Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team has uncovered a ransomware attack disrupting India's banking system, targeting banks and payment providers. Initiated through a misconfigured Jenkins server at Brontoo Technology Solutions, the attack is linked to the RansomEXX group.

Author: CloudSEK TRIAD
Green Alert
Last update posted on August 1, 2024

Category: Adversary Intelligence

Industry: BFSI

Region: Asia

Motivation: Financial

TLP: AMBER

Executive Summary

CloudSEK's threat research team is closely monitoring a significant ransomware attack that has disrupted India's banking ecosystem, impacting banks and payment providers. This report aims to dissect the attack chain, uncover adversary tactics, and offer actionable insights for organizations to enhance their security posture. As the situation is still unfolding, this report will provide ongoing updates and recommendations to address the evolving threat landscape.

The impacted entity in this case is Brontoo Technology Solutions, a key collaborator with C-EDGE, a joint venture between TCS and SBI. This report aims to explore the broader implications of this attack on the ecosystem.

Understanding the Potential Attack Chain

According to the report filed by Brontoo Technology Solutions with CERT-In (the Indian Computer Emergency Response Team), the attack chain started at a misconfigured Jenkins server. CloudSEK's threat research team was able to identify the affected Jenkins server and, from there, the attack chain.

We have recently published extensively on the exploitation of Jenkins through a local file inclusion vulnerability; read the case study here and the complete exploit chain here.

Screenshot of Shodan identifying the said vulnerability on the targeted server

  • Vulnerability: CVE-2024-23897. The Jenkins instance used by Brontoo Technology was affected by the same LFI CVE, which can be leveraged to read internal code or, in this case, because port 22 was open, to obtain secure shell access by reading private keys.
  • Initial Access Brokerage is a primary part of the ransomware ecosystem. Looking at the history and the attack chains recently exploited, we suspect (with low confidence) that this access could have been sold by IntelBroker (a threat actor and moderator on BreachForums) to the RansomEXX group for further exploitation.

This flowchart shows the attack path for compromising the Jenkins server using the said vulnerability.

Analysis and Attribution

Through our investigation and by leveraging sensitive sources, we have confirmed that the ransomware group responsible for this attack is RansomEXX. This determination was facilitated by our extensive engagement with the affected banking sector in India.

RansomEXX v2.0 is a sophisticated variant of the RansomEXX ransomware, known for targeting large organizations and demanding significant ransom payments. This group operates as part of a broader trend where ransomware developers continuously evolve their malware to bypass security defenses and maximize their impact. 

Below is a detailed analysis of the RansomEXX v2.0 ransomware group:

1. Background and Evolution

  • Initial Emergence: RansomEXX, initially known as Defray777, first appeared in 2018. It was rebranded to RansomEXX in 2020.
  • Evolution to v2.0: The v2.0 variant emerged as a response to the increasing effectiveness of defensive measures. This evolution indicates enhancements in encryption techniques, evasion tactics, and payload delivery methods.

2. Infection Vectors and Tactics

  • Initial Access: Common vectors include phishing emails, exploiting vulnerabilities in remote desktop protocols (RDP), and leveraging weaknesses in VPNs and other remote access services.
  • Lateral Movement: After initial access, the group employs tools like Cobalt Strike, Mimikatz, and other legitimate administrative tools to move laterally within a network.
  • Privilege Escalation: Utilizing known exploits and credential theft to gain higher privileges within the compromised environment (see the Appendix for the complete table).

3. Payload and Encryption

  • Encryption Algorithm: RansomEXX v2.0 uses strong encryption algorithms, such as RSA-2048 and AES-256, making file recovery without the decryption key virtually impossible.
  • File Encryption: Targets critical files and backups, rendering them inaccessible. The group often exfiltrates data before encryption to use it as leverage (double extortion).

4. Ransom Demands and Negotiation

  • Ransom Notes: Victims receive detailed ransom notes with instructions for payment, typically in Bitcoin or other cryptocurrencies.
  • Negotiation Tactics: RansomEXX is known to engage in negotiations, sometimes lowering ransom demands based on the victim's response and perceived ability to pay.

5. Notable Incidents

  • High-Profile Attacks: RansomEXX has targeted a range of high-profile organizations across various sectors, including government agencies, healthcare providers, and multinational corporations.
  • Impact and Response: The attacks have resulted in significant operational disruptions, data breaches, and financial losses. Many victims have resorted to paying the ransom to restore operations quickly.

6. Recent Developments

  • Adaptive Techniques: RansomEXX v2.0 continues to evolve, incorporating new techniques to bypass security measures. Recent reports indicate the use of stolen digital certificates to sign malware, increasing trust and reducing detection rates.
  • Collaboration with Other Threat Actors: There is evidence of collaboration with other cybercriminal groups, sharing tools, techniques, and infrastructure.

Attack History

While analyzing the attack history we found the following information:

1. Region-wise distribution: The ransomware group has mainly been active in Europe, Asia and the Americas. They target the continents and regions with the maximum chance of payout.

Pie chart showing the region-wise distribution of attacks

2. Sector-wise distribution: The most targeted industry is Government, followed by Technology, then Manufacturing, Telecom and Healthcare. All of these industries are business-critical and offer the maximum chance of a payout or reputational uplift for the group.

Pie chart showing the sector-wise distribution of attacks

3. Timeline of attacks: Since the ransomware group was rebranded it has had a total of 58 victims; the following timeline represents the number of attacks per year:

4. Some notable hacks: As mentioned above, RansomEXX is known to target high-value organizations; the following are some of the notable organizations they have attacked.

  1. Telecommunications Services of Trinidad and Tobago
  2. Ministry of Defense of Peru
  3. Kenya Airways
  4. Ferrari
  5. Viva Air
  6. LITEON

Larger Impact and Current Situation Analysis

  • This attack highlights a significant vulnerability within our current systems and threat modeling practices. Large organizations with substantial security budgets are more challenging to breach, prompting attackers to exploit the path of least resistance. Consequently, supply chain attacks have become increasingly prevalent. The key takeaway from this report is not only that the primary organization should maintain an updated Jenkins server, but all critical vendors must also ensure their Jenkins servers are consistently up to date.
  • This situation is still evolving, with negotiations ongoing with the ransomware group, and the data has yet to be published on their PR website.
  • The ransomware group has a history of making extravagant ransom demands, and we anticipate a similar approach in this case.
  • These groups are meticulous in assessing the victim's payment capabilities and the nature of the encrypted data, which they use as leverage.
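The attack chain above (an unpatched Jenkins instance exposed together with SSH) and the takeaway that every critical vendor's Jenkins must stay current both reduce to the same defender-side check: inventory the Jenkins servers you and your vendors operate, compare each version against the fixed releases, and raise the severity where SSH is also reachable. The following is an added example written for this page, not code from CloudSEK or from the Jenkins project. The fixed versions (weekly 2.442, LTS 2.426.3) come from the Jenkins security advisory for CVE-2024-23897, not from this report; the inventory, organisation names and hostnames are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Fixed releases for CVE-2024-23897 per the Jenkins advisory (SECURITY-3314):
# weekly line 2.442, LTS line 2.426.3. Older builds on the same line are affected.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


@dataclass
class JenkinsHost:
    owner: str               # organisation running the instance (hypothetical)
    host: str                # hostname (hypothetical)
    version: str             # value of the X-Jenkins response header
    open_ports: Tuple[int, ...]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.426.2' -> (2, 426, 2); weekly builds have two components, LTS three."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the build predates the fix on its own release line."""
    parsed = parse_version(version)
    fixed = FIXED_LTS if len(parsed) == 3 else FIXED_WEEKLY
    return parsed < fixed


def assess(inventory: List[JenkinsHost]) -> List[Tuple[str, str, str, str]]:
    """Return (owner, host, version, severity) for every instance.

    An affected build is 'high'; an affected build with SSH (22) also exposed is
    'critical', mirroring the chain in this report where arbitrary file read
    led to private-key exposure and shell access.
    """
    findings = []
    for entry in inventory:
        affected = is_affected(entry.version)
        if affected and 22 in entry.open_ports:
            severity = "critical"
        elif affected:
            severity = "high"
        else:
            severity = "ok"
        findings.append((entry.owner, entry.host, entry.version, severity))
    return findings


# Constructed inventory: the bank's own server plus three hypothetical vendors.
SAMPLE_INVENTORY = [
    JenkinsHost("bank", "ci.bank.example", "2.452.1", (8080,)),
    JenkinsHost("vendor-a", "jenkins.vendor-a.example", "2.426.2", (8080, 22)),
    JenkinsHost("vendor-b", "build.vendor-b.example", "2.441", (8080,)),
    JenkinsHost("vendor-c", "ci.vendor-c.example", "2.440.1", (8080, 22)),
]

if __name__ == "__main__":
    for owner, host, version, severity in assess(SAMPLE_INVENTORY):
        print(f"{severity:8} {owner:10} {host:28} {version}")
```

The version check is line-aware on purpose: a naive numeric comparison against 2.442 would wrongly clear LTS 2.426.2 and wrongly flag LTS 2.440.1, which shipped after the fix. In practice the `version` field is read from the `X-Jenkins` header that Jenkins returns on its root URL, and `open_ports` from your own asset scanner or the vendor's attestation.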

Threat Actor Activity and Rating

Threat Actor Profiling

Active since: The original group (Defray777) has been active since 2018

PR website: hxxp[:]//rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion

Current Status: Active and a sudden surge in activity

History: Targets high-value organizations

Appendix

MITRE ATT&CK framework mapped to TTPs

Initial Access

- Phishing: Spear Phishing Attachment (T1566.001): Attackers use targeted phishing emails with malicious attachments.

- Exploit Public-Facing Application (T1190): Exploiting vulnerabilities in public-facing applications.

- Valid Accounts (T1078): Using stolen or brute-forced credentials.

Execution

- Command and Scripting Interpreter: PowerShell (T1059.001): Utilizing PowerShell scripts to execute malicious commands.

- Command and Scripting Interpreter: Windows Command Shell (T1059.003): Using the command prompt to execute malicious commands.

- System Services: Service Execution (T1569.002): Using Windows services to execute the ransomware payload.

Persistence

- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Modifying registry keys or adding files to the startup folder.

- Create or Modify System Process: Windows Service (T1543.003): Creating or modifying Windows services for persistence.

Privilege Escalation

- Exploitation for Privilege Escalation (T1068): Exploiting vulnerabilities to escalate privileges.

- Valid Accounts: Local Accounts (T1078.003): Using local administrator accounts.

Defense Evasion

- Obfuscated Files or Information (T1027): Using obfuscation techniques to avoid detection.

- Deobfuscate/Decode Files or Information (T1140): Decrypting or decoding files to execute payloads.

- Impair Defenses: Disable or Modify Tools (T1562.001): Disabling antivirus and other security tools.

Credential Access

- OS Credential Dumping: LSASS Memory (T1003.001): Dumping credentials from the LSASS process.

- OS Credential Dumping: NTDS (T1003.003): Dumping Active Directory credentials.

Discovery

- Network Service Discovery (T1046): Enumerating network services.

- System Information Discovery (T1082): Gathering information about the OS and hardware.

- Process Discovery (T1057): Enumerating running processes.

Lateral Movement

- Remote Services: Remote Desktop Protocol (T1021.001): Using RDP to move laterally within the network.

- Remote Services: SMB/Windows Admin Shares (T1021.002): Using SMB shares to move laterally and deploy ransomware payloads.

Collection

- Data from Local System (T1005): Collecting data from the local system.

- Data Staged: Local Data Staging (T1074.001): Staging collected data locally before encryption or exfiltration.

Exfiltration

- Exfiltration Over C2 Channel (T1041): Exfiltrating data over an established command and control (C2) channel.

- Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): Using web services to exfiltrate data.

Impact

- Data Encrypted for Impact (T1486): Encrypting files on the victim’s system.

- Service Stop (T1489): Stopping services to facilitate encryption and hinder recovery efforts.

- Inhibit System Recovery (T1490): Deleting or disabling backup and recovery systems.

Indicators of Compromise

SHA256

62e9d5b3b4d5654d6ec4ffdcd7a64dfe5372e209b306d07c6c7d8a883e01bead

6962e408aa7cb3ce053f569415a8e168a4fb3ed6b61283c468f6ee5bbea75452

981e6f2584f5a4efa325babadcb0845528e8147f3e508c2a1d60ada65f87ce3c

98266835a238797f34d1a252e6af0f029c7823af757df10609f534c4f987e70f

ad635630ac208406cd28899313bef5d4e57dba163018dfb8924de90288e8bab3

b6ed0a10e1808012902c1a911cf1e1b6aa4ad1965e535aebcb95643ef231e214

b89742731932a116bd973e61628bbe4f5d7d92b53df3402e404f63003bac5104

d931fe8da243e359e9e14f529eafe590b8c2dd1e76ca1ad833dd0f927648f88b

ec2a22d92dd78e37a6705c8116251fabdae2afecb358b32be32da58008115f77

f9c6dca22e336cf71ce4be540905b34b5a63a7d02eb9bbd8a40fc83e37154c22

09c99e37121722dd45a2c19ff248ecfe2b9f1e082381cc73446e0f4f82e0c468

4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d

cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849

259670303d1951b6b11491ddf8b76cad804d7a65525eac08a5b6b4473b42818b

48301f37e92a9d5aa29710bda4eee034dd888a3edd79e2f74990300ffd8eb3b6

48460c9633d06cad3e3b41c87de04177d129906610c5bbdebc7507a211100e98

4b8103cd9fbb0efb472cbf39715becacf098f7ee44bf98f6672278e4e741542b

5c3569c166654eed781b9a2a563adec8e2047078fdcbafcdef712fabf2dd3f57

5ccf8c6bf9c39ccb54c5ebabd596a1335da522d70985840036e50e3c87079ab4

335d1c6a758fcce38d0341179e056a471ca84e8a5a9c9d6bf24b2fb85de651a5

452c219223549349f3b2c4fe25dfef583900f8dac7d652a4402cf003bf5ecf46

URLs

hxxp://iq3ahijcfeont3xx.sm4i8smr3f43.com

hxxps://iq3ahijcfeont3xx.tor2web.blutmagie.de

hxxp://iq3ahijcfeont3xx.fenaow48fn42.com
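Indicator lists like the one above are published defanged (hxxp, [:], [.]) so that they cannot be clicked by accident, which means they must be normalised before they can be matched against proxy or EDR telemetry. The following added example (written for this page, not CloudSEK tooling) refangs the report's URL indicators, extracts their hostnames, and sweeps a handful of constructed log lines for both the hostnames and the report's SHA256 hashes. The log lines, usernames and paths are constructed for illustration; the hash and URL values are taken from the IoC section of this report.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Two of the SHA256 indicators and three of the URL indicators from this report.
SHA256_IOCS = {
    "62e9d5b3b4d5654d6ec4ffdcd7a64dfe5372e209b306d07c6c7d8a883e01bead",
    "09c99e37121722dd45a2c19ff248ecfe2b9f1e082381cc73446e0f4f82e0c468",
}
DEFANGED_URL_IOCS = [
    "hxxp://iq3ahijcfeont3xx.sm4i8smr3f43.com",
    "hxxps://iq3ahijcfeont3xx.tor2web.blutmagie.de",
    "hxxp[:]//rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion",
]

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo common defanging so the URL parses: hxxp -> http, [:] -> :, [.] -> ."""
    value = ioc.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    for broken, fixed in (("[://]", "://"), ("[:]", ":"), ("[.]", "."), ("(.)", ".")):
        value = value.replace(broken, fixed)
    return value


def ioc_host(defanged_url: str) -> str:
    """Hostname of a defanged URL indicator, lower-cased for matching."""
    host = urlsplit(refang(defanged_url)).hostname
    if host is None:
        raise ValueError(f"no hostname in indicator: {defanged_url!r}")
    return host.lower()


def scan_log(lines: List[str],
             hash_iocs=SHA256_IOCS,
             url_iocs=DEFANGED_URL_IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every match.

    Hosts are matched as substrings of the lower-cased line so that both full
    URLs and bare 'host:port' fields (as in CONNECT proxy logs) are caught.
    """
    hosts = {ioc_host(u) for u in url_iocs}
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        for digest in HASH_RE.findall(line):
            if digest.lower() in hash_iocs:
                hits.append((number, "sha256", digest.lower()))
        for host in sorted(hosts):
            if host in lowered:
                hits.append((number, "host", host))
    return hits


# Constructed sample telemetry: two proxy lines and two EDR lines.
SAMPLE_LOG = [
    "2024-07-31T10:02:11Z proxy allow user=svc_build dst=iq3ahijcfeont3xx.sm4i8smr3f43.com:80",
    "2024-07-31T10:05:40Z edr process_start path=C:\\Users\\Public\\svc.exe "
    "sha256=62e9d5b3b4d5654d6ec4ffdcd7a64dfe5372e209b306d07c6c7d8a883e01bead",
    "2024-07-31T10:06:02Z proxy allow user=alice dst=updates.example.com:443",
    "2024-07-31T10:07:15Z edr file_write "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for number, kind, indicator in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind} match on {indicator}")
```

Matching on the hostname rather than the full URL is deliberate: the report lists the same host under several paths and schemes, and a host hit is the unit an analyst pivots on. The `.onion` indicator will only ever appear in telemetry from hosts that run a Tor client, which is itself a signal worth alerting on.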

Author: CloudSEK TRIAD (CloudSEK Threat Research and Information Analytics Division)
