# Targeting Portugal: A new trojan ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax

**[seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-](https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/#.XhLzVxczau4)**

26 de dezembro de 2019

Last days of 2019 were the perfect time to spread phishing campaigns using email templates based on the Portuguese
Government Finance & Tax. SI-LAB noted that Portuguese users were targeted with malscam messages that reported
issues related to a debt of the year 2018.

In detail, the emails are related to the Rendimento de Pessoas Singulares – IRS (annual tax declaration), and any citizen
who has received the message can be misled by criminals – as the end of the year is the right time to discuss issues
within this context.

The malware was named ‘Lampion’ as this is the name used as part of its internal name. Regarding a broad analysis, it
looks like the Trojan-Banker.Win32.ChePro family, but with improvements that make hard its detection and analysis.

In brief, when the victim clicks on the links available in the email body the malware is downloaded from the online server.
The downloaded file is a compressed file (.zip) called: FacturaNovembro-4492154-2019-10_8.zip.

As observed, after extracting the file, three files are presented.


-----

The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of the Lampion’s infection chain. This is a Visual
Basic Script (VBScript) file that is acting as a dropper and downloader. It downloads the next stage from the compromised
server available on the Internet on an AWS S3 bucket.

The trojan Lampion uses anti-debug and anti-vm techniques. The use of a commercial protector known as VMProtector
3.x and also specially crafted codes make it difficult to analyze both on a sandbox environment or manually.

After the VBScript file is executed, two files are downloaded: P-19-2.dll and 0.zip. The P-19-2.dll file (Lampion) is a PE
File that is executed during a VBScript execution when the affected computer starts. That file invokes the second file,
0.zip, that is a DLL file with additional code on C2 and how the trojan gets details from the user’s computers. This DLL
contains a name in the Chinese language with the following target message for Portugal: “Your group of Portuguese
**_suckers”._**

Lampion trojan (P-19-2.dll) was sent to the VirusTotal by SI-LAB, and 12 from 71 engines classified it as malware. This is a
clear signal that most of the antivirus engines don’t detect yet the malware signature.

Details from the computer’s disk, opened windows, clipboard and banking credentials are gathered and sent to the C2
available on the Internet. The malware only runs if the DLL (inside the 0.zip file) is available on the same directory where it
is executed.


-----

Users who receive emails this nature should be aware as these files have a low detection rate and will extract sensitive
details including banking credentials from victims’ computers. For Portuguese citizens, special attention on this holiday
season as this is an ongoing target campaign.

For more details and complete analysis of this malicious campaign see the Technical Analysis below.

# Technical Analysis

Several emails were received by Portuguese users about a new campaign related to the Rendimento de Pessoas
Singulares – IRS (annual tax declaration) during the last days of 2019. Two examples can be seen in Figure 1 below.

**_Figure 1: Two template emails used to spread the trojan Lampion._**

At the first glance, just the URLs and their description are different between both templates. The URLs are responsible to
download a zip file that contains three files described below.

**_Figure 2: URL (1) hosting the malware on the Internet (a zip file)._**


-----

**_Figure 3: URL (2) hosting the malware on the internet (a zip file)._**

## Why Lampion?

As observed, the malware icon is a “lampion”, and the original name is “Lampion”. It seems a reference to a Japanese
lampion.

**_Figure 4: Malware’s original name and details._**

## Lampion trojan malware – The 1st stage

**Threat name: FacturaNovembro-4492154-2019-10_8.zip**
**MD5: e7bdce5505ee263530dea04c2fdc661f**
**SHA1: d4927477b71cbf540a894cf2c5849209b64c92af**

This is the zip file that contains the malware’s first stage downloaded from compromised servers online. It is a zip file, with
a low detection rate, and it contains inside 3 other files.

**_Figure 5: Available files after extracting the zip file._**


-----

The files are as follows:

[1] – FacturaNovembro-4492154-2019-10_8.pdf (51fbca86a499c55ce31179fc36e0d889)

**[2] – FacturaNovembro-4492154-2019-10_8.vbs (3350e74a4cfa020f9b256194eae25c12)**

[3] – Politica de Protecao de Dados – ST-8 (deb80a47496857e24c0bc57873b25707)

Only the [2] file (FacturaNovembro-4492154-2019-10_8.vbs) has malicious code capable of infecting victims’
computers.

