{
	"id": "87152496-253a-4088-b400-7a1e8970ad15",
	"created_at": "2026-05-07T02:43:40.22141Z",
	"updated_at": "2026-05-07T02:44:11.005067Z",
	"deleted_at": null,
	"sha1_hash": "02746a8d2fd5ebe2a18fe6fb55cd64e4c5b63bf2",
	"title": "BYOS – Bundle Your Own Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154719,
	"plain_text": "BYOS – Bundle Your Own Stealer\r\nBy etal\r\nPublished: 2023-07-19 · Archived: 2026-05-07 02:08:50 UTC\r\nHighlights:\r\nCheck Point Research (CPR) provides an in-depth analysis of the new malware strain dubbed BundleBot, spreading under the radar.\r\nBundleBot abuses the dotnet bundle (single-file), self-contained format, which results in very low or no static detection at all.\r\nIt is commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games.\r\nCPR introduces several techniques that have proven effective for reverse engineering the dotnet bundle (single-file), self-contained format.\r\nIntroduction\r\nDuring the past few months, we have been monitoring a new, previously unknown stealer/bot, which we dubbed BundleBot, spreading under the radar and abusing the dotnet bundle (single-file), self-contained format. This form of dotnet compilation has been supported for about four years, from .NET Core 3.0+ to dotnet8+, and there are already some known malware families abusing it (e.g., Ducktail).\r\nBundleBot differs from those families in its more sophisticated infection chain, which mostly abuses Facebook Ads and compromised accounts that lead to phishing websites masquerading as regular programs, AI tools, and games. Combining the dotnet bundle (single-file), self-contained format with a multi-stage infection and custom obfuscation proved an effective way to stay under the radar with very low or no static detection at all.\r\nThe dotnet bundle (single-file), self-contained format generally results in a very large binary bloated with the whole dotnet runtime. 
Furthermore, analyzing and debugging such a file can cause problems, especially if the file is affected by obfuscation or protection.\r\nThe main subject of this research is an in-depth analysis of BundleBot, its typical vector of infection, and an explanation of the dotnet bundle (single-file), self-contained format, focusing on the general problems encountered during analysis of this file format.\r\nBackground \u0026 Key Findings\r\nSince the release of .NET Core 3.0 (2019), it has been possible to deploy .NET assemblies as a single binary. These files are executables that do not contain a traditional .NET metadata header and run natively on the underlying operating system via a platform-specific application host bootstrapper.\r\nThe dotnet bundle (single-file), self-contained format is a compilation form that produces a single executable binary that does not require a specific dotnet runtime version to be preinstalled on the OS. The executable is actually a native hosting binary that contains the whole dotnet runtime, the assemblies, and other dependencies in its overlay (so it is large – dozens of MBs). The native hosting binary is responsible for extracting everything from the overlay on execution, loading the dotnet runtime and assemblies, preparing everything, and transferring execution to the entry point of a .NET module.\r\nWhen it comes to extracting the assemblies from the overlay on execution, we can encounter different routines depending on the dotnet version targeted when compiling the specific application. 
The difference among dotnet versions is that before dotnet5+ (i.e., in .NET Core 3.0+), by default, all assemblies were extracted to disk (the temp directory) and then loaded into process memory.\r\nFrom dotnet5+ onward, all assemblies from the overlay are extracted and loaded directly into process memory (no files are dropped on disk – only native libraries, if used and not deployed separately). From dotnet5+, the extraction behaviour can be specified during compilation, but the default setting is to extract directly into memory.\r\nEven though we are still dealing with dotnet-related applications, the above description of this specific file format makes it clear that a different toolset and different techniques are needed to analyze it properly.\r\nWe detected BundleBot abusing the dotnet bundle (single-file), self-contained format as the last stage of infection in several campaigns, very likely initiated by the same threat actor.\r\nIn all cases we spotted in the wild, the initial vector of infection was Facebook Ads or compromised accounts that led to websites masquerading as regular program utilities, AI tools, and games (e.g., Google AI, PDF Reader, Canva, Chaturbate, Smart Miner, Super Mario 3D World). As one of BundleBot's capabilities is stealing Facebook account information, those campaigns could be considered self-feeding: stolen information is further used to spread the malware via newly compromised accounts.\r\nVector of infection\r\nAs we mentioned earlier, the typical initial vector of infection points to Facebook Ads or compromised accounts leading to websites masquerading as regular program utilities. 
