vectors.

IoCs

Ransomwarebgjafibghj14_browsingExe·exe SHA1: f8eb2d6ee0e96fd79876a6a3332aacf834456570 MD5: d65a25b264b93cce242154d00aa670d1 SHA256: 0708d5027c26f96f5bf81b373348346149511a4b9f11391a979159185371bcc5
Ransomwarebgjafibghj2_browsingExe·exe SHA1: 44055a24f0957b4adb3f958e8270e2e513586ca4 MD5: 15dd4bbbddef99b7d49a5ab171bcc76d SHA256: d1ad11b98dd193b107731349a596558c6505e51e9b2e7195521e81b20482948d
Ransomwarebgjafibghj21_browsingExe·exe SHA1: 8f500b68a893bf590c3c998c9d13869ded4bc32f MD5: 50e31a7045c839dc1172daf9e45d5b73 SHA256: ff6d6f616687fac25a1d77e52024838239e9a3bbb7b79559b0439a968ac384fe

Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code

Talos recently discovered a new ransomware actor, RA Group, which emerged in April 2023 and appears to be using leaked Babuk source code in its attacks.

IoCs

Babukbgjahbidgd1_browsingExe·exe SHA1: fb3d23940ad5f9e06be813f182eb7dc2ddd09608 MD5: 15b1147bcc846fe5dd750a3b02b8e552 SHA256: 3ab167a82c817cbcc4707a18fcb86610090b8a76fe184ee1e8073db152ecd45e
Babukbgjahbidgd1_edrExe·exe SHA1: fb3d23940ad5f9e06be813f182eb7dc2ddd09608 MD5: 15b1147bcc846fe5dd750a3b02b8e552 SHA256: 3ab167a82c817cbcc4707a18fcb86610090b8a76fe184ee1e8073db152ecd45e

Amadey Threat Analysis and Detections

The Amadey Trojan Stealer is one of the most prevalent forms of malware and has maintained a persistent botnet infrastructure since its emergence in 2018.

IoCs

Amadeybgjadjegjb32_browsingDll·dll SHA1: 85466c95625bcbb7f68aa89a367149d35f80e1fa MD5: 547bae937be965d63f61d89e8eafb4a1 SHA256: 015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5
Amadeybgjadjegjb39_browsingExe·exe SHA1: a05ccc08270e040508ebc01900249cc04ad391ed MD5: f0c8df176843df1b9b13b849fc8a6639 SHA256: 89d30f7ba7b2af7f519d2fe066700fae723643e25b1859f32c60618956651710
Amadeybgjadjegjb35_browsingDll·dll SHA1: b9c871d12662eb294776bb7eda846eedf681c1af MD5: 076fcb9fd24a6fa50386d9e7cd8dd3cc SHA256: 3d5d48ea2b6f76af583e541602950d89b8d96a13654469df3bc58dcddf879e9d

India Cert Alert - Mallox Ransomware Targeting Unsecured MS SQL Servers

Mallox ransomware has been observed targeting unsecured Microsoft SQL Servers, using them as entry points into victims' ICT infrastructure to distribute the ransomware. The group brute-forces credentials on publicly exposed MS SQL instances to gain initial access to the victims' network. Internet-exposed instances with weak 'sa' passwords are the natural target; restricting exposure of TCP/1433 and monitoring failed-login events (SQL Server error 18456) are the basic controls.
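As an added example (not part of the CERT-In alert or of Cymulate's tooling), the script below implements the kind of check a defender would run to catch the brute-force pattern described above: it parses SQL Server ERRORLOG "Login failed" (error 18456) lines and flags any client IP that exceeds a threshold of failures within a sliding one-minute window, noting whether the built-in 'sa' account was targeted. The log lines are constructed to mirror the real message format; the IP addresses are from documentation ranges, not real attackers.

```python
"""Flag brute-force login attempts against SQL Server from its ERRORLOG.

Added example, not part of the original advisory. The log lines below are
constructed to match the shape of SQL Server's error 18456 ("Login failed")
messages; the IP addresses are documentation ranges, not real attackers.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three sources, one of them hammering 'sa' within a few seconds.
SAMPLE_ERRORLOG = """\
2023-07-05 10:12:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-07-05 10:12:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-07-05 10:12:01.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-07-05 10:12:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-07-05 10:12:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-07-05 10:12:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-07-05 10:12:03.15 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2023-07-05 10:15:44.09 Logon       Login failed for user 'CORP\\jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.17]
2023-07-05 11:40:10.55 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for every 'Login failed' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("ip")


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: {...}} for sources with >= `threshold` failures inside `window`.

    A sliding window per source IP is used so that a slow, steady trickle of
    failures over a day does not trip the rule, while a burst does.
    """
    events = defaultdict(list)
    for ts, user, ip in parse_failed_logins(text):
        events[ip].append((ts, user))

    alerts = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in hits[start:end + 1]})
                alerts[ip] = {
                    "failures_in_window": count,
                    "users": users,
                    # 'sa' is the built-in admin login; brute force against it is
                    # the pattern described for Mallox and deserves a higher severity.
                    "targets_sa": "sa" in users,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(ip, info)
```

Run as-is to see the single noisy source flagged; point `detect_bruteforce` at the text of a real ERRORLOG (or at 18456 events exported from the Windows Application log) and tune `threshold` and `window` to the environment. A slow trickle of failures spread over a day will not trip the window rule, so pair it with a daily per-login count if that matters to you.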

IoCs

Mallboxbgjadhhiij1_browsingExe·exe SHA1: 8a1d92c8e5b7a5b3a6a34137c9eee01f89cd5564 MD5: 70c464221d3e4875317c9edbef04a035 SHA256: 6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330
Mallboxbgjadhhiij_browsing7Exe·exe SHA1: c845638db9e1a24b9e8bacd8d82f2a72476e86ea MD5: c3c590f44df548ce324bfdaac6ec33a6 SHA256: 10eea0c13fd1a782c065627e23e7051edc1622f2eae5fbe138725369c12f4b6d
Mallboxbgjadhhiij6_browsingExe·exe SHA1: 31cc6fa2e174d43e719f21a450bd9a5185054d6d MD5: a5328247106299a6ac54794c345a0380 SHA256: 36269d1892283991a9db23492cd8efcd68af74060384b9686219a97f76a9989e

Sliver C2 in circulation through domestic program developers

This analysis follows two earlier reports on the same distribution channel, "SparkRAT being distributed and included in domestic VPN installation files" [1] and "Analysis of attack cases leading to MeshAgent infection in domestic VPN installation", in which SparkRAT and MeshAgent were found bundled into the installers of domestic VPN vendors. The same vector is now being used to deliver implants for the open-source Sliver C2 framework, with trojanized installers from domestic software developers acting as the delivery mechanism.

IoCs

Sliverbgjadaajgj24_browsingExe·exe SHA1: c2994b2969f315b189a151d545b35a2c8ed6a2f9 MD5: b66f351c35212c7a265272d27aa09656 SHA256: ba4c8e065f601de46ae7844e81921c68726d09345f3db13fb6e3f5ea2d413dde
Sliverbgjadaajgj2_browsing7Exe·exe SHA1: aaec03da8855551b2a02e10a1a854773a59d927c MD5: eefbc5ec539282ad47af52c81979edb3 SHA256: 5b018d8382e33713eba0b60b394e6f69edc0cd20aee7e384f5004403264d2781
Sliverbgjadaajgj19_browsingExe·exe SHA1: cd6e7411730f9a244df83bbc4a1e2384011a4fdb MD5: 5eb6821057c28fd53b277bc7c6a17465 SHA256: 87404431af48f776c9b83b5b57c1ddf43b05c7e986460b1a97473caf3c85f567

New Reptile Rootkit Malware Attacking Linux Systems Using Port Knocking

Reptile is a kernel-module rootkit for Linux systems released as open source on GitHub. A rootkit is malicious code with the ability to hide itself or other malicious code; its targets are mainly files, processes, and network communication. The hiding functions supported by Reptile cover files and directories, the contents of files, processes, and network traffic, in addition to the kernel module itself. Rather than exposing a listening service, Reptile's backdoor component waits for a specially crafted "magic" packet (port knocking) and only then opens a reverse shell to the attacker, so a port scan of the host shows nothing.

IoCs

Newbgjadaaiej8_browsingO·o SHA1: 2ca4787d2cfffac722264a8bdae77abd7f4a2551 MD5: d1abb8c012cc8864dcc109b5a15003ac SHA256: d182239d408da23306ea6b0f5f129ef401565a4d7ab4fe33506f8ac0a08d37ba
Newbgjadaaiej1_browsingSh·sh SHA1: 0c6d838c408e88113a4580e733cdb1ca93807989 MD5: 1957e405e7326bd2c91d20da1599d18e SHA256: 1425a4a89b938d5641ed438333708d1728cfed8c124451180d011f6bbb409976
Newbgjadaaiej6_browsingElf·elf SHA1: 3cc2d6bf5215de3c24fb194c232a0411cede78e0 MD5: c3c332627e68ce7673ca6f0d273b282e SHA256: 4305c04df40d3ac7966289cc0a81cedbdd4eee2f92324b26fe26f57f57265bca

Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer

Cyble Research and Intelligence Labs analyzes threat actors spreading Luca Stealer disguised as a beta version of a Microsoft crypto wallet, delivered from a fabricated Microsoft-branded phishing site.

IoCs

Fabricatedbgjacfeaee1_browsingExe·exe SHA1: 4238700742f6540119fc40f8f001fa1b5da99425 MD5: 2753fea9125455e452e1951295158bc5 SHA256: 480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1
Fabricatedbgjacfeaee1_edrExe·exe SHA1: 4238700742f6540119fc40f8f001fa1b5da99425 MD5: 2753fea9125455e452e1951295158bc5 SHA256: 480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1

Ransomware Spotlight Play

Play is shaping up to be a player on the rise within the ransomware landscape, with its operators likely to continue using the ransomware in the future.

IoCs

Ransomwarebgjacdgace4_browsingExe·exe SHA1: be17fe931305a82c891b7d7bfdecd644b4fb1219 MD5: b311256c0b964724258078affce39f01 SHA256: 5573cbe13c0dbfd3d0e467b9907f3a89c1c133c774ada906ea256e228ae885d5
Ransomwarebgjacdgace1_browsingExe·exe SHA1: 14177730443c65aefeeda3162b324fdedf9cf9e0 MD5: 223eff1610b432a1f1aa06c60bd7b9a6 SHA256: 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Ransomwarebgjacdgace10_browsingExe·exe SHA1: 687a0ee18d18f7c1075b6509646ae2ea95af23b9 MD5: a72b78ad61f7e9cfcebbe444c92a2fc3 SHA256: e4f32fe39ce7f9f293ccbfde30adfdc36caf7cfb6ccc396870527f45534b840b

First-ever Open-Source Software Supply Chain Attacks

Researchers identified two separate open-source software supply-chain attacks targeting the banking sector, both delivered through malicious npm packages; they are described as the first known supply-chain attacks of this kind aimed specifically at banks.

IoCs

Firsteverbgjacahebh52_browsingExe·exe SHA1: 921c5c8d5dd416ae69d880b1af9eb52d6c3ab1db MD5: 58a4f9eed576b9bc14e1a06afd52f00e SHA256: 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
Firsteverbgjacahebh51_browsingExe·exe SHA1: 0f6a8dd9c9651ff94f45d916a3a20d210dc3747c MD5: 494bd8c8d2fbdbbb53855cc1a533a1ef SHA256: 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
Firsteverbgjacahebh49_browsingExe·exe SHA1: 626e4db197fb18f8d67ceba5014d28deb54afa75 MD5: 5a789786e5996cfdceb8866993b02fd2 SHA256: f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9

Manipulated Caiman: The Sophisticated Snare of Mexico's Banking Predator

Manipulated Caiman has been active for at least two years, targeting primarily citizens of Mexico. Based on Perception Point's research, the group's accumulated revenue is estimated at over $55 million, with more than 4,000 victims in total and over 140 in the past two months alone. Manipulated Caiman uses a wide arsenal of tools against victims, though its ultimate goal is access to victims' bank accounts. It employs spear phishing with malicious attachments to deliver malware, including URSA, an SMTP brute-force client, a malicious browser-extension installer, a network information checker, and a spammer client.

IoCs

Manipulatedcaimanbgjabaaibd14_browsingJs·js SHA1: 4de75077763084db3c52692a67976773f30f5db3 MD5: a5dae68f1a5125a3ada5034bc64ada11 SHA256: 45e03985103b25828e3d01a415958639db0aed53564455908dab35c803e69fcd
Manipulatedcaimanbgjabaaibd_browsing7Exe·exe SHA1: 664baee4f00fd5a3ef74185c8597ce6c5a0410e4 MD5: d4d08923c80aee492140795f5393d056 SHA256: 203cc5d525b0583b3db0552fd4af4cfd970bdd8b97ae8d210ee95c4c9f971e44
Manipulatedcaimanbgjabaaibd11_browsingExe·exe SHA1: 41f5559b4ed3c9a23279f87fb0ff8fdea40d0d58 MD5: cf9bcbb9844f34e004044a1b0f3e2cf1 SHA256: 7a7ac75052a6e43cfabbabc30c5b6e01c253a49080a37ada098ee84011c6b897

DDoS Botnet Targets Zyxel Vulnerability (CVE-2023-28771)

Threat actors are exploiting a command injection vulnerability (CVE-2023-28771) in Zyxel firewalls to infect the devices with a DDoS botnet. The flaw stems from improper handling of error messages in the IKE packet decoder and can be triggered by an unauthenticated attacker sending crafted packets to UDP/500. Once installed, the bot can launch a range of floods, including udpflood, synflood, greflood, ackflood, tcpflood, tcp2flood, udp2flood, socketflood, udpconnflood, wraflood, and vseflood.

IoCs

Ddosbgijibiigd_browsing77Elf·elf SHA1: 588ed1ba11384f855d23c4d272bf1b5c5b5a2348 MD5: f2a714d2c99f091a380883be26338a7f SHA256: 85d3d93910bfb8410a0e82810d05aa67a6702ce0cdfc38d1d01f2f9471d20150
Ddosbgijibiigd_browsing78Elf·elf SHA1: e682c58bbff74568632cca6470c84612573ea212 MD5: 1f9cd01cb9bfafcdfec2a6fe93d3d73f SHA256: a6729c047d776294fa21956157eec0b50efa7447b8e2834b05be31080767006f
Ddosbgijibiigd_browsing79Elf·elf SHA1: 85e96d75e1940323ce306bdc480b9fab47ef5a0c MD5: be2f2959ae20d42131b58f37f241749c SHA256: 42b4e116c5d2d3e9d4777c7eaa3c3835a126c02673583c2dfb1ae2bf0bf0db48

A Look Into Space Pirates Unconventional Techniques Attack Vectors And Tools

The Space Pirates APT group has evolved since previous years, adding new tools, tactics, techniques, and procedures to its operations. According to researchers, the group's main goal appears to be the theft of sensitive information from educational institutions, private security companies, aerospace manufacturers, agricultural producers, and defense, energy, and infosec companies located in Russia and Serbia. The group's toolset includes penetration-testing tools and open-source malware, but it has started to use private tooling such as Deed RAT and Voidoor, the latter of which uses GitHub as its main command-and-control channel.

IoCs

Abgijibigeg18_browsingDll·dll SHA1: 84ca568879ca62448d035d56bec816a11188b831 MD5: 8002cd74e579a44a78b2c8e66f8f08a4 SHA256: 8c3e0fdddc2c53cf7961f770080e96332592c847839ccf84c280da555456baf0
Abgijibigeg21_browsingDll·dll SHA1: 3f8ee1e875cbb01e145a09db7d857b6be22bdd92 MD5: 972a1a6f17756da29d55a84d7f3f23a4 SHA256: b6860214fcc1ef17937e82b1333672afa5fcf1c1b394a0c7c0447357477fe7c9
Abgijibigeg22_browsingDll·dll SHA1: e986b238cb5fe037718172d965a41c12c85bbdd0 MD5: 633ccb76bd17281d5288f3a5e03277a0 SHA256: ceca49486dd7e5cf8af7b8f297d87efe65aba69124a3b61255c6f4a099c4a2ab

The Turla APT Group Uses Multiple Malware Families To Exfiltrate Data (CERT-UA6981)

The Turla APT group used multiple malware families to carry out espionage attacks. The initial infection vector consisted of spear-phishing emails with malicious attachments. The malware was used to collect and exfiltrate a range of data, including passwords, bookmarks, browsing history, and cookies, as well as data from KeePass and from Azure, Google Cloud, and AWS credential stores.

IoCs

Thebgijibifhf1_browsingDll·dll SHA1: b2fa58da8af06e49c626a8377551fd25e359d73d MD5: 491e462bf1213fede82925dea5df8fff SHA256: ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39
Thebgijibifhf1_edrDll·dll SHA1: b2fa58da8af06e49c626a8377551fd25e359d73d MD5: 491e462bf1213fede82925dea5df8fff SHA256: ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39

Ursnif campaign in Italy

An investigation by Kostas from the DFIR Report covering an Ursnif campaign in Italy.

IoCs

Ursnifbgijhigahi1_browsingDll·dll SHA1: 0f661ba97e702021988fa372fde43bd3165f1cfe MD5: b565aa423ca4ba6e8c6b208c22e5b056 SHA256: 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
Ursnifbgijhigahi4_browsingPs1·ps1 SHA1: 5a7021b7b1d05321f95b8464339688007ac502ea MD5: 665a152dc746deaaab11e1c0af4b513e SHA256: 6e8b848e7e28a1fd474bf825330bbd4c054346ad1698c68e7a59dd38232a940a
Ursnifbgijhigahi1_edrDll·dll SHA1: 0f661ba97e702021988fa372fde43bd3165f1cfe MD5: b565aa423ca4ba6e8c6b208c22e5b056 SHA256: 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265

UAC-0006 Distributes SmokeLoader Through Phishing Emails (CERT-UA6999)

The UAC-0006 threat actor sent spear-phishing emails with malicious attachments to infect devices with SmokeLoader. The attachments were ZIP archives containing either VBS or HTML files that downloaded the payload. Obfuscation was used for defense evasion, and a scheduled task was created for persistence.

IoCs

Uac0006bgijhdcdcg13_browsingHtml·html SHA1: b83f21187381638dba7ee3b4b53f5a1302590484 MD5: b3ee60f2626bc1ba158ea2b82cf5ec3d SHA256: d138da2039ef93b0b511bc380f3be1f53a9859e616973afae6059d0225cb40cf
Uac0006bgijhdcdcg14_browsingZip·zip SHA1: d2bf555971ddeff7fd03f506838872df4ae444cf MD5: f634458ac460762c0e9e3b8b7c29cb09 SHA256: be33946e29b3f0d2f3b1b68042bd6e81f64a18da0f0705d104a85f1bee207432
Uac0006bgijhdcdcg15_browsingZip·zip SHA1: cee7d9254e3014e122c3aca3db15767c8f404fd9 MD5: d2d02a414a886ad60a5f25c081f8c11b SHA256: f664f4122f5cf236e9e6a7aabde5714dfe9c6c85bd4214b5362b11d04c76763d

Google Firebase Hosting Abused To Deliver Sorillus RAT

Adversaries were found abusing Google's Firebase Hosting service to deliver Sorillus, a remote administration tool that is sold openly as a legitimate product. The initial infection vector consisted of phishing emails with malicious attachments. The attachments contained an HTML file that used the HTML smuggling technique to reassemble and drop the Sorillus payload in the victim's browser. The tool can capture video and keystrokes and steal system information and credentials from web browsers.
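HTML smuggling works because the "attachment" is a base64 string inside the page that JavaScript turns back into a file with a Blob and a forced download, so nothing executable crosses the mail gateway as an attachment. The following added example, not code from the report or from Sorillus, is a small static analyzer for that pattern: it finds long base64 runs in an HTML file, decodes them, checks the leading bytes for archive or executable magic, and looks for the browser-side reassembly idioms. The sample page and the ZIP inside it are constructed in the code itself, so the example runs offline with no real malware involved.

```python
"""Spot HTML smuggling: a file hidden as base64 inside an HTML page and
reassembled by JavaScript in the browser.

Added example, not from the original report or from Sorillus' authors. The
sample HTML is constructed here; the embedded ZIP is built in code so the
example runs offline with no real malware involved.
"""
import base64
import io
import re
import zipfile

# JavaScript idioms a smuggling page needs to turn a string back into a download.
JS_INDICATORS = ("atob(", "new Blob(", "URL.createObjectURL(", ".download", "msSaveOrOpenBlob", ".click()")

# Leading bytes of the file types attackers usually smuggle.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
}

# A real payload is kilobytes long; short base64 runs (inline images, tokens) are skipped.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


def build_sample_html():
    """Construct a smuggling page carrying a harmless ZIP with one .js inside."""
    buf = io.BytesIO()
    # ZIP_STORED keeps the archive above the size threshold (deflate would shrink the padding away).
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_0723.js", "// constructed placeholder\n" + "A" * 2048)
    payload = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body>
<p>Loading your document...</p>
<script>
var data = "{payload}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = "Invoice_0723.zip";
a.click();
</script></body></html>"""


def analyze_html(html):
    """Return decoded blobs, the JS reassembly idioms present, and a smuggling verdict."""
    blobs = []
    for m in B64_BLOB_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # long alphanumeric run that is not valid base64
        kind = next((name for sig, name in MAGIC.items() if raw.startswith(sig)), "unknown")
        members = []
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                members = zf.namelist()
        blobs.append({"size": len(raw), "type": kind, "members": members})
    indicators = [tok for tok in JS_INDICATORS if tok in html]
    # Verdict: an embedded archive/executable plus the code to save it client-side.
    suspicious = any(b["type"] in ("zip", "pe") for b in blobs) and len(indicators) >= 3
    return {"blobs": blobs, "js_indicators": indicators, "smuggling": suspicious}


if __name__ == "__main__":
    print(analyze_html(build_sample_html()))
```

The decode step matters: mail filters that only regex for `atob(` miss pages that split or obfuscate the string, while a detector that decodes and checks magic bytes survives cosmetic changes to the JavaScript. Extend `MAGIC` and `JS_INDICATORS` to taste; for ISO or IMG containers, which have the magic further into the file, check a later offset rather than the first bytes.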

IoCs

Googlebgijhdccbi4_browsingZip·zip SHA1: b422408ee20b3a939c498640feeec475356f1f40 MD5: e93b8dddfc9715f1785ff8f554d538a8 SHA256: c65c347ce9c62b8765831f0deb11be08eb8818c036587c1a2b0da2dab7aa5d7a
Googlebgijhdccbi5_browsingHtml·html SHA1: 7742903c880aa45f7702d9c54b2b6c1a3715ba00 MD5: 5f74bc4dc4ed13805295ae2f249450bb SHA256: 5733f7b22ed1f1e86ea177c4beb44e424284a3cf14b3cf09c2cf85ddf6678e45
Googlebgijhdccbi6_browsingHtml·html SHA1: acbcc56226cbbbe41e8112f71bbd2436aef82f83 MD5: 29fc65f116072a072d52dac21d33335f SHA256: ee793fe7b529925b6ffde42f64aac8a3842957a9fe2c229e46dbb9568789d6ea

FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware

Symantec Threat Hunter Team recently observed the Syssphinx (aka FIN8) cyber-crime group deploying a variant of the Sardonic backdoor to deliver the Noberus ransomware.

IoCs

Fin8bgijhbhgec4_browsingPs1·ps1 SHA1: 4e693689526ee28290ddd9cdd242a3c5f0383b8d MD5: 10e75f522c3a52532d124e507d1d6561 SHA256: 1d3e573d432ef094fba33f615aa0564feffa99853af77e10367f54dc6df95509
Fin8bgijhbhgec9_browsingDll·dll SHA1: ea50aa7c4d8b3097a2e7d8a4c575b08cfabbbdd8 MD5: bd265f2d3e827e2ffa22417a6334d5fa SHA256: 48e3add1881d60e0f6a036cfdb24426266f23f624a4cd57b8ea945e9ca98e6fd
Fin8bgijhbhgec10_browsingDll·dll SHA1: 12c3b36ee26b031e6c7b80b7e34b48489bfd108d MD5: 2dad0e66463869b2565449e4c9e84417 SHA256: 4db89c39db14f4d9f76d06c50fef2d9282e83c03e8c948a863b58dedc43edd31

Reverse Engineering Walkthrough | Analyzing A Sample Of Arechclient2

SentinelOne analyzed an initial loader implemented in AutoIt that uses process hollowing to load a .NET-based payload. By reconstructing the loader's string decryption routine, the researchers were able to partially deobfuscate it.

IoCs

Reversebgijgjcegg1_browsingExe·exe SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417 MD5: c56b5f0201a3b3de53e561fe76912bfd SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
Reversebgijgjcegg3_browsingExe·exe SHA1: 054742329f83a5d177dd1937992e6755f43c420e MD5: e10a54c88b0055b69165618590583805 SHA256: a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910
Reversebgijgjcegg1_edrExe·exe SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417 MD5: c56b5f0201a3b3de53e561fe76912bfd SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

Trojanized Application Preying on TeamViewer Users

Cyble Research & Intelligence Labs analyzes a trojanized version of the TeamViewer application and how it distributes njRAT.

IoCs

Trojanizedbgijgefgee1_browsingExe·exe SHA1: 9b9539fec7d0227672717e126a9b46cda3315895 MD5: 11aacb03c7e370d2b78b99efe9a131eb SHA256: 224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31
Trojanizedbgijgefgee2_browsingExe·exe SHA1: b2f847dce91be5f5ea884d068f5d5a6d9140665c MD5: 8ccbb51dbee1d8866924610adb262990 SHA256: 9bcb093f911234d702a80a238cea14121c17f0b27d51bb023768e84c27f1262a
Trojanizedbgijgefgee1_edrExe·exe SHA1: 9b9539fec7d0227672717e126a9b46cda3315895 MD5: 11aacb03c7e370d2b78b99efe9a131eb SHA256: 224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31

Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure GCP

Throughout June 2023, the actor behind a cloud credential-stealing campaign expanded its tooling to target Azure and Google Cloud Platform (GCP) services. Previously this actor focused exclusively on Amazon Web Services (AWS) credentials.

IoCs

Cloudybgijdhcafh9_browsingSh·sh SHA1: 61da5d358df2e99ee174b22c4899dbbf903c76f0 MD5: f7df739f865448ac82da01b3b1a97041 SHA256: 3f129141bfb73aca77a4605088af86138b3ea6f9cb14e5c50dbf2352983a2142
Cloudybgijdhcafh8_browsingSh·sh SHA1: 6123bbca11385f9a02f888b21a59155242a96aba MD5: 92d6cc158608bcec74cf9856ab6c94e5 SHA256: 8b7414c268b54a50b0499a6a9f6d32d0beb34db8d3624aa660578b353ba30204
Cloudybgijdhcafh5_browsingElf·elf SHA1: 37cb34a044c70d1acea5a3a91580b7bfc2a8e687 MD5: 87c8423e0815d6467656093bff9aa193 SHA256: 0f37a4b3eb939b1a1750a7a132d4798aa609f0cd862e47f641dd83c0763d8c8f

APT36 Delivers Crimson RAT Using Pilgrimage Security Briefing Lure

APT36 activity has been observed delivering a PowerPoint presentation containing a malicious macro. The document carries a lure that appears targeted at Indian government entities. Allowing the macro to execute drops and runs the Crimson remote access trojan (RAT) on the victim's machine. The .NET-based Crimson RAT can perform reconnaissance, exfiltrate data, communicate with its C2 server, and execute additional commands and payloads.

IoCs

Apt36bgijdaafca_browsing79Exe·exe SHA1: 88ea01712e88378af42f6d8d2da58982e59d0756 MD5: c93cb6bb245e90c1b7df9f3c55734887 SHA256: ce43a5f80b6e5285722b929ea912d455a3c725276ae126c1348ff95df3f7f6e9
Apt36bgijdaafca81_browsingZip·zip SHA1: 93c29543bef15309da3266074cb05a533f7f2e5c MD5: 66d65a321d7ad9f0d33c70e888e589ff SHA256: dbf8b14503b1670432b574a32a928b73e325f3088604a267503c987d97659551
Apt36bgijdaafca80_browsingDocx·docx SHA1: 87d492d00d4aa50623254c3c408b40519a10c21b MD5: 0ad121b4eb1ef9c491181c5ab8fe1ed7 SHA256: 6778381dd3a660599b36483e7403aea67f49a944ae15449e19131e1a98fe24ae

Threat Actor Launches ScarLeteel 2.0

The ScarLeteel campaign was discovered in early 2023 and continues to target cloud environments to steal data, strengthen its own evasion against defenders, and mine cryptocurrency. Initial access is gained by exploiting public-facing web applications, after which tools including the AWS CLI, Pacu, and Peirates are used to carry out the intrusion. The threat actor was also found to have installed a Mirai botnet variant to provide DDoS capabilities.

IoCs

Threatbgijdaabfc3_browsingSh·sh SHA1: 5919531f7649adc01afea8e78704da7c67eaf2cc MD5: c451822e6030fb55095692ef395ff50b SHA256: 99e70e041dad90226186f39f9bc347115750c276a35bfd659beb23c047d1df6e
Threatbgijdaabfc2_browsingSh·sh SHA1: b2231de3f2de5ec00aba450762919459abf6250d MD5: 3bcef172739dea6c5fe93375d5e14b8a SHA256: 00a6b7157c98125c6efd7681023449060a66cdb7792b3793512cd368856ac705
Threatbgijdaabfc4_browsingSh·sh SHA1: 5611cb5676556410981eefab70d0e2aced01dbc5 MD5: b9113ccc0856e5d44bab8d3374362a06 SHA256: 3769e828f39126eb8f18139740622ab12672feefaae4a355c3179136a09548a0

Attackers Exploit (CVE-2023-36884) Unpatched Windows Zero-Day Vulnerability

A zero-day vulnerability (CVE-2023-36884) affecting Microsoft Windows and Office products is being exploited in the wild. To date, the exploit has been used in highly targeted attacks against organizations in the government and defense sectors in Europe and North America. Microsoft disclosed the vulnerability on July 11, 2023, stating that an attacker could craft a Microsoft Office document that achieves remote code execution on the target's computer; the victim must open the malicious file for the exploit to succeed. At the time of the original report no patch was available: Microsoft said a fix might ship in its monthly release process or as an out-of-cycle security update, and provided mitigation guidance in its advisory (adding the Office executables as REG_DWORD values of 1 under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION, and noting that the "Block all Office applications from creating child processes" attack surface reduction rule stops the observed attack chain). Microsoft addressed the issue in its August 2023 security updates; organizations still relying on the registry workaround should verify that the update is installed and the workaround removed.

IoCs

Attackersbgijcceegh1_browsingDocx·docx SHA1: 2400b169ee2c38ac146c67408debc9b4fa4fca5f MD5: d227874863036b8e73a3894a19bd25a0 SHA256: a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
Attackersbgijcceegh4_browsingLnk·lnk SHA1: dd0dc5ecc7818a1dd3077e0a0570b36966fb1c67 MD5: 8ed058fa2fa7fa89400c8fcaf9fccad6 SHA256: d3263cc3eff826431c2016aee674c7e3e5329bebfb7a145907de39a279859f4a
Attackersbgijcceegh1_edrDocx·docx SHA1: 2400b169ee2c38ac146c67408debc9b4fa4fca5f MD5: d227874863036b8e73a3894a19bd25a0 SHA256: a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f

Infamous Meduza Stealer

Meduza Stealer recently appeared on Russian-language forums and is sold to subscribers on 1-month and 3-month plans. The malware is written in C++ and targets Chromium- and Gecko-based browsers, crypto wallets, and password managers. The stealer shares similarities with Aurora Stealer, but unlike Aurora it is under active development; speculation suggests the same developers are behind both. Beyond Meduza itself, the developers also advertise malware development services in Java, JavaScript, TypeScript, Kotlin, and Python.

IoCs

Infamousbgijcbdjad19_browsingExe·exe SHA1: 9261a29f0d94a6c9a30521a28ed57bd62b1b4cad MD5: 8659732b1e658a65fe4f65bedae7835b SHA256: afbf62a466552392a4b2c0aa8c51bf3bde84afbe5aa84a2483dc92e906421d0a
Infamousbgijcbdjad14_browsingExe·exe SHA1: 21b0057bf675fe420d42df7427fbdd41ef4faffa MD5: fa81c42c6d79564d0356ed01a4490d90 SHA256: a73e95fb7ba212f74e0116551ccba73dd2ccba87d8927af29499bba9b3287ea7
Infamousbgijcbdjad18_browsingExe·exe SHA1: 1540c398646158e3a563bb7f55e3ab2a784ff62c MD5: 7915d2f34f49cec0bf4e1c089ab1556b SHA256: cbc07d45dd4967571f86ae75b120b620b701da11c4ebfa9afcae3a0220527972

Underground Team Ransomware Demands Millions

Underground Team ransomware uses the ShellExecuteW() function to run a series of commands that delete volume shadow copies, modify the registry, and stop the MSSQLSERVER service. After encryption completes, the malware writes a CMD file that deletes specific files and clears the event logs. Finally, it drops the ransom note instructing victims to pay for the decryption key.
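The sequence above (shadow-copy deletion, service stop, registry change, then log clearing from a CMD file) is the generic ransomware pre- and post-encryption pattern, and it is far more telling when correlated by parent process than when each command is alerted on alone. As an added example, not taken from the report or from the malware, the script below runs that correlation over constructed process-creation events in the shape of Sysmon Event ID 1 / Windows 4688 records. The command lines are documented administrative commands chosen to illustrate each category, not strings recovered from the Underground Team sample.

```python
"""Correlate the pre-encryption commands ransomware typically issues
(shadow-copy deletion, service stops, registry changes, event-log clearing)
from process-creation telemetry.

Added example, not taken from the original report or from the Underground Team
sample. The events below are constructed to resemble Sysmon Event ID 1 /
Windows 4688 process-creation records; the command lines are generic,
documented administrative commands rather than strings copied from the malware.
"""
import re
from collections import defaultdict

# Captures the log name so repeated clearing of different logs can be counted.
LOG_CLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.I)

# Each rule: category -> regex over the command line (case-insensitive).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|bcdedit.*recoveryenabled\s+no", re.I),
    "database_service_stop": re.compile(
        r'net1?(\.exe)?\s+stop\s+"?MSSQLSERVER|sc(\.exe)?\s+stop\s+MSSQLSERVER', re.I),
    "registry_modification": re.compile(r"reg(\.exe)?\s+add\s+HK", re.I),
    "event_log_clearing": LOG_CLEAR_RE,
}

# Constructed telemetry: (event_id, parent_process_guid, parent_image, command_line)
SAMPLE_EVENTS = [
    ("1", "{P-1}", r"C:\Users\Public\locker.exe", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("1", "{P-1}", r"C:\Users\Public\locker.exe", r"C:\Windows\System32\net.exe stop MSSQLSERVER /y"),
    ("1", "{P-1}", r"C:\Users\Public\locker.exe",
     r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service /v AllowBasic /t REG_DWORD /d 1 /f"),
    ("1", "{P-2}", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe cl Security"),
    ("1", "{P-2}", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe cl System"),
    # Benign noise: an admin clearing one log, and a backup agent merely listing shadows.
    ("1", "{P-3}", r"C:\Windows\explorer.exe", r"wevtutil.exe cl Application"),
    ("1", "{P-4}", r"C:\Program Files\Backup\agent.exe", r"vssadmin.exe list shadows"),
]


def classify(command_line):
    """Return the set of rule categories a single command line matches."""
    return {cat for cat, rx in RULES.items() if rx.search(command_line)}


def correlate(events, min_categories=2, min_logs_cleared=2):
    """Group matches by parent process and alert when one parent either spawns
    commands from `min_categories` distinct categories or clears
    `min_logs_cleared` different event logs.

    Returns {parent_guid: {"image", "categories", "logs_cleared"}}.
    """
    by_parent = defaultdict(lambda: {"image": None, "categories": set(), "logs_cleared": set()})
    for _eid, pguid, pimage, cmd in events:
        cats = classify(cmd)
        if not cats:
            continue
        entry = by_parent[pguid]
        entry["image"] = pimage
        entry["categories"] |= cats
        m = LOG_CLEAR_RE.search(cmd)
        if m:
            entry["logs_cleared"].add(m.group(2).lower())

    alerts = {}
    for pguid, e in by_parent.items():
        if len(e["categories"]) >= min_categories or len(e["logs_cleared"]) >= min_logs_cleared:
            alerts[pguid] = {
                "image": e["image"],
                "categories": sorted(e["categories"]),
                "logs_cleared": sorted(e["logs_cleared"]),
            }
    return alerts


if __name__ == "__main__":
    for pguid, hit in correlate(SAMPLE_EVENTS).items():
        print(pguid, hit)
```

In the constructed data the locker process trips the multi-category rule and the cmd.exe child trips the multi-log rule, while the lone administrative log clear and the backup agent's `vssadmin list shadows` do not. Correlating on the parent process GUID rather than the image path is deliberate: ransomware frequently proxies these commands through cmd.exe, and a path-based grouping would merge unrelated shells.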

IoCs

Undergroundbgijafbfig39_browsingExe·exe SHA1: fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6 MD5: 059175be5681a633190cd9631e2975f6 SHA256: d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666
Undergroundbgijafbfig39_edrExe·exe SHA1: fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6 MD5: 059175be5681a633190cd9631e2975f6 SHA256: d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666

Threat Trend Report On Kimsuky

The Kimsuky APT group continues to evolve its tactics and techniques to compromise further systems. This time researchers noticed the use of new top-level domains (TLDs) to lure victims, including some with Korean characters. Known tools such as FlowerPower, RandomQuery, and AppleSeed have also been modified with new features in an effort to stay under the radar.
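Lure domains on TLDs with Korean characters reach most SIEMs and proxy logs as punycode ("xn--" labels), so a plain string match on Hangul finds nothing. The following added example, not part of the original report, decodes IDN labels back to Unicode and flags domains whose labels, and in particular whose TLD, use Hangul code points. The domains are constructed for the demonstration and are not attributed to Kimsuky.

```python
"""Flag internationalized domain names whose decoded labels contain Hangul.

Added example, not from the original Kimsuky report. The domains below are
constructed for the demonstration; none are attributed to the group.
"""

# Unicode blocks for Korean script: precomposed syllables, jamo, compatibility jamo.
HANGUL_RANGES = ((0xAC00, 0xD7A3), (0x1100, 0x11FF), (0x3130, 0x318F))


def is_hangul(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in HANGUL_RANGES)


def decode_idn(domain):
    """Turn 'xn--' labels back into Unicode; plain ASCII labels pass through unchanged."""
    labels = []
    for label in domain.strip(".").split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label rather than fail the whole check
        labels.append(label)
    return ".".join(labels)


def analyze_domain(domain):
    """Return the decoded form, the labels using Hangul, and whether the TLD itself does."""
    decoded = decode_idn(domain)
    labels = decoded.split(".")
    hangul_labels = [lbl for lbl in labels if any(is_hangul(c) for c in lbl)]
    return {
        "input": domain,
        "decoded": decoded,
        "hangul_labels": hangul_labels,
        "hangul_tld": bool(labels) and any(is_hangul(c) for c in labels[-1]),
    }


def to_idna(domain):
    """Build the punycode form of a Unicode domain, as it would appear in logs."""
    return domain.encode("idna").decode("ascii")


# Constructed samples: a Korean-script TLD with a Korean host label, a mixed-script
# name, and a plain ASCII one. (.한국, punycode xn--3e0b707e, is Korea's IDN ccTLD.)
SAMPLE_DOMAINS = [
    to_idna("보안-알림.example.한국"),
    to_idna("mail-check.한국"),
    "login.example.com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(analyze_domain(d))
```

Feed `analyze_domain` the host field from proxy or DNS logs; a Hangul TLD on a domain your organization has no business with is a cheap, high-signal hunt lead, while a Hangul host label under an ASCII TLD is worth a look for homoglyph-style impersonation of Korean brands.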

IoCs

Threatbgijafbfgb38_browsingChm·chm SHA1: 128fac6c2a68dd844fe51a86308a38136c9e8027 MD5: 002fd493096214a9a44d82acb7f1ac30 SHA256: 76b2f8df4578d65d5b6d57af8784584c1bcf86402d964b567db58e63723b636c
Threatbgijafbfgb38_edrChm·chm SHA1: 128fac6c2a68dd844fe51a86308a38136c9e8027 MD5: 002fd493096214a9a44d82acb7f1ac30 SHA256: 76b2f8df4578d65d5b6d57af8784584c1bcf86402d964b567db58e63723b636c

Unleashing WhiteSnake Stealer

WhiteSnake Stealer was discovered in early 2022 and collects data from browsers, email clients, messaging applications, and crypto wallets. It also gathers system information, location data, and keystrokes, and exfiltrates everything to its command-and-control servers as a ZIP archive. Communication between the infected device and the threat actor is carried out over Tor.

IoCs

Unleashingbgijafbdca1_browsingExe·exe SHA1: 087a787a34ee05478bfa07b50fd39c8367b0a157 MD5: a338043c6b5260df6b7ce4c4ec3d1b80 SHA256: f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50
Unleashingbgijafbdca2_browsingExe·exe SHA1: c7fac0793d14413bdb2b6240dff2a2ce33b50ba4 MD5: a65e9165a47ed2cd2f168bf71db4181e SHA256: c219beaecc91df9265574eea6e9d866c224549b7f41cdda7e85015f4ae99b7c7
Unleashingbgijafbdca1_edrExe·exe SHA1: 087a787a34ee05478bfa07b50fd39c8367b0a157 MD5: a338043c6b5260df6b7ce4c4ec3d1b80 SHA256: f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

US Cert Alert - (AA23-187A) Increased Truebot Activity Infects U.S. And Canada Networks

Organizations in the United States and Canada are being targeted with variants of the Truebot malware family. Initial access is achieved by exploiting a remote code execution vulnerability in the Netwrix Auditor application (CVE-2022-31199) or through phishing emails carrying malicious redirect hyperlinks. The intrusions use a range of malware and tools, including Raspberry Robin, FlawedGrace, Cobalt Strike, and the Teleport data exfiltration tool.

IoCs

Truebotbgiiijfbga1_browsingExe·exe SHA1: 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d MD5: 12011c44955fd6631113f68a99447515 SHA256: c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
Truebotbgiiijfbga4_browsingExe·exe SHA1: afda13d5365b290f7cdea701d00d05b0c60916f8 MD5: e4a42cbda39a20134d6edcf9f03c44ed SHA256: 47f962063b42de277cd8d22550ae47b1787a39aa6f537c5408a59b5b76ed0464
Truebotbgiiijfbga6_browsingExe·exe SHA1: 03916123864aa034f7ca3b9d45b2e39b5c91c502 MD5: 338476c2b0de4ee2f3e402f3495d0578 SHA256: a67df0a8b32bdc5f9d224db118b3153f66518737e702314873b673c914b2bb5c

Buddyransome

Buddyransome is ransomware that encrypts data and appends the ".buddyransome" extension to file names; it also drops a ransom note named "HOW_TO_RECOVERY_FILES.txt". For example, "1.jpg" becomes "1.jpg.buddyransome" and "2.png" becomes "2.png.buddyransome".

IoCs

Buddyransombgiiiijacb1_browsingExe·exe SHA1: adebd8a52b6dc9ad35dee583eae8d93e0040b837 MD5: f7b5b9fd8c7020dedb138ef75190dffc SHA256: 8843bafbb4a43a6c7a77c62a513908d1e2352ae5f58bd8bfa6d604bc795dcd12
Buddyransombgiiiijacb2_browsingExe·exe SHA1: 393c2a157d52301405d1594cbcb694c6d2931296 MD5: 50881c434db8730bfc5e67bccf573ec2 SHA256: 2c9599396f8267baa20e89bab33b323ae98497f855534a8b2a629af502539cfe
Buddyransombgiiiijacb1_edrExe·exe SHA1: adebd8a52b6dc9ad35dee583eae8d93e0040b837 MD5: f7b5b9fd8c7020dedb138ef75190dffc SHA256: 8843bafbb4a43a6c7a77c62a513908d1e2352ae5f58bd8bfa6d604bc795dcd12

Operation Brainleeches Targets Microsoft 365 Users

Operation Brainleeches combined malicious open-source packages with commodity phishing designed to steal credentials. The packages posted to npm mimicked legitimate modules and were downloaded around 1,000 times, while the phishing attacks consisted of emails with malicious attachments. Victims were presented with fake login forms asking for their Microsoft 365 username and password.
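Packages that mimic legitimate modules are caught most cheaply before install, by comparing the names in a dependency list against well-known packages with an edit distance that counts an adjacent-character swap as a single step. The added example below (not code from the report, from npm, or from the campaign) does exactly that with an optimal-string-alignment distance and name normalization; both the popular-package list and the dependency names are constructed for the demonstration, and none of them are the packages observed in Operation Brainleeches.

```python
"""Screen a dependency list for names that typosquat well-known packages.

Added example; not code from the Operation Brainleeches report or from npm.
The 'popular' list and the candidate names below are constructed for the
demonstration and are not the packages observed in the campaign.
"""
import re

# Constructed allow-list standing in for a feed of well-known package names.
POPULAR = ["lodash", "express", "axios", "react", "chalk", "commander", "moment", "debug"]


def normalize(name):
    """Strip scope and separators so '@scope/Lo-Dash' and 'lo_dash' compare to 'lodash'."""
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return re.sub(r"[-_.]", "", name)


def damerau_levenshtein(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_candidates(names, popular=POPULAR, max_distance=1):
    """Return [(name, lookalike_of, distance)] for names close to, but not equal to,
    a popular package. Exact matches are the legitimate packages and are skipped.
    """
    popular_norm = {normalize(p): p for p in popular}
    findings = []
    for name in names:
        n = normalize(name)
        if n in popular_norm:
            continue
        for pn, original in popular_norm.items():
            dist = damerau_levenshtein(n, pn)
            if dist <= max_distance:
                findings.append((name, original, dist))
                break
    return findings


# Constructed dependency list: legitimate names mixed with lookalikes.
SAMPLE_DEPENDENCIES = ["lodash", "lodahs", "expresss", "axois", "react-dom", "chalkk", "momnet", "debug"]

if __name__ == "__main__":
    for finding in typosquat_candidates(SAMPLE_DEPENDENCIES):
        print(finding)
```

Run it against the `dependencies` and `devDependencies` keys of a package.json and a larger popular-package list; a distance of 1 is tight enough to avoid flagging genuine siblings such as `react-dom`, while still catching the swapped, doubled, or dropped letters that typosquats rely on. Pair it with a publish-date or download-count check on the registry, since a brand-new package with a lookalike name is the combination that matters.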

IoCs

Operationbgiihibied11_browsingJs·js SHA1: 6c2d2d3c2e68bf3df88a41033a536d16c59c2f9d MD5: 861392914a5e5a6c15182239533176b6 SHA256: 4e74205220e3dba621a73eda505397606d59ff3a3dc68aa3575be37c95fd7cd6
Operationbgiihibied11_edrJs·js SHA1: 6c2d2d3c2e68bf3df88a41033a536d16c59c2f9d MD5: 861392914a5e5a6c15182239533176b6 SHA256: 4e74205220e3dba621a73eda505397606d59ff3a3dc68aa3575be37c95fd7cd6

Threat Profile UNC3944

UNC3944 is a financially motivated threat group that has been active since May 2022. It primarily targets telecommunications and Business Process Outsourcing (BPO) organizations, gaining initial access through social engineering such as phishing and SIM-swapping attacks. The group has been observed impersonating IT personnel to convince individuals to share their credentials or grant remote access to their computers. It exploits vulnerabilities such as CVE-2015-2291 (a signed Intel Ethernet diagnostics driver abused in bring-your-own-vulnerable-driver attacks) and uses the STONESTOP and POORTRY tooling to terminate security software and evade detection. The group demonstrates a deep understanding of the Azure environment and leverages built-in tools for its attacks. Once initial access has been gained, UNC3944 conducts reconnaissance across Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS environments, moves laterally, and downloads additional tools, in select cases exfiltrating VPN and MFA enrollment data. The group is also known to establish persistence through legitimate remote access tools such as AnyDesk, LogMeIn, and ConnectWise Control.

IoCs


TeamTNT Targets Cloud Native Environments

The TeamTNT threat group is suspected to be behind malicious infrastructure that is used to attack cloud-native environments. Four distinct container images were found uploaded to the Docker Hub public registry, each with fewer than 100 pulls. Successful infections result in devices infected with malware and crypto miners, including the Tsunami backdoor, which has been in operation since at least 2002.

IoCs


PhonyC2 Framework Used By MuddyWater

The MuddyWater APT group, also known as Mango Sandstorm, was found to be using a new C2 framework labeled PhonyC2. The framework uses random UUIDs (Universally Unique Identifiers) in its URLs to make tracking them more difficult. Multiple PowerShell scripts are used to start a multi-threaded webserver and a command-line listener, serving the C2 framework payloads and receiving commands from the command-and-control servers.

IoCs


The suspected Maha Grass organization uses the WarHawk backdoor variant Spyder to spy on many countries

Maha Grass, also known as Patchwork, White Elephant, Hangover, and Dropping Elephant, is tracked internally by Qi Anxin as APT-Q-36. The organization is generally considered to have a South Asian background. Its earliest attack activities can be traced back to November 2009, and it has been active for more than 10 years. The organization mainly conducts cyber espionage against countries in the Asian region, targeting organizations in the fields of government, military, the electric power industry, scientific research, education, diplomacy, and economy.

IoCs


The DPRK strikes using a new variant of RUSTBUCKET

This variant of RUSTBUCKET, a malware family that targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, is undetected by VirusTotal signature engines. Elastic Defend behavioral and prebuilt detection rules provide protection and visibility for users. We have also released a signature to prevent this malware from executing.

IoCs


Decrypted Akira Ransomware

Researchers at Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023, and since then the gang has claimed successful attacks on various organizations in the education, finance, and real estate industries, amongst others.

IoCs


Word Document with an Online Attached Template

A SANS analyst found a Word document that behaves like a dropper.

IoCs

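A .docx that pulls an "online attached template" carries that reference in its package relationships: word/settings.xml points at a relationship whose Type ends in attachedTemplate and whose Target is an external URL. The following added example (not code from the SANS write-up or from Cymulate) builds a small constructed .docx in memory and checks it for such a remote template, which is a quick triage test for documents of this kind; the URL used is a placeholder.

```python
"""Flag .docx files whose attached template is a remote (external) URL."""
import io
import re
import zipfile
from typing import List, Optional

# Relationship type Word uses for an attached template (word/_rels/settings.xml.rels).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PATH = "word/_rels/settings.xml.rels"
REL_RE = re.compile(r"<Relationship\b([^>]*)>", re.I)   # one <Relationship .../> element
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')                # attribute="value" pairs


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return external attachedTemplate targets found in a .docx (empty if none)."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return hits                      # no settings relationships at all
        rels = z.read(RELS_PATH).decode("utf-8", "replace")
    for m in REL_RE.finditer(rels):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        # Only an attachedTemplate relationship with TargetMode="External" is remote.
        if attrs.get("Type") == ATTACHED_TEMPLATE and attrs.get("TargetMode") == "External":
            hits.append(attrs.get("Target", ""))
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx; template_target=None yields a benign file."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample with a placeholder URL, not an indicator from the report.
    print(remote_templates(build_docx("http://template.example.invalid/lure.dotm")))
```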

New Qakbot (Qbot) activity

Qakbot using the Obama-series distribution tags was recently active on Tuesday, 2023-06-20 (obama269), Wednesday, 2023-06-21 (obama270), and Thursday, 2023-06-22 (obama271).

IoCs

That is all for now! Stay cyber safe, and see you next month!