In contrast, files [1] and [3] are harmless and are only used as a way of inducing the victims to open the VBS document –
the Lampion 1st stage.

**_Figure 6: Snippet from the Politica de Protecao de Dados – ST-8 file, never used_**
_during the malware infection chain._

On the other hand, the PDF file [1] is just a PDF file with some information contained
inside, and without malicious links or activity to collect details on the victim’s computer.

**_Figure 7: Object content from FacturaNovembro-4492154-2019-10_8.pdf._**

**_Figure 8: Content available on PDF file FacturaNovembro-4492154-2019-10_8.pdf._**


-----

**_Figure 9: Translation from the Portuguese language to English._**

The file states that the file to be executed is here, in the same directory of the PDF file . That message is completely
confidential, has a unique code, and the date of issuance is highlighted to create a bad feeling on the victim’s side.

**Threat name: FacturaNovembro-4492154-2019-10_8.vbs (Lampion – 1st stage)**
**MD5: 3350e74a4cfa020f9b256194eae25c12**
**SHA1: 7f5960ff9feff30d2f4a4c1598dd22632ceea0cb**

This file has a detection rate of 25/58 and is classified as a Trojan Agent. It is, in fact, a trojan downloader/dropper as it
downloads the next stage from the Internet and also drops a new VBS file that will be executed whenever the victim’s
computer starts. It looks like an improvement form of the Trojan-Banker.Win32.ChePro family.

**_[Figure 10: VirusTotal analysis from FacturaNovembro-4492154-2019-10_8.vbs file.](https://www.virustotal.com/gui/file/418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047/detection)_**

Looking at the file, it is obfuscated, but in this case, the technique used by criminals was simple: just add commentaries
**(junk blocks) between the lines of the malicious code to make it confused.**


-----

**_Figure 11: First stage of the Lampion malware – obfuscated code._**

After a few rounds of code cleanup (deobfuscation), the final code comes up. Before going into the detail, the high-level
diagram with the overall behavior of the file is presented.

**_Figure 12: Lampion 1st stage high-level diagram._**

In detail, the first stage works as described below.

It depends on the initial victim’s action.
The VBS file downloads additional files from the Internet (the 2nd stage – the Lampion itself).
2 files are downloaded to the AppData Windows folder, and a new VBS file is also created with the code that will
execute the trojan every time the victim’s computer starts.
A .lnk file is created on the Windows StartUp folder to execute the trojan (a persistence technique).
Finally, the victim’s computer is forced to reboot and the trojan malware starts its execution.

## Digging into the details – Lampion 1st stage

The 1st stage has random functions to generate random names that will be used to rename the next malicious files
created on the victim’s machine. Line 27 is where the Wscript object is created that will be used to create a .lnk file on
the Windows StartUp folder. All the malware source code is commented on the next images.


-----

**_Figure 13: Random functions that generate random names – (1/5)._**

The next figure has the function to decrypt the URLs from which the 2nd stage of malware is downloaded.

**_Figure 14: Decryption function used to decrypt the URLs where the next stage is available – (2/5)._**

Next, all the shortcuts (.lnk) files are deleted from the operating system StartUp folder (line 65).

After that, all the VBS files from the operating system StartUp folder are also removed to prevent other files can start with
the OS. A randomly named folder is created in the Windows AppData directory that will keep the malicious files.


-----

**_Figure 15: Some operations are performed, such as create folders on AppData and setting the default process security_**
_level with VBScript – (3/5)._

Now is time to download the 2nd stage from the Internet. Two files are obtained from 2 AWS S3 buckets.