Still, we cannot fully exclude other possible delivery methods, as we could not obtain the links of origin for all detected samples via their relevant tracking information.\r\nOnce the victim is tricked into downloading the fake program utility from the phishing website, the first-stage downloader is delivered in the form of a “RAR” archive. Those downloader stages are usually hosted on services like Dropbox or Google Drive.\r\nThe downloaded “RAR” archive contains the first-stage downloader in the self-contained dotnet bundle (single-file) format. Right upon execution of this first stage, the second stage is downloaded in the form of a password-protected “ZIP” archive, usually from a hosting service such as Google Drive. The password for the second stage is hardcoded in the downloader, usually in an encoded form.\r\nThe main part of the password-protected “ZIP” archive that gets extracted and executed is BundleBot, which abuses the dotnet bundle (single-file), self-contained format in combination with custom obfuscation.\r\nA detailed example of the infection chain related to the fake utility “Google AI”, which pretends to be a marketing tool using Google Bard AI, is shown below:\r\n1. Facebook ads or Facebook posts from compromised accounts lead to https://marketingaigg[.]com/\r\nFigure 1: Facebook post from compromised account leading to the phishing website\r\n2. The phishing website https://marketingaigg[.]com/, masquerading as a marketing tool using Google Bard AI, leads to the download page https://googlebardai[.]wiki/Googleai\r\nFigure 2: Phishing website that leads to the downloader stage\r\n3. 
The URL https://googlebardai[.]wiki/Googleai serves the “RAR” archive Google_AI.rar (SHA-256: dfa9f39ab29405475e3d110d9ac0cc21885760d07716595104db5e9e055c92a6) from the Dropbox hosting service\r\n4. Google_AI.rar contains GoogleAI.exe (SHA-256: 5ac212ca8a5516e376e0af83788e2197690ba73c6b6bda3b646a22f0af94bf59), a dotnet bundle (single-file), self-contained application\r\n5. GoogleAI.exe contains the GoogleAI.dll dotnet module, which serves as a downloader (it downloads the password-protected “ZIP” archive ADSNEW-1.0.0.3.zip from https://drive.google[.]com/uc?id=1-mC5c7o_B1VuS6dbQeDAAqLuPbfAV58O\u0026export=download\u0026confirm=t, password: alex14206985alexjyjyjj)\r\n6. The extracted content of ADSNEW-1.0.0.3.zip (SHA-256: 303c6d0cea77ae6343dda76ceabaefdd03cc80bd6e041d2b931e7f6d59ca3ef6) contains RiotClientServices.exe, a dotnet bundle (single-file), self-contained application\r\n7. RiotClientServices.exe, served and executed as the last stage, contains two malicious dotnet modules: RiotClientServices.dll – BundleBot, and LirarySharing.dll – the C2 packet data serializer\r\nSelf-Contained Dotnet Bundle – analysis and debugging problems\r\nWhen we need to analyze a self-contained dotnet bundle (single-file) binary, we immediately encounter several problems.\r\nThe first one is that we somehow need to extract all binaries that are part of the bundle overlay described earlier. This extraction lets us investigate each file statically, as we would when dealing with ordinary dotnet assemblies.\r\nAlthough not widely known, there are already existing solutions that understand the dotnet bundle format well enough to help with the extraction. We will mention both GUI-based tools and a library that can do it programmatically. 
Notably, for now, extraction of the dotnet bundle file is not supported in dnSpy/dnSpyEx.\r\nAmong the most reliable GUI-based tools that can help with the extraction are:\r\nILSpy – open-source .NET assembly browser and decompiler\r\ndotPeek – free .NET decompiler and assembly browser\r\nExtraction of dotnet bundle in ILSpy:\r\nFigure 3: Extraction of dotnet bundle in ILSpy\r\nExtraction of dotnet bundle in dotPeek:\r\nFigure 4: Extraction of dotnet bundle in dotPeek\r\nAs we already pointed out, extraction of dotnet bundle files can also be done programmatically, which is very handy when processing a larger set of files.\r\nOne of the most suitable solutions for this purpose is AsmResolver. AsmResolver is a Portable Executable (PE) inspection library that is able to read, modify and write executable files. This includes .NET modules as well as native images. 
