{
	"id": "edc06eec-9bf5-4a1d-b793-cae87c94b985",
	"created_at": "2026-04-06T00:08:49.602261Z",
	"updated_at": "2026-04-10T03:21:55.105913Z",
	"deleted_at": null,
	"sha1_hash": "450cebf2006fd2b16af0753c9af23555d9d1c8aa",
	"title": "GrayBird/Colony - Pastebin.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35644,
	"plain_text": "GrayBird/Colony - Pastebin.com\r\nArchived: 2026-04-05 22:22:01 UTC\r\n1. Downloader – Onlineinstaller.exe\r\n2. MD5 bfd15475fdc15373622a7ad6c8736c1d\r\n3. SHA1 cc3ba347b80b2bf849a75dd1256e57fe32139f1d\r\n4. SHA256 bd43289d2e616c78c9d5807b6c2f57028cd3d23aebc4111d7d689493b8c8c87a\r\n5.\r\n6. services (name-\u003epath): amdfx -\u003e C:\\Windows\\system32\\drivers\\amdfx.sys\r\n7. services (name-\u003epath): mrxsmb22 -\u003e C:\\Windows\\system32\\drivers\\mrxsmb22.sys\r\n8. registry (key-\u003edata):\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\mrxsmb22\\ImagePath -\u003e\r\nsystem32\\drivers\\mrxsmb22.sys\r\n9.\r\n10. \\Registry\\Machine\\System\\CurrentControlSet\\Services\\amdfx\r\n11. \\Registry\\Machine\\System\\CurrentControlSet\\Services\\mrxsmb22\r\n12.\r\n13. Check-in URL: http://iostream.system.band/dump/io/time.php\r\n14. Download URL 1: http://ozkngbvcs.bkt.gdipper.com/xp/aXXXX\r\n15. Download URL 2: http://ozkngbvcs.bkt.gdipper.com/xp/mXXXX\r\n16.\r\n17. Driver – mrxsmb22.sys\r\n18. MD5 eb5591fc8979bfe67a19643a07397882\r\n19. SHA1 08b067821535eaa99dd4f53866245784ffd3ed62\r\n20. SHA256 5589a6960e76c4ccab41a834d41ee85180366f80968a92316148a734ceff9cc4\r\n21.\r\n22. Driver - amdfx.sys\r\nhttps://pastebin.com/GtjBXDmz\r\nPage 1 of 3\n\n23. MD5 e6b26e97a9186835ffbc7f1a2f433bbc\r\n24. SHA-1 a4ef575f40a7e9634dbbb8dde7860e22145a2a9e\r\n25. SHA-256 079daa5aa34c717308dd5792b88f604b904355f32f9e2b738855ad725d9deb45\r\n26.\r\n27.\r\n28. Decrypt downloader check-in\r\n29.\r\n30. MD5(first 8 bytes of packet + hard-coded 8 byte string), AES-128-CBC. In every case I've seen so far, the\r\nhard-coded string is '1Q2a3k79'. The following is sufficient:\r\n31.\r\n32. 00000000: 4136 3946 4339 3344 4558 2b37 6262 4247 A69FC93DEX+7bbBG\r\n33. 00000010: 5064 7339 524c 3474 344f 7362 4367 4867 Pds9RL4t4OsbCgHg\r\n34. 00000020: 6834 484e 7877 6865 5947 732f 4272 436f h4HNxwheYGs/BrCo\r\n35. 00000030: 3254 2b47 4977 4342 706f 4957 6544 416d 2T+GIwCBpoIWeDAm\r\n36. 00000040: 7a67 4132 5363 7068 3758 3872 6d47 6f66 zgA2Scph7X8rmGof\r\n37. 00000050: 6668 4c55 774a 624b 512b 7545 7634 766b fhLUwJbKQ+uEv4vk\r\n38. 00000060: 5263 434b 3061 4e2b 6d65 6d71 3374 4845 RcCK0aN+memq3tHE\r\n39. 00000070: 6454 4b6f 516a 7949 4c4f 4c6d 7533 6c62 dTKoQjyILOLmu3lb\r\n40. 00000080: 6758 6c78 5061 4474 gXlxPaDt\r\n41.\r\n42. echo -n \"A69FC93D1Q2a3k79\" | md5sum\r\n43. cat enc-traffic-1.bin | base64 -d | openssl enc -d -aes-128-cbc -K 'd3b56154ff02575f7d7502445878ccf4' -iv\r\n0\r\n44.\r\n45. 00000000: 7561 3d35 322d 3534 2d30 302d 3441 2d41 ua=52-54-00-4A-A\r\n46. 00000010: 442d 3231 2667 6574 3d42 5326 6c61 6e67 D-21\u0026get=BS\u0026lang\r\n47. 00000020: 3d55 2e53 2672 6567 696f 6e3d 3130 2672 =U.S\u0026region=10\u0026r\r\nhttps://pastebin.com/GtjBXDmz\r\nPage 2 of 3\n\n48. 00000030: 6566 6572 7265 723d 756e 6b6e 6f77 266f eferrer=unknow\u0026o\r\n49. 00000040: 733d 5769 6e64 6f77 7337 2037 3630 3126 s=Windows7 7601\u0026\r\n50. 00000050: 6272 6f77 7365 723d 4368 726f 6d65 browser=Chrome\r\n51.\r\n52.\r\n53. Seems it first appeared around December 2017 - also seems to be some slight confusion. Both of the\r\ndrivers use Netfilter SDK which is a networking framework that consists of both kernel mode and user\r\nmode components, their files are already picked up as AdWare/PUA/PUP and as far as I could tell, had\r\nbeen detected as such for a long time before this appeared.\r\n54. https://forums.malwarebytes.com/topic/217148-30tab-adware-mrxsmb22-need-fixlist-help/\r\n55. https://forums.malwarebytes.com/topic/217215-adwarenetfilter-30tabcom-adware/\r\nSource: https://pastebin.com/GtjBXDmz\r\nhttps://pastebin.com/GtjBXDmz\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://pastebin.com/GtjBXDmz"
	],
	"report_names": [
		"GtjBXDmz"
	],
	"threat_actors": [],
	"ts_created_at": 1775434129,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/450cebf2006fd2b16af0753c9af23555d9d1c8aa.pdf",
		"text": "https://archive.orkl.eu/450cebf2006fd2b16af0753c9af23555d9d1c8aa.txt",
		"img": "https://archive.orkl.eu/450cebf2006fd2b16af0753c9af23555d9d1c8aa.jpg"
	}
}