**_Figure 16: Trojan 2nd stage is downloaded from two AWS S3 buckets – (4/5)._**

The URLs are encoded with the following strings:

1. logs = Decrypt("&aQ^>jhjqfFi`0o%B%~\tkLYya'jL^\[{m[e1hYb~Z!$miU)e$5k3i]#*[OWHi(jc#
(F$bWHcVW\pWe;deW3m$i_$TY%emc^%s&M$Tp^_OfxK")
2. ur = Decrypt("{PL^7j\j9f)is0D%9%aiXZ~]E^\i#k*_+ZW^(eU_-ZNe^]5^;i}ZaYm'Y/wYH$6im)6$tksiw#|[dWNi)ja#*

(~$oWzc+Wip@e6d2W&m.ix$uYde&ch%{F,#8'9/T#F(]$`ZdbrbY#")


-----

[To get the result of plain-text URLs, SI-LAB is keeping the decryption code available on GitHub. The result is as follows.](https://github.com/sirpedrotavares/SI-LAB-malware/blob/master/decryption-strings-lampion.vbs)

**_[Figure 17: Clean URLs as a result of the decrypted function output (available here).](https://github.com/sirpedrotavares/SI-LAB-malware/blob/master/decryption-strings-lampion.vbs)_**

As observed, the output shows us two AWS-hosted addresses that contain two malicious files, namely:

1. hxxps[:]//fucktheworld.s3.us-east-2.amazonaws[.]com/0.zip
2. hxxps[:]//sdghsuidhoidoghsdc19c.s3.us-east-2.amazonaws[.]com/P-19-2.dll

The 0.zip file is a DLL with additional code loaded by PE File P-19-2.dll during its execution. It is the PE file that will be
executed each time the infected machine starts. This file is overly large (32 MB in size), with a lot of trash to make it
difficult to detect.

Continuing to the last part of the 1st stage, the VBS file, in the last phase a VBS file is created in the AppData folder
(C:\Users\user\AppData\Roaming\lkuuxelnxqy.vbs).

Also, a .lnk is created in the Windows StartUp folder (C:\Users\user\AppData\Roaming\Microsoft\Windows\Start
**Menu\Programs\Startup\lkuuxelnxqy.lnk) which will then execute the next malware stage (P -19-2.dll).**


-----

**_Figure 18: VBS file is executed and the operating system is restarted – (5/5)._**

Finally, WScript.Shell runs the created VBScript file, the victim’s computer is forced to restart, and the malware itself (P-192.dll) runs on the infected machine.

## Lampion Trojan – 2nd Stage (after the persistence)

**Threat name: P-19-2.dll**
**MD5: 18977c78983d5e3f59531bd6654ad20f**
**SHA1: 941d03715af25f7bfedaaf86081ebc2046b4b019**

From the first submission we noticed that the threat was recent and unique in VirusTotal.

**_[Figure 19: Lampion VirusTotal detection rate (P-19-2.dll).](https://www.virustotal.com/gui/file/eb3f2be571bb6b93ee2e0b6180c419e9febfdb65759244ea04488be7c6f5c4e2/detection)_**

This file first appears as a DLL, but it is a PE File. As can be seen from Figure 15 – line 86, it is written directly to disk as
an executable.

As noted, 12 of 71 AV engines classified the file as malware. The file is extremely large (32 MB), with a lot of junk allowing,
thus, to evade antivirus engines as a result.


-----

## The malware’s protection

[As explained below, malware is protected by VMProtect 3.x which makes it difficult to analyze even through a manual](http://vmpsoft.com/support/user-manual/introduction/history-of-changes/)
approach.

#### VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely

 difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free

 upgrades and much more.

After some rounds, we found that it is protected with the VMProtect 3.x .

**_Figure 20: Lampion protected with the VMProtect 3.x._**

VMProtect has 3 protection modes: Mutation, Virtualization, and “Ultra” (both methods combined).

#### Mutation does what it says it does: it mutates the assembly code to make automated analysis of it harder. The

 resulting mutated code varies drastically per compilation.

 On the other hand, Virtualization translates the code into a special format that only a special virtual machine can

 run. It then inserts a “stub” function to call the VM where the actual code was supposed to be ran.