The library exposes high-level representations of the PE while still allowing the user to access low-level structures. What is even more crucial is that AsmResolver understands the bundle file format, so we can use it to automate the extraction.\r\nA code example extracting the bundle file content using AsmResolver and PowerShell can be seen below.\r\n# Load AsmResolver and parse the bundle manifest stored in the single-file host's overlay\r\n[Reflection.Assembly]::LoadFrom(\"C:\\AsmResolver\\AsmResolver.DotNet.dll\") | Out-Null\r\n$extractionPath = \"C:\\Extracted\\\"\r\n$manifest = [AsmResolver.DotNet.Bundles.BundleManifest]::FromFile(\"C:\\RiotClientServices.exe\")\r\n# Write every embedded file to disk under its relative path, decompressing it if the bundle stored it compressed\r\nforeach($file in $manifest.Files)\r\n{\r\n    $fileInfo = [IO.FileInfo]::new($extractionPath + $file.RelativePath)\r\n    $fileInfo.Directory.Create()\r\n    [IO.File]::WriteAllBytes($fileInfo.FullName, $file.GetData($true))\r\n}\r\nNow that we have successfully extracted the whole content of the dotnet bundle file, we can use any tool that we 
would normally use to inspect ordinary dotnet assemblies, such as dnSpyEx. This allows us to investigate each dotnet assembly statically.\r\nFigure 5: Static analysis of dotnet assembly in dnSpyEx\r\nAs dotnet assemblies, especially malicious ones, are usually quite sophisticated and very often affected by some obfuscation or protection, most researchers prefer to combine the static and dynamic analysis approaches. Regarding the dynamic approach, we are getting closer to the second problem with a self-contained dotnet bundle (single-file) binary – debugging.\r\nIt is always welcome to debug dotnet assemblies in managed debuggers such as dnSpyEx. Debugging of self-contained dotnet bundle binaries was not fully supported in dnSpyEx, and trying to debug such files could result in an exception similar to the one shown below.\r\nFigure 6: DnSpyEx exception thrown when debugging self-contained dotnet bundle\r\nFortunately, the recently released version of dnSpyEx (v6.4.0) improved the debugging of such files, so we should not get this kind of exception anymore, and debugging can proceed without any problems.\r\nEven though we can debug self-contained dotnet bundle files in the latest release of dnSpyEx (v6.4.0), this does not solve the problem of dealing with obfuscated dotnet assemblies that are part of the dotnet bundle and would very likely be the main subject of our interest. 
In such cases, it is always good to be able to extract the whole content of the bundle file, deobfuscate the assemblies, and proceed with the guide below to preserve the ability to debug.\r\nWhen a dotnet binary is compiled as a self-contained bundle, it simply means that all dependencies (especially the dotnet runtime) are part of the produced application, and the application is configured (via its configuration files) to use them. Those configuration files are the main problem affecting debugging after extraction of the bundle and deobfuscation of each protected assembly.\r\nTo overcome this, we can convert the self-contained dotnet bundle file into a non-self-contained, non-single-file .NET program. The converted program is thereby tricked into using the dotnet runtime installed in the OS, so we must make sure to have the matching version installed.\r\nThe conversion can be accomplished with the following steps:\r\nExtracting the content of the dotnet bundle file (as described earlier).\r\nFinding out the dotnet runtime version to install in the OS and installing it. To quickly find out which specific version of the dotnet runtime our .NET application depends on, we can locate and check the configuration files [appname].runtimeconfig.json and [appname].deps.json, which should be inside the previously extracted content. In the example below, we can clearly see that we need to install .NET Runtime 5.0.17, x86.\r\nFigure 7: Configuration files\r\nFigure 8: Required version of dotnet runtime to be installed (Microsoft)\r\nModifying the content of the configuration files [appname].runtimeconfig.json and [appname].deps.json. 
By modifying these files, we convert the application into a non-self-contained, non-single-file .NET program and force it to use the installed version of the dotnet runtime.\r\nModify [appname].runtimeconfig.json by changing the “includedFrameworks” string to “frameworks”.\r\nFigure 9: Modification of “[appname].runtimeconfig.json”\r\nModify [appname].deps.json by removing the “runtimepack” entries from “libraries”.\r\nFigure 10: Modification of “[appname].deps.json”\r\nRunning and Debugging. The self-contained dotnet bundle application could depend on native libraries that are either part of the bundle (so we would already have them extracted from its content) or provided separately alongside the bundle executable. We can quickly find out whether the application has such dependencies (defined in [appname].deps.json) by checking the configuration file or by running it, as shown below.\r\nFigure 11: Dependency-related error when running the extracted bundle application\r\nTo overcome this, simply copy all dependencies that should sit alongside the bundle application to the location of the previously extracted bundle content. Now debugging should work as for ordinary .NET applications using the dotnet runtime installed in the OS.\r\nFigure 12: Debugging converted non-self-contained, non-single-file .NET app in dnSpyEx\r\nThe above guide is not necessary when we are not dealing with obfuscated/protected dotnet assemblies inside the dotnet bundle, as the latest release of dnSpyEx (v6.4.0) can debug them directly. 
