Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)

January 7, 2022
Last update posted on February 3, 2024
A new malware, dubbed “Blister” by the Elastic Security team that identified it, leverages valid code-signing certificates on Windows systems to avoid detection by antivirus software. The malware is named after one of its payloads, Blister, which in turn deploys second-stage payloads.

The threat actors orchestrating the Blister campaigns have been active since 15 September 2021 and have been using code-signing certificates that were validated on 23 August 2021. These certificates were issued by Sectigo to Blist LLC’s mail.ru email address. It is notable that mail.ru is a widely used Russian email service provider.

The malware masquerades its malicious components as genuine executable files, which gives it a low detection rate. Apart from using code-signing certificates, the threat actors also use other techniques, such as binding Blister to a legitimate library on the infected system, to stay under the radar.

Modus Operandi of the Blister Campaign

Threat actors are known to use code-signing to circumvent basic static security checks and compromise victim systems. The Blister malware is no different: it uses a Sectigo-issued certificate to make the loader program look genuine to security products. It then deploys a Remote Access Trojan (RAT) on the target system to gain unauthorized access.

A .dll file is used as the second-stage payload to execute the encoded RAT / Cobalt Strike beacon. Since the .dll file itself carries no obvious malicious traces, it has very few detections on VirusTotal. The loader uses Rundll32.exe to execute the LaunchColorCpl function exported by the malicious .dll file.

Overview of the Blister malware campaign

Leveraging Code-Signing Certificates to Avoid Detection

  • The image below contains the details of the certificate issued to an entity called “Blist LLC”. It is common for cybercriminals either to steal code-signing certificates from compromised targets or to use a front company to obtain a certificate with which to sign the malware.
Certificate issued to Blist LLC

  • Sectigo has since revoked the certificate used to sign the binary.
Certificate issued by Sectigo

First Stage of Infection

Overview of the Loader

  • The loader writes a malicious .dll file in a directory created inside the user Temp folder. 
  • In one of the analysed samples, the malware created a folder named “goalgames” and inside it the loader dumped holorui.dll.
  • The .dll houses the code for deploying the RAT to gain unauthorized access to the infected system.
The loader writes a .dll file in the user Temp folder

Step by Step Working of the Loader

  • The Win32 API CreateDirectoryW is used to create a folder called “goalgames” in the directory C:\Users\<user>\AppData\Local\Temp, as shown below.
Using Win32 API CreateDirectoryW to create a folder in the user Temp folder

  • Before dumping the .dll, the loader sets the working directory to C:\Users\<user>\AppData\Local\Temp\goalgames via Win32 API SetCurrentDirectoryW.
Using Win32 API SetCurrentDirectoryW to set the working directory

  • After setting the working directory, the malware resolves the filename for the .dll file to holorui.dll and stores it in the RCX register, to later pass it to the Win32 API CreateFileW.
The malware resolves the filename for the .dll file to holorui.dll

  • The file C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll is created using the CreateFileW API. 
holorui.dll created using CreateFileW API

  • Once the file is created, the malware writes the content to the file by iteratively transferring bytes from the .dll payload embedded in the loader. The Win32 API WriteFile is used to write the contents into holorui.dll.
Win32 API WriteFile used to write contents into holorui.dll

  • The malicious .dll is embedded in the initialized data segment of the PE executable of the loader and the bytes are transferred into C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll.
The MZ header of the embedded file

  • Once the bytes have been written, the malware closes its handle to holorui.dll on disk in the Temp directory, which completes delivery of the second-stage payload.
File handles closed by the malware

  • The successful delivery of the malicious .dll can be confirmed by analyzing the interaction of the malware on the system.
Successful delivery of the malicious .dll

  • Based on the analysis of multiple signed loader samples, we enumerated the following distinct directory and payload names used across different samples from the same campaign:
    • C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll
    • C:\Users\<user>\AppData\Local\Temp\Framwork\axsssig.dll
    • C:\Users\<user>\AppData\Local\Temp\oarimgamings\holorui.dll
    • C:\Users\<user>\AppData\Local\Temp\guirtsframworks\Pasade.dll

Note: The content of the .dll is the same despite the different names.
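The loader stores the second-stage DLL as raw bytes in its initialized data segment, so an analyst can recover it without running the loader by scanning for an MZ header whose e_lfanew points at a valid PE signature and then sizing the image from its section table. The following carver is an added example, not code from this write-up; the SAMPLE buffer is a constructed stand-in for a loader, and build_fake_pe is a helper that fabricates a minimal, non-runnable PE image purely for the demonstration.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def _pe_file_size(data: bytes, base: int) -> int:
    """Size of the on-disk PE image starting at data[base], or 0 if no valid PE is there."""
    if base + 0x40 > len(data):
        return 0
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]   # offset of "PE\0\0"
    nt = base + e_lfanew
    # heuristic bounds: NT headers must follow the DOS header and lie inside the buffer
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or nt + 24 > len(data):
        return 0
    if data[nt:nt + 4] != PE_SIG:
        return 0
    num_sections = struct.unpack_from("<H", data, nt + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]       # COFF SizeOfOptionalHeader
    if not 0 < num_sections <= 96:
        return 0
    sec = e_lfanew + 24 + opt_size           # section table, relative to base
    end = sec + 40 * num_sections            # image is at least as big as its headers
    if base + end > len(data):
        return 0
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, base + sec + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end if base + end <= len(data) else 0   # reject truncated images


def find_embedded_pe(data: bytes, min_offset: int = 1):
    """Return (offset, size) for every PE image found at or after min_offset.

    min_offset=1 skips the host executable's own header at offset 0.
    """
    hits = []
    pos = data.find(MZ, min_offset)
    while pos != -1:
        size = _pe_file_size(data, pos)
        if size:
            hits.append((pos, size))
        pos = data.find(MZ, pos + 1)
    return hits


def carve(data: bytes):
    """Return each embedded image as bytes, ready to be saved (e.g. as holorui.dll) for analysis."""
    return [data[off:off + size] for off, size in find_embedded_pe(data)]


def build_fake_pe(payload: bytes) -> bytes:
    """Construct a minimal, non-runnable PE (one .data section, no optional header) for the demo."""
    dos = MZ + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)       # 1 section, opt size 0
    raw_ptr = 0x40 + 4 + 20 + 40                                        # headers end at 0x80
    section = b".data\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
    return dos + PE_SIG + coff + section.ljust(40, b"\0") + payload


# Constructed loader-like buffer: host image, padding, the embedded DLL, trailing junk.
HOST = build_fake_pe(b"loader-code") + b"\0" * 512
EMBEDDED = build_fake_pe(b"second-stage-dll")
SAMPLE = HOST + EMBEDDED + b"\xCC" * 64

if __name__ == "__main__":
    for off, size in find_embedded_pe(SAMPLE):
        print(f"embedded PE at offset {off:#x}, {size} bytes")
```

On a real loader, read the file into `data` and write out each element of `carve(data)`; the carved image is what the loader would have written as holorui.dll, so its hash can be compared with the DLL indicator listed below.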

Second Stage of Infection

  • At the second stage of infection, the loader generates a command line to execute the function LaunchColorCpl exported from the .dll via Rundll32.exe on the infected system.
Command line to execute the function LaunchColorCpl

  • A new process is created with the above command line, spawning a Rundll32 process via the CreateProcessW Win32 API.
Spawning a Rundll32 process via CreateProcessW Win32 API

  • The newly spawned Rundll32.exe process is listed in the process listing on the infected machine. 
Newly spawned Rundll32.exe process

Command line confirmation for the newly spawned process

  • The final payload is executed by the Rundll32.exe process.  
Network activities between the infected host and the attacker C2
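The two observable steps above, a DLL dropped into a fresh sub-folder of the user's Temp directory and the dropping process then spawning Rundll32.exe on that DLL with the LaunchColorCpl export, can be correlated in endpoint telemetry. The detector below is an added example, not code from this write-up; the event records are constructed to resemble Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate), the field names are assumptions about that schema, and the GUIDs are placeholders.

```python
import re

# DLL written one directory below %LOCALAPPDATA%\Temp (the pattern seen in every sample above)
TEMP_DLL = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\\[^\\]+\.dll$", re.I)
# rundll32 [path]\x.dll,Export  (quotes optional); captures the DLL path and the export name
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
SUSPICIOUS_EXPORT = "launchcolorcpl"


def analyse(events):
    """Return alerts ({'level', 'dll', 'reason'}) for a chronologically ordered event list."""
    drops = {}          # lower-cased DLL path -> ProcessGuid of the process that wrote it
    alerts = []
    for ev in events:
        if ev["EventID"] == 11 and TEMP_DLL.match(ev["TargetFilename"]):
            drops[ev["TargetFilename"].lower()] = ev["ProcessGuid"]
            alerts.append({"level": "medium", "dll": ev["TargetFilename"],
                           "reason": "DLL written into a sub-folder of the user Temp directory"})
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith("\\rundll32.exe"):
            m = RUNDLL.search(ev["CommandLine"])
            if not m:
                continue
            dll, export = m.group("dll"), m.group("export")
            writer = drops.get(dll.lower())
            if writer is not None and writer == ev["ParentProcessGuid"]:
                # the process that dropped the DLL is the one launching rundll32 on it
                alerts.append({"level": "high", "dll": dll,
                               "reason": f"rundll32 executing the DLL its parent dropped, export {export}"})
            elif TEMP_DLL.match(dll) or export.lower() == SUSPICIOUS_EXPORT:
                alerts.append({"level": "medium", "dll": dll,
                               "reason": f"rundll32 loading a Temp DLL or known export {export}"})
    return alerts


# Constructed telemetry; GUIDs are placeholders, field names are assumed Sysmon-style names.
EVENTS = [
    {"EventID": 11, "ProcessGuid": "{LOADER}",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\goalgames\holorui.dll"},
    {"EventID": 1, "ProcessGuid": "{RUNDLL}", "ParentProcessGuid": "{LOADER}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\goalgames\holorui.dll,LaunchColorCpl"},
    # benign control-panel launch from Explorer: must not alert
    {"EventID": 1, "ProcessGuid": "{CPL}", "ParentProcessGuid": "{EXPLORER}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(a["level"].upper(), a["dll"], "-", a["reason"])
```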

In Part 2 of this article we will cover the internal working of the .dll payload in detail.

Indicators of Compromise (IoCs)

FileHash-MD5


FileHash-SHA1


FileHash-SHA256


Domains

  • discountshadesdirect.com
  • clippershipintl.com
  • bimelectrical.com

IPv4

  • 93.115.18.248
  • 188.68.221.203
  • 185.170.213.186

Signed loaders


DLL

  • BE7E259D5992180EADFE3F4F3AB1A5DECC6A394DF60C7170550B3D222FCE5F19