Another detail is two sections identified in PE File ( vmp0 and vmp1 ), which contains the packed binary code which will
later be devirtualized at runtime, and also has the EP (entry point) where the binary will be executed first.

**_Note: Details about the VMProtector disassemble will not be displayed in this analysis as it is commercial_**
**_software for packing and protecting executable files._**


-----

**_Figure 21: Malware sections and high entropy of section vmp1._**

As shown, there are two sections in binary (vmp0 and vmp1) with high entropy that are known as a result of VMProtector.
Also, the EP is outside of the standard location. Now it is on: .vmp1.

[In detail, the malware was developed in Delphi. The IDE Embarcaredo was used to support its developing.](https://www.embarcadero.com/br/)

**_Figure 22: Resources from the Lampion trojan malware._**

As noted from Figure 22, all the source-code logic is available within a feature called TFORM1, a Delphi form.


-----

**_Figure 23: Details about Embarcaredo._**

However, once the malware is protected with VMProtector, it is not possible to decompile the binary source-code.

## Disassembling – Deep inside

By disassembling it, it is possible to get a binary dump by indicating the potential OEP (original entry point). Although part
of the binary code remains obfuscated and protected, through this technique, it was possible to get some details about the
inner structure of the malware.


-----

**_Figure 24: Dumping the binary code, building the binary IAT and get internal details on how it works._**

The extracted file has its partial IAT messed up and the name of each function does not appear because its respective
virtual addressing is necessary to convert it to a raw addressing. This is a result of the VMProtector 3.x.

After the partially unpacked binary, we can see some functions it is using, namely:

**ShowWindow: Sets the specified window’s show state.**
**GetWindowTextW: Copies the text of the specified window’s title bar.**
**IsDialogMessageW: Determines whether a message is intended for the specified dialog box.**
**GetDesktopWindow: Retrieves a handle to the desktop window.**
**GetCursorPos: Retrieves the position of the mouse cursor, in screen coordinates.**
**GetMenuState: Retrieves the menu flags associated with the specified menu item.**
**GetKeyboardLayoutNameW: Retrieves the name of the active input locale identifier.**
**OpenClipboard: Opens the clipboard for examination.**
**EnumDisplayMonitors: It enumerates display monitors.**


-----

**_Figure 25: Functions used to get details about the victim’s computer._**

During the static analysis, we identified some functions such as HideFromDebugger and IsDebuggerPresent, and even
the library SBIEDLL.DLL which aims to detect if the program is running in a virtual environment.


-----

## Lampion – Dynamic Analysis

At the moment, the file 0.zip has not been used (the second one that was downloaded and presented in Figure 16).

When the Lampion is running, it will try to read the 0.zip file from the same directory where it is executing (AppData, in this
case).

**_Figure 26: 0.zip file not found and a popup message is presented. The malware_**
_terminates its execution._

The 0.zip file was not found (the second file downloaded by VBScript). By
submitting the executable file to sandboxes on the Internet, it will never be run
derived from this dependency. This can be seen as a mechanism for a dynamic
analysis not to be performed properly.

By fixing this detail, we can validate that malware actually can read the file.

**_Figure 27: 0.zip file is now accessed by Lampion and its content is loaded._**

The 0.zip file is a compressed file with a DLL inside it with additional code. But the file is protected with a password. Only
the 2nd stage (Lampion) has that password inside.


-----

**_Figure 28: 0.zip file protected by a password hardcoded inside the malware 2nd stage (Lampion trojan)._**

This can be seen as yet another anti-reversing mechanism introduced by malware authors.

To get details about the library inside the 0.zip file, we analyzed the 2nd stage and identified the right moment the file is
unzipped to obtain the password hardcoded from memory (as it is obfuscated).

**_Figure 29: Password of 0.zip file extracted from memory._**

After extracting the files, we can see that its name has Chinese characters. Through the translated message “Your group
**_of Portuguese suckers” we can conclude that this threat is targeting Portuguese citizens._**


-----

**_Figure 30: Message left by criminals indicating that the threat is targeting Portuguese citizens._**

Again, this file is also protected with VMProtector 3.x. This can be observed in Figure 31.