Still, the workaround above is needed when we deal with obfuscated assemblies and prefer to debug them in deobfuscated form.\r\nNote that we described a general approach to converting a self-contained dotnet bundle file into an ordinary dotnet assembly, which depends on an appropriate version of the dotnet runtime being preinstalled on the target OS. This approach should work across different OS platforms (Windows, Linux, macOS).\r\nEquipped with the knowledge of how to extract the content of a self-contained dotnet bundle file and how to debug it, we can finally move forward to the analysis.\r\nTechnical Analysis: Highlights\r\nSelf-contained dotnet bundle format used to hinder analysis and static AV detection\r\nAffected by simple but effective custom-made obfuscation\r\nAbuses password-protected archives to deliver the last stage\r\nThe last stage is a new stealer/bot – BundleBot\r\nCustom homebrew packet data serialization for C2 communication\r\nTechnical Analysis – Downloader\r\nFor the analysis of the downloader stage, the sample GoogleAI.exe, SHA-256: 5ac212ca8a5516e376e0af83788e2197690ba73c6b6bda3b646a22f0af94bf59, was used.\r\nThis sample is a 32-bit self-contained dotnet bundle application (.NET Core 3.0.3), originally part of the RAR archive. After extraction of this bundle, the main module GoogleAI.dll turns out to be a downloader, affected by simple custom obfuscation – only strings and names (non-meaningful Thai text).\r\nFigure 13: Downloader affected by simple custom obfuscation\r\nPDB path of the downloader: D:\\BOT\\RAT\\Rat Ver 4.0\\HashCode\\Bot ADS-Server 4\\ClientDowload-FB\\ClientDowload\\obj\\Debug\\netcoreapp3.0\\win-x86\\GoogleAI.pdb\r\nAfter deobfuscation, the main functionality resides in the function named ProcessMain.\r\nFigure 14: Main functionality of the downloader\r\nThe main 
functionality could be summarized as follows:\r\nSingle instance check\r\nDownloading the password-protected ZIP archive, saved with a random name and a “.rar” extension\r\nArchive downloaded from: https://drive.google[.]com/uc?id=1-mC5c7o_B1VuS6dbQeDAAqLuPbfAV58O\u0026export=download\u0026confirm=t\r\nSetting the file attribute of the downloaded archive to “Hidden”\r\nExtracting the content of the downloaded archive to a newly created folder C:\\Users\\User\\Documents\\{random}, password: alex14206985alexjyjyjj\r\nSetting the attribute of the newly created folder and all “.exe” files inside it to “Hidden”\r\nTrying to execute all “.exe” files\r\nDeleting the downloaded archive\r\nBundleBot, in the form of a self-contained dotnet bundle file, is the main part of the downloaded password-protected archive and gets executed by the downloader. Notably, all analyzed downloaders contained the same hardcoded password alex14206985alexjyjyjj (either in clear text or base64 encoded) to extract the next stage.\r\nTechnical Analysis – BundleBot\r\nFor the analysis of the BundleBot stage, the sample RiotClientServices.exe, SHA-256: 6552a05a4ea87494e80d0654f872f980cf19e46b4a99d5084f9ec3938a20db91, was used.\r\nThis sample is a 32-bit self-contained dotnet bundle application (.NET 5.0.17), originally part of the password-protected ZIP archive. After extraction of this bundle, its main malicious components are the main module RiotClientServices.dll and the library LirarySharing.dll.\r\nThe assembly RiotClientServices.dll is a new custom stealer/bot that uses the library LirarySharing.dll to process and serialize the packet data sent to the C2 as part of the bot communication.\r\nThese binaries are affected by similar custom-made obfuscation that mainly focuses on name obfuscation and bloating the dotnet modules with a lot of junk code. 
Such an obfuscation results in an overwhelming number of methods and classes, which makes the analysis much harder and requires creating a custom deobfuscator to simplify the analysis process.\r\nBefore deobfuscation, the size of RiotClientServices.dll is ≈ 11MB, containing 26742 methods and 902 classes. In the case of LirarySharing.dll, the obfuscation resulted in a binary size of ≈ 10MB with 32462 methods and 9473 classes.\r\nFigure 15: Obfuscated code of the “LirarySharing.dll” – class “Serialize”\r\nOne could easily get lost in such a mess. Because of that, we quickly put together a simple deobfuscator that works for all binaries affected by similar custom obfuscation. This deobfuscator uses AsmResolver and PowerShell mainly to clean the junk code while still preserving the ability to debug.