
Malware Arsenal used by Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) in attacks targeting Ukraine (samples)

published on 2023-02-18 07:59:00 UTC by Mila

2023-02-18

Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) is an Advanced Persistent Threat (APT) group believed to be based in Russia.
Their primary targets have been diplomatic and government entities in Europe, particularly Ukraine, and the United States. They have also targeted various industries, including defense, energy, and technology.


Email me if you need the password (see in my profile)
 (209 MB. 218 samples listed in the hash tables below).

The malware arsenal collected here includes:
  • Elephant framework (GrimPlant (Backdoor) and GraphSteel (Stealer))
  • Graphiron Backdoor
  • OutSteel (LorecDocStealer)
  • BabaDeda
  • Cobalt Strike (Beacon)
  • SaintBot Downloader
  • WhisperGate Wiper


APT Group Description

APT Group aliases:

UAC-0056 (UA CERT)
Ember Bear (CrowdStrike)
Saint Bear (F-Secure)
UNC2589 (FireEye, IBM)
Lorec53 (NSFOCUS)
TA471 (Proofpoint)
Nodaria (Symantec)
Nascent Ursa (Palo Alto)
LorecBear
Bleeding Bear (Elastic)
DEV-0586 (Microsoft)

The group is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021.
The group primarily targets Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations.
The group is known for using various malicious implants such as GrimPlant, GraphSteel, and CobaltStrike Beacon, as well as spear phishing attacks with macro-embedded Excel documents.
In January 2022, the group performed a destructive wiper attack on multiple Ukrainian government computers and websites, known as WhisperGate.

The Lorec53 group is a new type of APT group first identified by NSFOCUS Security Labs, and was later identified as UAC-0056 by the Ukrainian Computer Emergency Response Center.
The Lorec53 group primarily targets government workers in Ukraine and Georgia, trying to steal various types of document data or leave backdoor programs for subsequent attacks.
The group exhibits organizational characteristics similar to other known attack groups, but also demonstrates independence and the possibility of cooperating with other APT groups.
The Lorec53 group uses various social engineering techniques, temporary domain names, and unique Trojan horses, and is good at using network facilities of other hacker groups.

The group's attack timeline shows alternating attacks against Georgia and Ukraine, and as time progressed, its attack activity increased significantly, and the quality of each component in the attack process became higher and higher.
The Lorec53 group has strong infiltration ability and flexible attack methods, capable of organizing large-scale and frequent phishing attacks and good at harnessing social engineering technologies and network resource management methods learned from other threat actors.


Malware Arsenal

  • Graphiron
    • Graphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron)
    • The downloader contains hardcoded command-and-control (C&C) server addresses
    • The downloader is configured to check against a blacklist of malware analysis tools and connect to a C&C server to download the payload, which is then added to autorun
    • The payload is capable of stealing information from Firefox and Thunderbird, private keys from MobaXTerm, SSH known hosts, stored passwords, taking screenshots, and exfiltrating data
    • The password theft is carried out using a PowerShell command
    • The payload communicates with the C&C server using port 443 and communications are encrypted using AES cipher
    • Graphiron has similarities with older Nodaria (UNC2589_EmberBear_BleedingBear_Nodaria) tools such as GraphSteel and GrimPlant but can exfiltrate more data such as screenshots and SSH keys
    • Nodaria is a threat group active since at least March 2021, mainly targeting organizations in Ukraine and has also been linked to attacks in Kyrgyzstan and Georgia
    • The group uses spear-phishing emails to deliver a range of payloads to targets and their previous tools include Elephant Dropper, Elephant Downloader, SaintBot, OutSteel, GrimPlant, and GraphSteel
    • Nodaria's earlier tools were written in Go and Graphiron appears to be the latest piece of malware authored by the same developers, using Go version 1.18.

  • Elephant (GrimPlant (Backdoor) and GraphSteel (Stealer))
    • The Elephant Framework consists of two core components: GrimPlant (Backdoor) and GraphSteel (Stealer).
    • GrimPlant allows remote execution of PowerShell commands and communicates with the C&C server using gRPC and encrypted with TLS.
    • GraphSteel exfiltrates data from infected machines by communicating with the C&C server using WebSockets and the GraphQL query language.
    • GraphSteel exfiltrates information about the infected system, files from various folders and drives, and credentials from various sources including wifi passwords, browser credentials, password vault, and SSH sessions.

  • GraphSteel Backdoor
    • GraphSteel is designed to exfiltrate data from infected machines. Communication with the C&C server uses port 443 and is encrypted using the AES cipher. The GraphQL query language is used for communication.
    • GraphSteel and GrimPlant are both written in the Go language.
    • APT responsible: UNC2589 (Ember Bear, Lorec53, UAC-0056)
    • Attacks reported: GraphSteel & GrimPlant were used in email phishing attacks on Ukrainian government organizations on April 26, March 28, and March 11, 2022 (Source: CERT-UA)

  • GrimPlant Backdoor
    • GrimPlant is a simple backdoor allowing for remote execution of PowerShell commands. Communication with the C2 server uses port 80 and is based on gRPC. The communications are encrypted with TLS, and its certificate is hardcoded in the binary.
    • Attacks reported: GraphSteel & GrimPlant were used in email phishing attacks on Ukrainian government organizations on April 26, March 28, and March 11, 2022 (Source: CERT-UA)

  • OutSteel (LorecDocStealer)
    • OutSteel malware is used in spear-phishing campaigns with malicious attachments.
    • The main payload is an infostealer that steals files from the victim's machine and uploads them to a Command and Control (C2) server.
    • The downloader used to load the infostealer is BabaDeda crypter.
    • The malware is believed to be state-sponsored, carried out by a hacker group called Lorec53.
    • The group is suspected of conducting espionage attacks against government employees in Georgia and Ukraine.
    • The BabaDeda crypter acts as an installer and executes shellcode stored encrypted in a file, such as xml or pdf.
    • The BabaDeda crypter is an evasive malware that has the purpose to load a malicious payload stored in another file.
    • The BabaDeda crypter is used to load a second BabaDeda crypter in the second phase of the attack.
    • The final payload is OutSteel, which sends the stolen files to a specified URL.

  • BabaDeda
    • BabaDeda Crypter is dropped by a downloader, which can be delivered via a file with the extension ".cpl"
    • The ".cpl" file is designed to automatically execute when double-clicked, making it easier for uneducated users to trigger the malware
    • BabaDeda Crypter is installed by an MSI file that is downloaded by LorecCPL downloader
    • The final payload is delivered as a main malicious binary named "mathparser.exe"
    • Capabilities of BabaDeda Crypter:
    • BabaDeda Crypter has the ability to install itself onto the victim's system
    • The malware can execute a main malicious binary, which could perform various malicious activities such as data theft, information exfiltration, or other malicious actions.

  • SaintBot Downloader
    • SaintBot malware was observed in a targeted email sent to an individual at an energy organization in Ukraine on Feb 1, 2022.
    • The email was a spear phishing attempt that used social engineering tactics to convince the targeted individual to open the attached malicious Word document.
    • The document instructed the user to double-click icons with exclamation points which, in turn, ran malicious JavaScript.
    • The JavaScript file ran a PowerShell one-liner that downloaded an executable from a URL and saved it to a specific location.
    • The URL was hosting a malicious executable that was a loader, acting as the first stage of several in the overall infection chain.
    • The infection chain resulted in the installation and execution of OutSteel (a document stealer), SaintBot (a loader Trojan), a batch script turned into an executable that disables Windows Defender, and a legitimate Google Chrome installation executable.
    • The initial loader was signed using a certificate related to the Electrum Bitcoin wallet.
    • The first-stage loader was a simple wrapper for later stages that decrypt DLLs and load them into memory.
    • The DLL is obfuscated but contains anti-analysis functionality that refuses to execute inside a virtual machine.
    • The DLL is another stager that will decrypt and execute four embedded binaries.
    • The four embedded binaries are OutSteel, SaintBot, an executable that runs a batch script to disable Windows Defender, and the Google Chrome installer

  • Cobalt Strike (Beacon)
    • Cobalt Strike is a commercial penetration testing tool that is used by threat actors as a backdoor agent named 'Beacon' on target machines. It is a versatile tool that is used by a wide range of threat actors, including APT groups and ransomware operators, for downloading and executing malicious payloads.
    • The Beacon implant is a file-less, stage-less or multi-stage shellcode that is loaded either by exploiting a vulnerability or executing a shellcode loader. The Beacon can communicate with the C&C server using several protocols including HTTP, HTTPS, DNS, SMB, named pipes as well as forward and reverse TCP. The Beacon can also chain connections to establish a foothold inside the compromised network and pivot internally into other systems.
    • Cobalt Strike has been used in multiple email phishing attacks on Ukrainian government organizations and is attributed to the UNC2589 APT group. The Beacon has also been used in combination with exploits like CVE-2021-40444 and CVE-2022-30190 (Follina)
    • BEACON: backdoor written in C/C++, part of the Cobalt Strike framework
    • Supports shell command execution, file transfer, file execution, file management
    • Can capture keystrokes and screenshots, act as a proxy server
    • Can harvest system credentials, port scan, and enumerate systems on a network
    • Communicates with C&C server via HTTP or DNS

  • WhisperGate Wiper
    • Uses the following Windows Command Shell command to execute the destructive malware:
    • cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1
    • Uses PowerShell commands to connect its Command and Control (C2) server and download additional payloads
    • Delivers PowerShell commands in Base64 encoded form
    • PowerShell command: Start-Sleep -s 10
    • Tactic: Defense Evasion & Persistence
    • Modifies the Master Boot Record (MBR) to evade defense
    • Searches for specific file extensions in certain directories to alter their content
    • Downloads file corruptor payload from a Discord channel hosted by the APT group
    • Download link for the malicious executable is hardcoded in the stage2.exe
    • Overwrites the Master Boot Record (MBR) causing the infected system to not boot up after power down
    • Overwrites files and corrupts their integrity
    • Renames the files to further its impact
    • Misrepresents itself as ransomware
    • Two-stage wiper malware
    • Initial access stage is unknown, but suspected to be a supply chain attack
    • Overwrites Master Boot Records (MBR) with a fake ransom note
    • Corrupts files with certain extensions and in certain directories by overwriting them with 0xCC bytes
    • Renames the files with a random four-byte extension
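
The two execution patterns listed above (a cmd.exe launch whose output is redirected to the local ADMIN$ share, and PowerShell commands delivered in Base64 form) can be hunted in process-creation logs. The following is an added example, not code from the original post or from any vendor report: the event layout, host names, sample command lines and rule names are constructed for illustration.

```python
import base64
import binascii
import re

# cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
ADMIN_REDIRECT = re.compile(
    r"\bcmd(?:\.exe)?\s+/q\s+/c\s+.+?\s1>\s*\\\\127\.0\.0\.1\\admin\$\\__\S*\s+2>&1",
    re.IGNORECASE,
)
# Any "-e..." style switch followed by a Base64-looking argument.
PS_SWITCH = re.compile(
    r"\s[-/](e[a-z]*)\s+([A-Za-z0-9+/]{8,}={0,2})(?=\s|$)", re.IGNORECASE
)
PS_HOST = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)


def is_encoded_command_switch(switch):
    """PowerShell accepts any prefix of -EncodedCommand, plus the -ec alias."""
    s = switch.lower()
    return s == "ec" or "encodedcommand".startswith(s)


def decode_encoded_command(b64):
    """Return the script text of an -EncodedCommand argument, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")  # -EncodedCommand carries UTF-16LE text
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyze(cmdline):
    """Return a list of (rule, detail) findings for one command line."""
    findings = []
    if ADMIN_REDIRECT.search(cmdline):
        findings.append(("admin_share_redirect", cmdline))
    if PS_HOST.search(cmdline):
        for switch, arg in PS_SWITCH.findall(cmdline):
            # Skip look-alikes such as -ExecutionPolicy <word>.
            if not is_encoded_command_switch(switch):
                continue
            script = decode_encoded_command(arg)
            if script is not None:
                findings.append(("encoded_powershell", script))
    return findings


def scan(events):
    """Run analyze() over events and return (host, rule, detail) tuples."""
    return [
        (ev["host"], rule, detail)
        for ev in events
        for rule, detail in analyze(ev["cmdline"])
    ]


def encode_for_sample(script):
    """Build an -EncodedCommand argument for the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"host": "ws-01",
     "cmdline": r"cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__1642070000.12 2>&1"},
    {"host": "ws-01",
     "cmdline": "powershell.exe -enc " + encode_for_sample("Start-Sleep -s 10")},
    {"host": "ws-02",
     "cmdline": "powershell -NoProfile -ExecutionPolicy Unrestricted -e "
                + encode_for_sample("Start-Sleep -s 10")},
    {"host": "ws-03",
     "cmdline": r"powershell.exe -ExecutionPolicy Unrestricted -File C:\scripts\backup.ps1"},
    {"host": "ws-03",
     "cmdline": r"cmd.exe /c dir C:\Users 1> C:\temp\out.txt 2>&1"},
]

if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

Encoded PowerShell is also common in legitimate administration tooling, so the decoded script text is what an analyst should review; the ADMIN$ redirect rule is the narrower of the two.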

References


Summary:
Nodaria (UAC-0056) is targeting Ukraine with new information-stealing malware. Infostealer.Graphiron malware steals system information, credentials, screenshots, and files from compromised computers.

Graphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).

The downloader contains hardcoded C&C server addresses. When executed, it checks running processes against a blacklist of malware analysis tools.

If no blacklisted processes are found, it will download, decrypt, and autorun the payload from a C&C server. Graphiron uses AES with hardcoded keys. It generates .lock and .trash files. MicrosoftOfficeDashboard.exe and OfficeTemplate.exe are hardcoded file names.

GraphSteel and GrimPlant are comparable to Graphiron. Using PowerShell, GraphSteel exfiltrates files, system information, and password vault credentials. Graphiron can also exfiltrate screenshots and SSH keys.

Summary:

HermeticWiper:
APT responsible: Sandworm (Black Energy, UAC-0082)
Attacks reported: Massive cyberattacks against Ukrainian organizations on February 23, 2022
Disables the Volume Shadow Copy Service (VSS)
Abuses legitimate drivers to corrupt data and render recovery impossible
Targets Windows registry files ntuser.dat and Windows event logs
Triggers system restart rendering the targeted host inoperable
SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

HermeticRansom:
APT responsible: Sandworm (Black Energy, UAC-0082)
Attacks reported: Cyberattacks against Ukrainian organizations on February 23, 2022
Written in Go language
Enumerates available drives and renames selected files
Encrypts file contents using AES algorithm
Creates a read_me.html file with a ransom note
SHA256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

IsaacWiper:
APT responsible: Gamaredon (Primitive Bear, Armageddon)
Attacks reported: Cyberattacks against Ukrainian government organizations on February 24, 2022
Overwrites existing content with random bytes
Renames files it can't access and attempts to wipe newly renamed files
Creates a log file with corrupting activity progress
SHA256: 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

AcidRain:
APT responsible: Unknown
Attacks reported: Cyberattacks against Viasat’s KA-SAT network and Enercon wind turbines on February 24, 2022
Overwrites files and symbolic links with random data from the memory buffer
Avoids certain directories if executed with root permissions
Triggers a device reboot after wiping
SHA256: 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a

LoadEdge (InvisiMole):
APT responsible: InvisiMole (UAC-0035)
Attacks reported: Email phishing attacks on Ukrainian government organizations on March 18, 2022
Supports functionalities such as file execution, upload, download, deletion, and obtaining system information
Communication with C&C uses HTTP and JSON formatted data
Persistence provided by HTA file creating an entry under the Run registry key
Resembles an upgraded version of InvisiMole's TCP downloader component
SHA256: fd72080eca622fa3d9573b43c86a770f7467f3354225118ab2634383bd7b42eb

GraphSteel & GrimPlant:
APT responsible: UNC2589 (Ember Bear, Lorec53, UAC-0056)
Attacks reported: Email phishing attacks on Ukrainian government organizations on March 11, March 28, and April 26, 2022
Both written in Go language
GrimPlant is a simple backdoor allowing for remote execution of PowerShell commands
GraphSteel exfiltrates data and steals credentials using

Summary:

UNC1151 is a group that is believed to be sponsored by Belarus and has frequently used the access and information gained by their intrusions to support information operations tracked as “Ghostwriter.”
UNC2589 is believed to act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine.
UNC2589 uses spear phishing campaigns with various themes, including COVID-19 and the war in Ukraine, and has used a variety of different infrastructure.
Mandiant has attributed the January 14 destructive attack on Ukraine using PAYWIPE (WHISPERGATE) to UNC2589.
GRIMPLANT is a backdoor used by UNC2589 and GRAPHSTEEL is an infostealer.
Mandiant analyzed a malicious document with an evacuation plan-themed lure, which was likely used by UNC2589 to target Ukrainian entities in a phishing campaign in late February 2022.
The malware was delivered via phishing email and the Remote Utilities utility was installed upon execution.
Remote Utilities allows attackers to set persistence through creating a startup service.
Mandiant Intelligence discovered another likely UNC2589-related phishing campaign targeting Ukrainian entities with GRIMPLANT and GRAPHSTEEL malware on March 27, 2022.
The malware was delivered via phishing email and was dropped onto the victim machine through a macro in an XLS document.


 


Summary:
The malware appears to be designed to render targeted devices inoperable rather than to obtain a ransom, unlike typical ransomware attacks.
The malware has been identified on dozens of systems in Ukraine, including multiple government, non-profit, and information technology organizations.
MSTIC assesses that this activity represents an elevated risk to any organization located or with systems in Ukraine.
The malware operates in two stages: Stage 1 overwrites the Master Boot Record (MBR) with a ransom note, and Stage 2 is a file corrupter that overwrites files with a fixed number of 0xCC bytes.
Microsoft has implemented detections for this malware family as WhisperGate and is continuing its investigation.
MSTIC recommends that organizations investigate the provided indicators of compromise (IOCs), enable multifactor authentication, and enable Controlled Folder Access in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
The detections in place across Microsoft security products include DoS:Win32/WhisperGate.A!dha, DoS:Win32/WhisperGate.C!.dha, DoS:Win32/WhisperGate.H!dha, and DoS:Win32/WhisperGate.X!dha.

 

Summary:
HermeticWiper: Malware that makes a system inoperable by corrupting its data. It disables the Volume Shadow Copy Service, wipes the MBR, MFT, and NTUSER files, and overwrites various folders with random bytes generated by CryptGenRandom.
HermeticWizard: Worm that spreads HermeticWiper across a local network via WMI and SMB. It is a DLL file that exports functions DllInstall, DllRegisterServer, and DllUnregisterServer. It gathers IP addresses on a network, and when it finds a reachable machine, drops HermeticWiper and executes it.
HermeticRansom: Ransomware written in Go that encrypts files and displays a ransom message to the victim.
Threat actors TTPs:

Initial access: Unknown for both HermeticWiper and IsaacWiper, although it is suspected that the attackers may have used tools such as Impacket to move laterally. HermeticWiper was deployed in at least one instance through the default domain policy (GPO), suggesting the attackers had prior access to the victim's Active Directory server.
Lateral movement: HermeticWizard worm was used to spread HermeticWiper across the compromised networks via SMB and WMI.
Persistence: HermeticWiper and HermeticWizard are signed by a code-signing certificate assigned to Hermetica Digital Ltd issued on April 13th, 2021, which was not stolen, but instead likely obtained by attackers impersonating the Cypriot company to get this certificate from DigiCert.
Malware delivery: HermeticWiper and HermeticWizard were deployed through various methods, including GPO and the use of Impacket tools. HermeticRansom was deployed through GPO in at least one instance.
Attribution: ESET researchers have not yet found any tangible connection with a known threat actor. The malware families do not share any significant code similarity with other samples in the ESET malware collection.

Summary:
The threat group UAC-0056 is targeting government organizations and companies involved with critical infrastructure in Ukraine and other countries. Their primary goal is to steal sensitive information for situational awareness and leverage in dealing with Ukraine.

The initial loader Trojan is used as a simple wrapper for the next few stages.

The packer used to pack and obfuscate the initial loader allows cloning .NET assemblies from other binaries and certificates.

The decrypted DLL, named SHCore2.dll, is obfuscated.

The stager contains anti-analysis functionality, including checks to refuse to execute inside a virtual machine or on bare metal systems.

The stager will decrypt and execute a total of four embedded binaries.

OutSteel is a file uploader and document stealer developed with the scripting language AutoIt. It searches for files with specific extensions and uploads them to a hardcoded command and control server.

The Windows_defender_disable.bat is used to disable Windows Defender functionality.

The SaintBot .NET Loader is composed of several stages with varying levels of obfuscation.

The SaintBot Payload is capable of downloading further payloads and updating itself on disk.

The threat actors use different social engineering themes in their attacks, such as cryptocurrency, COVID, law enforcement, and fake resumes.

Email is used as the attack vector, and different infection chains are used to compromise systems.

The threat group has overlaps with previous attack campaigns focused on other organizations in Ukraine and Georgia, as well as other nations’ assets local to Ukraine.

The attackers used Discord’s content delivery network (CDN) to host the payload.

The threat group makes use of several hardcoded command and control (C2) servers, all reaching out to the same endpoint.

 

Summary:

A new APT group named Lorec53 was identified by NSFOCUS Security Labs and confirmed by the Ukrainian Computer Emergency Response Center, which tracks it as UAC-0056.

Lorec53 is active in Eastern Europe and has been involved in large-scale cyber espionage attacks against Ukraine and Georgia.

The group has strong infiltration ability and flexible attack methods, using phishing attacks and social engineering techniques.

Lorec53 targets key state sectors such as the Ministry of Defense, Ministry of Finance, embassies, state-owned enterprises, and public medical facilities to collect personnel information.

The group has Russian-linked characteristics in attack tools, domain names, and asset location.

Victims of the Lorec53 group include the National Bank of Iran, Georgia’s Ministry of Epidemic Prevention and Health, Ukraine’s Ministry of Defense, Presidential Office, Ministry of the Interior, and Border Service.

A recent long wave of attacks from Lorec53 targeted a wide range of victims using baits such as Ukrainian government documents, shortcut files, and cpl files.

The group used 3 domain names (3237.site, stun.site, and eumr.site) as download servers for phishing files.

Lorec53 employed known Trojan programs including LorecDocStealer (OutSteel), LorecCPL, and SaintBot.

The first phishing attack in this wave used phishing documents referring to a presidential decree and the second attack used PDF and DOCX files with malicious macros.

The third attack used a phishing document in .zip format targeted at the Ukrainian medical system.

The main purpose of these attacks is still information gathering and the TTPs of the Lorec53 group are evident at each stage.

Summary:
Threat Campaign: Spear-phishing emails with malicious attachments used to steal files from victims' machines.
Malware: Infostealer "OutSteel" that uploads stolen files to a Command and Control server. Downloader used to load OutSteel is the BabaDeda crypter.
Threat Actor: State-sponsored group "Lorec53" (as named by NSFocus), suspected of being employed by high-level espionage organizations to target government employees in Georgia and Ukraine.
TTPs:
BabaDeda Crypter is an evasive malware that acts as an installer and executes a shellcode stored encrypted in a file (xml or pdf).
The first stage of the attack is downloading the BabaDeda crypter from a malicious LNK file or WORD template document.
The BabaDeda crypter first loads and runs a malicious DLL, which then loads and executes another malicious DLL in another thread.
The first DLL reads and parses the shellcode and writes it in the main binary's text section.
The decrypted shellcode extracts the loader shellcode and the payload, then decrypts them and transfers execution to the decrypted loader shellcode.
The final payload is OutSteel, which exfiltrates stolen documents to a specified URL.
The second malicious library is a mere downloader that downloads the next stage of the attack.

BabaDeda Crypter
LorecCPL downloaders
OutSteel Infostealer
TTPs (Tactics, Techniques, and Procedures):

Persistence achieved by creating a link file in the start-up directory using the IShellLinkW interface
Payload execution after decryption
Self-deletion routine
File size checking before execution
Downloading and running the next stage in a new process
Code overlap with WhisperGate malware
Hosting the archive on Discord
Using CPL files to trick uneducated users into executing the malware
Using xor decryption to hide the real code
Putting arguments on the stack and using them in functions
Downloading the final payload from a URL
Packing the final payload with ASProtect
Exfiltrating documents to a C2 server

2022-02-08 NSFocus - Apt Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government 
PDF: https://contagio.deependresearch.org/read/Ember_Bear_2022_APT_Retrospection__Lorec53%2C_An_Active_Russian_Hack_Group_Launched_Phishing_Attacks_Against_Georgian_Government.pdf

Summary:

In July 2021, a phishing campaign was discovered targeting Georgian government officials and using current political issues to create bait for specific victims.

The campaign utilized phishing documents named "828-ში ცვლილება.doc" and "დევნილთა 2021-2022 წლების სტრატეგიის სამოქმედო გეგმა.doc" to lure victims into enabling the editing feature of Office and executing malicious macros.

The malicious macros created a C# Dropper Trojan that downloaded and executed an AutoIt executable doc, a customized Trojan designed to steal various document-typed files from the victim's computer.

The attacker, tentatively named Lorec53, has been linked to a similar phishing campaign against the Ukrainian government in April 2021.

The attacker is believed to be a Russian hacking group that uses known generation tools to build the attack process and has a bias toward espionage operations.

The attacker controls a large amount of attack resources in the Russian network domain and has been found to conduct long-term vulnerability scanning activities.

 

Summary:

WhisperGate MBR payload: Tampering with the Master Boot Record (MBR) to render the system inoperable. The ransomware note is stored in a buffer that is written over the MBR.
Discord downloader and injector: After gaining a foothold, the stage 2 binary downloads and launches a payload via Discord, which then launches a number of events such as adding Windows Defender exclusion, stopping Windows Defender, and deleting the Windows Defender directory.
File corruptor: The file corruptor payload is loaded in memory via process hollowing and targets any local hard drives, attached USB drives, or mounted network shares. The file corruptor scans directories for files matching specific extensions, overwrites the start of each file with 1MB of static data, renames each file with a randomized extension, and deletes itself.
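
For incident triage, the overwrite behaviour described above can be checked directly on disk: a file whose leading bytes are one long run of the 0xCC fill byte mentioned earlier on this page is a candidate victim of the file corruptor. The following is an added example, not code from the original post or the cited reports; it assumes the static data is the 0xCC fill, and the reporting threshold, scan cap and sample file names are constructed for illustration.

```python
import os
import tempfile

FILL_BYTE = 0xCC              # fill value named on this page
DEFAULT_MIN_RUN = 4096        # assumption: shortest leading run worth reporting
SCAN_LIMIT = 2 * 1024 * 1024  # assumption: stop measuring after 2 MiB


def fill_run_length(path, limit=SCAN_LIMIT, fill=FILL_BYTE, chunk=65536):
    """Count how many bytes at the start of the file equal the fill byte."""
    pattern = bytes([fill])
    run = 0
    with open(path, "rb") as fh:
        while run < limit:
            buf = fh.read(min(chunk, limit - run))
            if not buf:
                break  # end of file
            rest = buf.lstrip(pattern)
            run += len(buf) - len(rest)
            if rest:
                break  # first non-fill byte reached
    return run


def triage(root, min_run=DEFAULT_MIN_RUN):
    """Return sorted (relative path, fill run, file size) for suspect files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                run = fill_run_length(path)
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if run >= min_run:
                hits.append((os.path.relpath(path, root), run, size))
    return sorted(hits)


def build_sample_tree(root):
    """Create constructed test files: one overwritten, three untouched."""
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        # 1 MiB of fill followed by surviving original data, renamed extension
        os.path.join("docs", "budget.xlsx.q7Zp"):
            b"\xcc" * (1024 * 1024) + b"tail-data" * 100,
        os.path.join("docs", "report.docx"): b"PK\x03\x04" + b"A" * 5000,
        "notes.txt": b"meeting at 10\n",
        # short 0xCC prefix, e.g. compiler padding; below the threshold
        "partial.bin": b"\xcc" * 100 + b"\x00" * 5000,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, run, size in triage(tmp):
            print(f"{rel}\tfill_run={run}\tsize={size}")
```

On a live case, run it against a read-only mount or forensic image so the sweep does not change file access times.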
 

 

Summary:
The DEV-0586 APT group targeted Ukrainian organizations with WhisperGate wiper malware.
WhisperGate is a two-stage wiper malware that masquerades as ransomware. The initial access stage is unknown, but it is suspected to be a supply chain attack.
In its first stage, WhisperGate overwrites the Master Boot Record (MBR) with a fake ransom note, making the infected system unable to boot up.
In its second stage, WhisperGate corrupts files with certain extensions by overwriting them and renaming them with a random four-byte extension.
DEV-0586 uses the following TTPs in their WhisperGate campaign:
Execution: The first stage uses Windows Command Shell and the second stage uses PowerShell to connect to its Command and Control server.
Defense Evasion & Persistence: WhisperGate modifies the MBR to evade defenses and delivers its payload in Base64 encoding.
Discovery: The second stage searches for specific file extensions in certain directories.
Command and Control: The second stage downloads file corruptor payload from a Discord channel hosted by the APT group.
Impact: WhisperGate overwrites the MBR and files, affecting their integrity.

Summary:
The Elephant malware is a threat group associated with pro-Russian cyber attacks, primarily focused on cyber espionage with a focus on key state sectors in Ukraine. The group, also known as UAC-0056, Lorec53, UNC2589, EmberBear, LorecBear, BleedingBear, SaintBear, and TA471, has been active since at least March 2021. The malware is part of the Elephant Framework, a collection of tools written in the Go language and deployed in recent phishing attacks on .gov.ua targets.

The Elephant Framework uses the spear-phishing tactic for initial compromise, with emails originating from spoofed Ukrainian email addresses and using social engineering techniques. The launcher component, written in Go language or Python, downloads the malware payload and establishes persistence. The downloader component, Java-sdk.exe, also written in Go, is responsible for downloading the Elephant Framework, which includes two components: GrimPlant, a backdoor that allows remote execution of PowerShell commands, and GraphSteel, a stealer used for data exfiltration of credentials, certificates, passwords, and other sensitive information.

GraphSteel exfiltrates information using WebSockets and the GraphQL query language, with all communication encrypted using the AES cipher. The malware runs a heartbeat routine every 20 seconds and an exfiltration routine every 20 minutes, exfiltrating files from designated folders and harvests credentials from various sources.

In one reported phishing campaign, the attackers deployed Cobalt Strike Beacon in parallel with the malware; the Beacon downloads another executable from Discord. The C&C server used by the Elephant Framework is different from the one used by the Cobalt Strike Beacon.

 

2021-04-06 Malwarebytes - A deep dive into Saint Bot, a new downloader
PDF: http://contagio.deependresearch.org/read/Nodaria_2022_A_deep_dive_into_Saint_Bot%2C_a_new_downloader.pdf

Summary:

In March 2021, Malwarebytes analysts discovered a phishing email that contained a zip file with unfamiliar malware.

The malware was a PowerShell script disguised as a link to a Bitcoin wallet, which led to the download of a lesser-known malware called Saint Bot. Saint Bot is a downloader that can be used to distribute various types of malware and is being actively developed.
The malware is distributed through phishing emails with a zip attachment that lures victims with the promise of accessing a Bitcoin wallet.
 
The malware employs a variety of techniques, including obfuscation and anti-analysis techniques, process injection, and command and control infrastructure and communication.
The initial malware is a .NET downloader that carries another .NET binary in its resources.

The second .NET binary is responsible for downloading and deploying two executables, one that disables Windows Defender and another that is the main payload. The main payload is heavily obfuscated and sets up persistence by installing itself in the startup directory and creating a new 

The content sent to/from the C2 is obfuscated using an algorithm that is different from the one used to obfuscate internal strings.

2021-11 NSFocus - 2021 Analysis Report on Lorec53 Group 
PDF: https://s3.amazonaws.com/contagio.deependresearch.org/read/EmberBear+_2021_-Lorec53-Group+(1).pdf

Summary:

A new APT group called Lorec53 has been identified by NSFOCUS Security Labs, targeting Eastern European countries like Ukraine and Georgia with espionage attacks against government workers.

Lorec53 uses a variety of social engineering techniques, such as phishing attacks, watering hole sites, and lnk script execution, along with temporary domain names like .site, .space, .xyz, and others.

The group has acted like a mercenary hacker group by using the attack methods and network facilities of other hacker groups to launch unique downloaders and spy Trojan programs.

Lorec53's attack payloads include Trojan horse programs like LorecCPL and LorecDocStealer, which have not been seen in other spying activities.

The group prefers to use attack resources from Russia, such as servers owned by Russian service providers and registrants and Trojan horse programs from Russian hacker forums or black markets.

The group's phishing attacks involve fake documents with malicious macros that download and run the LorecDocStealer Trojan, and fake download pages disguised as Adobe Acrobat DC readers, among others.

Lorec53 has also used fake websites, including a fake website for the President of Ukraine, to lure people in and send them malware.

The group is suspected to have been behind a phishing campaign that targeted Iran's Android app, using watering hole sites and an Android Trojan called Pardakht to steal SMS messages from Iranian cell phone users.

Hashes


Detailed Hash information:



MD5 | SHA1 | SHA256 | FileName
4d01975268c215fc26ed79ebd17ec22d | 64c6752af3632f6f49fd6db091182e753e5d9f80 | 992df82cf31a91acd034411bb43a1ec127fa15d613b108287384882807f81764 | Повідомлення про вчиненя злочину (Білоус Олексій Сергійович).docx
ccc3750d9270d1e8c95649d91f94033b | 058f0190a58646ab1a6295eed496732e1e3f7cbf | 29decd1e88b297aa67fef6e14e39889cfd2454c581b9371a1003b63a28324d0f | 29decd1e88b297aa67fef6e14e39889cfd2454c581b9371a1003b63a28324d0f.exe
af9a60ea728985f492119ebf713e0716 | 4fecd1895b6f7ff41b8b0dee700b5f194743b36a | 9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a | load4849kd30.exe
cd8915c63f3134425aa7c851f5f1e645 | 3ba578e4396145b18747c914fed9d6c8f027fe2c | 0f9f31bbc69c8174b492cf177c2fbaf627fcdb5ac4473ca5589aa2be75cee735 | GoogleUpdateSetup.exe

Article: Malware Arsenal used by Ember Bear (aka UAC-0056,Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) in attacks targeting Ukraine (samples) - published over 1 year ago.

https://contagiodump.blogspot.com/2023/02/malware-arsenal-used-by-ember-bear-aka.html   
Published: 2023 02 18 07:59:00
Received: 2023 02 18 08:20:57
Feed: contagio
Source: contagio
Category: Cyber Security
Topic: Cyber Security