**_Figure 31: 0.zip file sections._**

As shown, most of the file content and EP address are located in the vmp01 section. From Figure 32, we can observe the
DLL export address table (EAT).

**_Figure 32: Export Address Table (EAT) from the DLL inside 0.zip._**

That DLL contains part of the trojan code. Those functions are imported
from this DLL. Some of the available functions are:

**WNetUseConnectionW: It makes a connection to a network**
resource.
**WNetGetConnectionW: This function retrieves the name of the**
network resource associated with a local device.
**WNetAddConnection2W: This function makes a connection to a**
network resource and can redirect a local device to the network
resource.
**SHGetFolderPathW: Gets the path of a folder identified by**
[a CSIDL value.](https://docs.microsoft.com/windows/desktop/shell/csidl)
**FilterSendMessage: This function sends a message to a kernel-**
mode minifilter.
**FilterConnectCommunicationPort: It opens a new connection to**
a communication server port
**DoThisBicht: Function invoked when the DLL file is loaded.**
**CryptUIDIgCertMgr: It is a function that displays a dialog box that**
allows users to manage certificates.
**CallFormPrincipal: It has the source-code logic about keylogger**
and C2.

In detail, we can examine all the malware operations while we open a browser for accessing a home banking website (the
malware is activated during the https operation because the certmgr.exe is launched).

An interesting detail found on “CallFormPrincipal” is the request method and C2 IP address.

1. $_POST=&plug=NAO&sowin=Windows%207%20Home%20Premium%20-%206.1%20-%207601
2. hxxp://18.219.52.4/PT/VaiPostaProPai.php

It also validates the windows hosts file to check the remote system discovery.

1. C:\Windows\System32\drivers\etc\hosts


-----

During malware execution, we verify that it collects data from clipboard, disk, browsers, and sends the details via a
request to the C2 server available on the Internet.

**_Figure 33: POST request sent to the C2 available online with details about the victim’s computer._**

## Lampion – C2 portal

On server C2, a portal is available that we did not have access to, however, it was possible to collect some interesting
details.

An interesting indicator is that this banking trojan does not have a high detection rate, and can easily run and make
persistent on victims’ computers.

For example, the URL where the victim data is sent (the POST request) is not identified as malicious by the antivirus
agents at the moment of writing this report.


-----

**_Figure 34: C2 server not detected on VirusTotal._**

As shown, the login page this panel can be accessed and a username and password are required.

**_Figure 35: Login page of C2 panel._**

Based on some paths available on the server-side, we can find that this is a portal already known and shared in the past
by David Montenegro along his analysis.

**_Figure 36: Details on the C2 portal (flags that identified the_**
_victim’s origin)._


-----

[14:10 - 20 de set de 2018](https://twitter.com/CryptoInsane/status/1042657116966854656)

[Veja outros Tweets de David Montenegro](https://twitter.com/CryptoInsane)


As observed, the panel has details about the victim, namely:

**Country;**
**Date and hour of access;**
**Operating System;**
**Computer Name;**
**Installed antivirus engine;**
**Version; and**
**Plugin.**


-----

**_Figure 37: Images about the potential C2 portal._**

We contacted Amazon Web Services (AWS) to decommission the domains and C2 server before publishing the article,
ensuring, thus, that the threat has been contained in a good way and by preserving the victim’s information. Nonetheless,
malicious endpoints are still active at the moment of writing this report.

## Lampion – Mitre Att&ck Matrix

# Indicators of Compromise (IOCs)

1. URLs
2. rebrand[.]ly/mmvk36?

=NOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJB
3. hxxp[:]//100.26.189.49/PY/App.php?=5wzpz2e7xglkzmh
[4. hxxps[:]//fucktheworld.s3.us-east-2.amazonaws.com/0.zip](http://amazonaws.com/)
[5. hxxps[:]//sdghsuidhoidoghsdc19c.s3.us-east-2.amazonaws.com/P-19-2.dll](http://amazonaws.com/P-)
6. hxxp[:]//18.219.52.4/PT/VaiPostaProPai.php
7. Hashes
8. e7bdce5505ee263530dea04c2fdc661f (FacturaNovembro-4492154-2019-10_8.zip)
9. deb80a47496857e24c0bc57873b25707 (Politica de Protecao de Dados - ST-8)
10. 51fbca86a499c55ce31179fc36e0d889 (FacturaNovembro-4492154-2019-10_8.pdf)