\r\n[Reflection.Assembly]::LoadFrom(\"C:\\AsmResolver\\AsmResolver.DotNet.dll\") | Out-Null\r\n$obfuscated = \"C:\\RiotClientServices.dll\"\r\n$moduleDef = [AsmResolver.DotNet.ModuleDefinition]::FromFile($obfuscated)\r\n# Removing junk methods: the injected junk methods are recognizable by exactly five calls to System.Console::WriteLine\r\nforeach($type in $moduleDef.GetAllTypes())\r\n{\r\n    foreach($method in [array]$type.Methods.Where{$_.HasMethodBody})\r\n    {\r\n        if(($method.MethodBody.Instructions.Where{$_.Opcode.Mnemonic -like \"call\" -and $_.Operand.FullName -like \"*System.Console::WriteLine*\"}).Count -eq 5)\r\n        {\r\n            $type.Methods.Remove($method) | Out-Null\r\n        }\r\n    }\r\n}\r\n# Removing junk NestedTypes: nested types whose only member is a trivial four-instruction constructor\r\nforeach($type in [array]$moduleDef.GetAllTypes().Where{$_.IsNested -and $_.Methods.Count -eq 1 -and $_.Methods[0].IsConstructor -and $_.Methods[0].MethodBody.Instructions.Count -eq 4})\r\n{\r\n    foreach($topType in $moduleDef.TopLevelTypes.Where{$type -in $_.NestedTypes})\r\n    {\r\n        $topType.NestedTypes.Remove($type) | Out-Null\r\n    }\r\n}\r\n# Removing junk TopLevelTypes: plain System.Object subclasses with only a trivial constructor and no custom attributes\r\nforeach($topType in [array]$moduleDef.TopLevelTypes.Where{$_.BaseType.FullName -like \"System.Object\" -and $_.Methods.Count -eq 1 -and $_.Methods[0].IsConstructor -and $_.Methods[0].MethodBody.Instructions.Count -eq 4 -and $_.CustomAttributes.Count -eq 0})\r\n{\r\n    $moduleDef.TopLevelTypes.Remove($topType) | Out-Null\r\n}\r\n# Originally compiled as an R2R binary; we don't care about the native precompiled code, so mark the module as IL-only\r\n$moduleDef.IsILOnly = $true\r\n$moduleDef.Write($obfuscated + \"-cleaned.dll\")\r\nThe deobfuscation reduced the size and the count of methods and classes to:\r\nRiotClientServices.dll size ≈ 124KB, 158 methods, 35 classes\r\nLirarySharing.dll size ≈ 30KB, 220 methods, 28 
classes\r\nFigure 16: Deobfuscated code of the “LirarySharing.dll” – class “Serialize”\r\nFurther deobfuscation of the names (methods, classes, etc.) can be done using the de4dot tool. Still, we should not forget to supply all binaries together (to preserve debugging – the main module references and uses the library).\r\n.\\de4dot.exe \"C:\\RiotClientServices.dll\" \"C:\\LirarySharing.dll\"\r\nFigure 17: “LirarySharing.dll” – deobfuscated vs. obfuscated\r\nAfter deobfuscation, the main logic of BundleBot can be seen in the module RiotClientServices.dll:\r\nFigure 18: Main logic of the BundleBot in the “RiotClientServices.dll” module\r\nThe main functionality could be summarized as follows:\r\nSleep patch detection (Anti-Sandbox)\r\nInstalling/Uninstalling persistence via the registry path HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, value ApplicationName\r\nInformation Stealing\r\nC2 BOT communication (TCP socket communication to C2 IP 51.79.180.158, port 5505)\r\nStolen and exfiltrated data:\r\nTelegram data\r\nDiscord token\r\nComputer information – HWID (first 10 bytes of the MD5 computed from CPU count, UserName, MachineName, OSVersion, and TotalSize of the OS drive), Windows version, UserName, Windows region – country, IP info (IP address, country, region, city, timezone, ISP) – retrieved via the services http://icanhazip[.]com and http://ip-api[.]com/json/\r\nWeb browser data (Chrome, Edge, Opera, Brave, Coccoc, Firefox) – profile name, decrypted key, 
credential cookies, passwords, bookmarks, extensions, credit cards\r\nFacebook account – uid, name, cookie, access_token, pages, ad account info, business info, browser name, browser profile name\r\nCaptured screenshot\r\nAll stolen data and C2 communication are processed, serialized, and compressed with the help of the LirarySharing.dll library. This library defines the main capabilities of the bot communication as follows:\r\nBot Identification – start TCP socket, send stolen data to C2 (serialized, GZip compressed)\r\nBot Update (complete reinstall of the bot with a new version)\r\nBot Off (only exit the process)\r\nBot Kill (remove persistence and exit the process)\r\nBot Re-update Identification (steal data and send to C2)\r\nBot Get Browser Data (collect web browser data and send to C2)\r\nExample of dissected network traffic related to Bot Identification:\r\nFigure 19: Dissection of network traffic related to Bot Identification\r\nNotably, we encountered a slightly different version of the final BundleBot that shares all the code but, in addition, has the functionality to exfiltrate stolen data to the C2 via HTTPS. All such samples we analyzed were configured not to use the bot communication via TCP and instead exfiltrated the stolen data to the C2 web server at the URL https://cp.bemilcoin[.]io/api/cookiePc?cookie. 