11. 3350e74a4cfa020f9b256194eae25c12 (FacturaNovembro-4492154-2019-10_8.vbs)
12. 18977c78983d5e3f59531bd6654ad20f (P-19-2.dll | P-19.2.exe - Lampion)
13. 76eed98b40db9ad3dc1b10c80e957ba1 (你的⼀群葡萄⽛⼈的吸盤)
14. C2
15. hxxp[:]//18.219.52.4/PT/VaiPostaProPai.php
16. hxxp[:]//18.219.52.4/PT/index.php
17. hxxp[:]//18.219.52.4/PT/admin.php
18. hxxp[:]//18.219.52.4/PT/png/pt.png
19. hxxp[:]//18.219.52.4/PT/SO/
20. 18[.]219.52.4/PT/painelADM.php
21. 18[.]219.52.4/PT/painel.php
22. $_POST=&plug=NAO&sowin=Windows%207%20Home%20Premium%20-%206.1%20-%207601


-----

### Yara rules

1. rule Lampion_VBS_File_Portugal {
2. meta:
3. description = "Yara rule for Lampion Portugal - December version"
[4. author = "SI-LAB - https://seguranca-informatica.pt"](https://seguranca-informatica.pt/)
5. last_updated = "2019-12-28"
6. tlp = "white"
7. category = "informational"
8. strings:
9. $lampion_a = {53 65 74 20 76 69 61 64 6f 20 3d 20 63 75 7a 61}
10. $lampion_b = {76 69 61 64 6f 2e 57 69 6e 64 6f 77 53 74 79 6c}

11. condition:
12. all of ($lampion_*)
13. }
14. --------------------------------15. import "hash"
16. rule Lampion_DLL_Portugal {
17. meta:
18. description = "Yara rule for Lampion Portugal - December version"
[19. author = "SI-LAB - https://seguranca-informatica.pt"](https://seguranca-informatica.pt/)
20. last_updated = "2019-12-28"
21. tlp = "white"
22. category = "informational"
23. strings:
24. $lampion_a = {5468 6973 4269 6368 7400 4669 6c74 6572}
25. condition:
26. all of ($lampion_*) or
27. hash.md5(0, filesize) == "76eed98b40db9ad3dc1b10c80e957ba1"
28. }
29. --------------------------30. import "hash"
31. rule Lampion_malware_portugal {
32. meta:
33. description = "Yara rule for Lampion Portugal - December version"
[34. author = "SI-LAB - https://seguranca-informatica.pt"](https://seguranca-informatica.pt/)
35. last_updated = "2019-12-28"
36. tlp = "white"
37. category = "informational"
38. strings:
39. $lampion_a = {3f 3f 3f 3f 3f 3f 3f 74 61 3f 3f 3f 3f 3f 3f 00}
40. condition:
41. all of ($lampion_*) or
42. hash.md5(0, filesize) == "18977c78983d5e3f59531bd6654ad20f"
43. }

[All yara files available here.](https://github.com/sirpedrotavares/SI-LAB-Yara_rules)

### Yara Retro hunt on two multi-scanners

1. 348e3fd080c8002b826be2577ffa3bc64f263aa779c9f8ff88e4642c294c4381
2. 418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047
3. 990982736492bfa0b2a39b0fd05959fa92ca3a282e36977a2523b3fe641a4c34
4. 54cce7adca859d6bd85779ec7fa4fc7eb327f5067d25b1dada722ccdcf108281
5. 9e77a03223de62be70afe19961ca8d0b88b46c20c834a5bab30ab3334baa2415
6. 07f5932be35a720a74fc10e7ee6011fa2a8ee4c6df7cf9a6f06bfdc7bd5ec4a1
7 09d44bdae0db9a91b86831f857efb45b05f62024a9b68c6977502a4dd729af76