The added code can be seen below.\r\nFigure 20: Code related to data exfiltration to C2 web server\r\nThe stolen data are exfiltrated to the C2 web server as the content of a ZIP archive.\r\nFigure 21: Stolen data exfiltrated to the C2 web server as a ZIP archive\r\nAs we were able to obtain the original PDB files of these specific versions and could confirm that a dependency resulting from this new capability was present, this functionality was not caused by manual alteration but was more likely added as a recent feature.\r\nConclusion\r\nBy monitoring BundleBot for a few months, we gained deeper insight into its infection vectors and how it abuses the dotnet bundle (single-file), self-contained format, which results in very low or no static detection at all. The combination of this specific file format and a multi-stage infection let this threat spread silently under the radar for several months.\r\nDelivery via Facebook Ads and compromised accounts is something that threat actors have abused for a while; still, combining it with one of the capabilities of the revealed malware (stealing the victim's Facebook account information) can serve as a tricky self-feeding routine.\r\nIn this research, we pointed out how the attacker abused the dotnet bundle (single-file), self-contained format and hardened the analysis even more by applying custom-made obfuscation. 
We introduced and detailed several tools and techniques to properly analyze similar threats and to avoid the problems that can occur during reverse engineering.\r\nCheck Point customers remain protected from the threats described in this research.\r\nCheck Point’s Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems and has developed and deployed a signature to detect and protect customers against the threats described in this research.\r\nCheck Point’s Harmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security breaches and data compromise. Behavioral Guard protections were developed and deployed to protect customers against the threats described in this research.\r\nThreat Emulation:\r\nInfoStealer.Wins.BYOSDownloader.A\r\nHarmony Endpoint:\r\nInfoStealer.Win.FakeGoogleAI.A\r\nInfoStealer.Win.FakeGoogleAI.B\r\nInfoStealer.Win.FakeGoogleAI.C\r\nInfoStealer.Win.FakeGoogleAI.D\r\nInfoStealer.Win.FakeGoogleAI.E\r\nIOCs\r\nFiles\r\nName  SHA-256  Description\r\nGoogle_AI.rar  dfa9f39ab29405475e3d110d9ac0cc21885760d07716595104db5e9e055c92a6  RAR archive containing Downloader stage\r\nADSNEW-1.0.0.3.zip  303c6d0cea77ae6343dda76ceabaefdd03cc80bd6e041d2b931e7f6d59ca3ef6  Pass-protected ZIP archive containing BundleBot (pass:alex14206985a\r\nBot_Server6_1.0.0.3.zip  90b37f26d7574a23437a2f0ad75d3cce5ecf3928efb58beacedde289fd3568bf  Pass-protected ZIP archive containing BundleBot (pass:alex14206985a\r\nADS_1.0.0.3.zip  af92d0545ce01e5dcbe228a43babe6281a1631836e5631286908c7f0aa225f3d  Pass-protected ZIP archive containing BundleBot (pass:alex14206985a\r\nFB_1.0.0.3.zip  25c0f65acb3ecfe435a39bed3f5013eadd85eca1e78a0dc754cb4b82389ee4bb  Pass-protected ZIP archive containing BundleBot (pass:alex14206985a\r\nCOIN_1.0.0.4.zip  a99dbc0cb0a051ec68bd89c468fd589b201380f47330bdedbb69f9b076099711  Pass-protected ZIP archive containing BundleBot (pass:alex14206985a\r\nCoin_1.0.0.0.zip  b47ac379cc23a059e1aaaba351f528c5a955fd56da35928c0bc0043c4ab8b38a  Pass-protected ZIP archive containing BundleBot (pass:alex14206985a\r\nRiotClientServices.zip  3198a613574a8ab84637bf80ebe5f6a56c851aa292973515c5de856f1e958d6d  Pass-protected ZIP archive containing BundleBot (pass:alex14206985a\r\nSubwaySub.dll  a1389d02c0b7892ffeae60b7869f3a761c2326629bd1c304839a1e8b7400744e  Downloader stage – extracted main module\r\nGoogleAI.dll  22bb60b0ea0d5bb57e105287843867880f336ddafa1545332e2de16d412cde12  Downloader stage – extracted main module\r\nPDF Reader.dll  4b4f69b01edd2c96db6374a9d0d980f5023383d440914831301f19d1d29ae4d9  Downloader stage – extracted main module\r\nPDF.dll  bc1fceb2d6c5dc7bedfdf1790ac0f06ccf0a9777c79d831d037dff10ae4ace8f  Downloader stage – extracted main module\r\nPDF.dll  d0146a3bbed91d5680c9b44c0f0e69deabe4d6c0f114e50d9fdee9cd202242fc  Downloader stage – extracted main module\r\nPDF Reader.dll  1c27a31830946ca806be10d07dc67b185d3f1e2bbc76cd5365719055966600fb  Downloader stage – extracted main module\r\nSmart Miner.dll  20b833c028322139b81e220cc165513ec2d4a490cfbd84e88e985a84d3173025  Downloader stage – extracted main module\r\nChaturbate.dll  0e2bb46c9cb2baa0263824f4a6725a2e4db2541eafd392f25bd9a4921a2e04f3  Downloader stage – extracted main module\r\nMario.dll  4c39df6e78b110e4912f3cb543130297b9b3cc3d33daa2d613999a1b991ba763  Downloader stage – extracted main module\r\nSuper Mario 3D World.dll  9b4c6dcee2848e2c23cffe1b8925ebc37d4d98a441fe6b0ff82dc788595a68be  Downloader stage – extracted main module\r\nCanva.dll  601f888abbb545b003ed37e3835237de7915874893f22ee5bb6ebc9f5db618b5  Downloader stage – extracted main module\r\nPDF.dll  2038aa28b4e23806030f945aadcf5dbbfa2e3f7ae2b924bd987fda62f87773fc  Downloader stage – extracted main module\r\nPDF.dll  cd1c00427973b7ff7bac1803d35c071ff0fdeb975c4eb5a54829bedf12c4d136  Downloader stage – extracted main module\r\nGoogleAI.exe  5ac212ca8a5516e376e0af83788e2197690ba73c6b6bda3b646a22f0af94bf59  Downloader stage – bundle file\r\nPDF.exe  67f24b507fe2f6dc06a294b85486cfa1dba6af188e59c51a74adc3b3f9ed29d8  Downloader stage – bundle file\r\nChaturbate.exe  97f777abfeada170c1caa625ffbf12b8d097ae5331f3f4c5b57dad4fc0c4f8c1  Downloader stage – bundle file\r\nSuper Mario 3D World.exe  8d1aa8ca616afc7fdf3cd6552e94fb486196d67e062adf5c97ada05b7b176985  Downloader stage – bundle file\r\nPDF.exe  9e6175a02a129fe559f108f6dced7fb6bf66c468cfb3ca276f3621ab8c312e91  Downloader stage – bundle file\r\nPDF Reader.exe  953e1b59b2163ddafaafe7872033ae6351a46500b575a717c853b6393d2c7ef6  Downloader stage – bundle file\r\nRiotClientServices.exe  230e5844ac0c767baf4d5d660f9ebcd0a9dd7f5a5ec5869387f53fa3eb902aa3  BundleBot stage – bundle file\r\nRiotClientServices.exe  26d0853adcec8b273346924e97170226abd7b800b5ee51f6768c58ac45f59d20  BundleBot stage – bundle file\r\nRiotClientServices.exe  37a06e2e28d16096c45bfd3ef2679fe8dc722810b6f6119b7dc5f1483e66ec01  BundleBot stage – bundle file\r\nRiotClientServices.exe  50b7447d83715b8b7b36a15d0e7c7b8ae881a56dc0f39eb1aa22604e00f97d17  BundleBot stage – bundle file\r\nRiotClientServices.exe  6552a05a4ea87494e80d0654f872f980cf19e46b4a99d5084f9ec3938a20db91  BundleBot stage – bundle file\r\nRiotClientServices.exe  6834be1cbde6718d153a729f2e68e3f3b21bcbcb51a9f381e98f78b7a414969f  BundleBot stage – bundle file\r\nRiotClientServices.exe  bfa7b12cc68b9cd26022a4c611ceaa473c84ffe36bb8008c67c1692b968b88d8  BundleBot stage – bundle file\r\nRiotClientServices.dll  0ba224ecc2546d0a5ccc13bc8f929ec0035ca884fce44c8aebcfec185550169c  BundleBot stage – extracted main module\r\nRiotClientServices.dll  0c5ef531c2d5be15ef2a031c381a9531db22e030b14a1c2de311c68da23fef48  BundleBot stage – extracted main module\r\nRiotClientServices.dll  2e0492507ed4127b25e523444b205c58312902fa0bf2f5697c184049af5e4e18  BundleBot stage – extracted main module\r\nRiotClientServices.dll  41c884718ce264195d75695252b22021680c6d5470a303f999f3f333a5eef9c9  BundleBot stage – extracted main module\r\nRiotClientServices.dll  5beb1ce875166ec47ee7fbcd9e48c891fe0b27ccec04edf3da82bf8b3b2ea04b  BundleBot stage – extracted main module\r\nRiotClientServices.dll  84319f401994ca83d2659aef8fa5810224f4a0fef2d3ed6883a5a265d3a8c291  BundleBot stage – extracted main module\r\nRiotClientServices.dll  9b0a6fdc188de6d80117f9f0894c456e9f541f19ba5b4ed8cfd03e86d8fb8af9  BundleBot stage – extracted main module\r\nLirarySharing.dll  386189e521d431428157cf37b4653444f8c2116ee0a5229313012c43e5839edd  BundleBot stage – extracted