-----

8. 33166f904f6820a1ed22c75ead41102ce62dad0070dd314b899ab76b60a21378
9. 0eb71171482dd5db49bae10f9bf55d7bcbf0b4370f4a86654fac9d3bdc6b20ab
10. f044d1de37ca8903c7bf6038e465bebc0c1ca2c9c8b53e19e1b8226fa820302f

11. 2e77d53186bd0a1a269864aca2369aae7a2629d1914c77bf6bc69e76aac491e2
12. 7c8c4ab0dd084a7e6e784923f1b125e3b6009f75269331639b120641508f7f51
13. 98db1f47e98a007ad5dfe0c5e1c6eb80dd5e171d6f252dda14c628ecf7c3f836
14. fbd0c68e699e9d78da85ab11c7d50af71cb84e6d652f9ab8f8ac657bfb102920
15. c52c0ae1c558be6eead13f50a9ea27a0eba1c4cdce17901ec3903c7b5e9eada0
16. 5c2e9c3cbcf7da70493da3f6efd6f6199d37ad68030a85303644992fbf12293c
17. 875cf24a3863f3e379c158de11baf5e0c70507ab7f37556ed8704e178ddf66ec
18. 1c1c64cf15b13aa67952830b5d606e7793456ddbf266910056ae16505fc57b0d
19. ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765
20. f752698342d8dc62ff0e27a065e79c71bca87604ef786f838fc8e0513ce97cfc
21. ae9e53806d5287f3e22f4e6549b1286c28aa529b1267b4369f9db60529fefbfa
22. 643d400cbdcff21ca2c0b8539f6990e22ababc740ced01f466150e44b669edf5
23. 79aaa08982958ac5fa37e3709a6787619777e11af773609fd974095dfdb0f0fa
24. 9d9252149a6db832fd205e4d0d3395cee5c6251f91df9730315ae4b354e839f0
25. 8802e4b1a460d8f8b369928ed6379f800a1053506c33b3422c52d4c30628b560
26. de8d3218d1509d255da05f3e3c1846a92d82badddbcebffd5e721256d7635fd5
27. aad423e2956e0f5b3fabe3b6ac624c929533acd9f2c93ecd210227a9b13a36f7
28. 8f04e52d69b1bdd7e4d6877ce0841ba8779f7649c16712d9d962044b2409b482
29. bc4ed9ef17e608a4b00ab3b5f0c2cfe956275eb0106a9b5b82076ce2c64cfb15
30. f36406b797ab4f739d0a6add29fdf72289c70019b5200ebdce78b3d3db0d79dc
31. 8ac60cd9bc9a44e558e840a6bebdd27c73a9ce167a66cf6c8d462e46848fe8a3
32. 29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a
33. 9a2f575d77cc03afe1230666ed23c1da58dd1644abf02e2487c6cd0db8b2a26d
34. 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d
35. 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58
36. edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1
37. 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c
38. f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c
39. 2298b7ee6aeb19cd6c9e2f3ae6377e1cf5aab0d2d3f3102d4d51683c79a91da8
40. 4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599
41. 113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898

## Thank you to all who have contributed:

– Corsin Camichel @cocaman
– David Montenegro @CryptoInsane

[Pedro Tavares](https://seguranca-informatica.pt/author/pipocaz/)
**[Pedro Tavares is a professional in the field of information security,](https://www.linkedin.com/in/sirpedrotavares/)**
working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst
and also a Security Evangelist. He is also a founding member and
Pentester at CSIRT.UBI and founder of the security computer
[blog seguranca-informatica.pt.](https://seguranca-informatica.pt/)

In recent years he has invested in the field of information security,
exploring and analyzing a wide range of topics, such as pentesting (Kali
Linux), malware, hacking, cybersecurity, IoT and security in computer
networks. He is also Freelance Writer.

[Read more here.](https://seguranca-informatica.pt/contacto/)


-----