data serialization library\r\nLirarySharing.dll  4856cdb407d67ee82d44e1cd606e382cde7b6bcaf9127dd7924e2d604c1cad38  BundleBot stage – extracted data serialization library\r\nLirarySharing.dll  6632c655875279ed1c19937805416a716d9994db71c8e30d2c8b4a3a3c3f9620  BundleBot stage – extracted data serialization library\r\nLirarySharing.dll  7a0cd3cc214b312cda20a54f7e0e93509fbcf5f6e6d9f41fd95d6dfa3bb5bcdc  BundleBot stage – extracted data serialization library\r\nLirarySharing.dll  a47d68411f64887300800cbe471f3cb24047e2e352bff74b810ad1940cfff85c  BundleBot stage – extracted data serialization library\r\nLirarySharing.dll  fca477e3e0fe31dfc14a4bade9828da267b6f234c343f9fb654e6921ba71bd08  BundleBot stage – extracted data serialization library\r\nNetwork\r\nURL / IP address  Description\r\nhttps://drive.google[.]com/uc?id=1obRjbjOkXO3aCKKVa6BHKYqsROXRVmzL\u0026export=download\u0026confirm=t  URL to download BundleBot stage (embedded in downloader)\r\nhttps://drive.google[.]com/uc?id=1-mC5c7o_B1VuS6dbQeDAAqLuPbfAV58O\u0026export=download\u0026confirm=t  URL to download BundleBot stage (embedded in downloader)\r\nhttps://drive.google[.]com/uc?id=1f6QEiRPXZ1GKKtu-G_d_iQ448xYPGfMC\u0026export=download\u0026confirm=t  URL to download BundleBot stage (embedded in downloader)\r\nhttps://drive.google[.]com/uc?id=1ypYJpu5pgaFRnXx64ZnCCfoGaUMYBt5E\u0026export=download\u0026confirm=t  URL to download BundleBot stage (embedded in downloader)\r\nhttps://drive.google[.]com/uc?id=1S2G8OmhMREHS8l24hG-BmGKINxEL_DD5\u0026export=download\u0026confirm=t  URL to download BundleBot stage (embedded in downloader)\r\nhttps://drive.google[.]com/uc?id=1Uvyx_Fj7wF9cVnq3IwIAm5-i2IROsi0R\u0026export=download\u0026confirm=t  URL to download BundleBot stage (embedded in downloader)\r\nhttps://drive.google[.]com/uc?id=1teMU5O6VYsRjH9GVQf1V7h5ya-3Ssbkn\u0026export=download\u0026confirm=t  URL to download BundleBot stage (embedded in downloader)\r\n51.79.180[.]158:5505  C2 – BundleBot TCP connection\r\n85.239.242[.]27:5505  C2 – BundleBot TCP connection\r\n139.99.80[.]193:5505  C2 – BundleBot TCP connection\r\n139.99.38[.]193:5505  C2 – BundleBot TCP connection\r\nhttps://cp.bemilcoin[.]io/api/cookiePc?cookie  C2 – BundleBot HTTPS (exfil)\r\nReferences\r\n1. Single-file deployment: https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/\r\n2. Runtime configuration: https://learn.microsoft.com/en-us/dotnet/core/runtime-config/\r\n3. Runtime configuration file specification: https://github.com/dotnet/sdk/blob/main/documentation/specs/runtime-configuration-file.md\r\n4. DnSpyEx “latest” releases: https://github.com/dnSpyEx/dnSpy/releases\r\n5. DnSpyEx issue related to dotnet bundle: https://github.com/dnSpyEx/dnSpy/issues/48\r\n6. AsmResolver: https://github.com/Washi1337/AsmResolver\r\n7. De4dot: https://github.com/de4dot/de4dot\r\nSource: https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/\r\nPage 6 of 16 (displaced fragment):\r\ndotnet modules with a lot of junk code. Such an obfuscation will result in an overwhelming number of methods and classes that will make the analysis much harder and require creating a custom deobfuscator to simplify the analysis process.\r\nBefore the deobfuscation, the size of RiotClientServices.dll is ≈ 11MB, containing 26742 methods and 902 classes.\r\nIn the case of LirarySharing.dll, the obfuscation resulted in a binary size of ≈ 10MB with 32462 methods and 9473 classes.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/"
	],
	"report_names": [
		"byos-bundle-your-own-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1778121820,
	"ts_updated_at": 1778121851,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02746a8d2fd5ebe2a18fe6fb55cd64e4c5b63bf2.pdf",
		"text": "https://archive.orkl.eu/02746a8d2fd5ebe2a18fe6fb55cd64e4c5b63bf2.txt",
		"img": "https://archive.orkl.eu/02746a8d2fd5ebe2a18fe6fb55cd64e4c5b63bf2.jpg"
	}
}