- Carbon Indicators of Compromise
- Gazer Indicators of Compromise
- Mosquito Indicators of Compromise
- Turla Outlook Indicators of Compromise
- LightNeuron Indicators of Compromise
- Turla PowerShell Indicators of Compromise
- Turla Watering Hole Armenia
- Turla ComRAT v4 Indicators of Compromise
- Turla Crutch Indicators of Compromise
- To the Moon and back(doors): Lunar landing in diplomatic missions — Indicators of Compromise
The blog post about Carbon is available on WeLiveSecurity at https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
-
Win32/Turla.AN
-
Win32/Turla.BT
-
Win32/Turla.BU
-
Win64/Turla.E
-
Win64/Turla.K
-
Win64/Turla.S
-
Win64/Turla.T
(hacked websites used as 1st level proxies)
-
www.shoppingexpert.it:80:/wp-content/gallery/ -
soheylistore.ir:80:/modules/mod_feed/feed.php -
tazohor.com:80:/wp-includes/feed-rss-comments.php -
jucheafrica.com:80:/wp-includes/class-wp-edit.php -
61paris.fr:80:/wp-includes/ms-set.php -
doctorshand.org:80:/wp-content/about/ -
www.lasac.eu:80:/credit_payment/url/
All hashes are SHA-1
1ad46547e3dc264f940bf62df455b26e65b0101f a28164de29e51f154be12d163ce5818fceb69233 20393222d4eb1ba72a6536f7e67e139aadfa47fe 1dbfcb9005abb2c83ffa6a3127257a009612798c
777e2695ae408e1578a16991373144333732c3f6 de2132d7d07b0b21f3c283c68031e0dd6d2b5cbd
fbc43636e3c9378162f3b9712cb6d87bd48ddbd3 554f59c1578f4ee77dbba6a23507401359a59f23 a08b8371ead1919500a4759c2f46553620d5a9d9
7ce746bb988cb3b7e64f08174bdb02938555ea53 311f399c299741e80db8bec65bbf4b56109eedaf 87d718f2d6e46c53490c6a22de399c13f05336f0
The white paper about Gazer is available on WeLiveSecurity at https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf.
A high level summary is also available as a blog post on WeLiveSecurity at https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/.
-
%TEMP%\KB943729.log -
%TEMP%\CVRG72B5.tmp.cvr -
%TEMP%\CVRG1A6B.tmp.cvr -
%TEMP%\CVRG38D9.tmp.cvr -
%TEMP%\~DF1E06.tmp -
%HOMEPATH%\ntuser.dat.LOG3 -
%HOMEPATH%\AppData\Local\Adobe\AdobeUpdater.exe
-
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver -
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Explorer\ScreenSaver
-
hxxp://daybreakhealthcare.co.uk/wp-includes/themees.php -
hxxp://simplecreative.design/wp-content/plugins/calculated-fields-form/single.php -
hxxp://169.255.137.203/rss_0.php -
hxxp://outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php -
hxxp://zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe.php -
hxxp://ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php -
hxxp://dyskurs.com.ua/wp-admin/includes/map-menu.php -
hxxp://warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php -
hxxp://217.171.86.137/config.php -
hxxp://217.171.86.137/rss_0.php -
hxxp://shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php -
hxxp://www.aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php -
hxxp://baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php -
hxxp://soligro.com/wp-includes/pomo/db.php -
hxxp://giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php -
hxxp://tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php -
hxxp://kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/test/Reader/BuildTest.php -
hxxp://sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/activation/activation.php -
hxxp://chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/templates/manage_gallery/gallery_preview_page_field.old.php -
hxxp://hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php -
hxxp://zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php -
hxxp://weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php`
| SHA-1 hash | Component | Compilation Time | Certificate | ESET Detection Name |
|---|---|---|---|---|
|
Gazer loader x32 |
05/02/2002 17:36:10 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win32/Turla.CC |
|
Gazer loader x32 |
05/02/2002 17:36:10 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win32/Turla.CC |
|
Gazer loader x32 |
05/02/2002 17:36:10 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win32/Turla.CC |
|
Gazer loader x64 |
05/02/2002 17:36:26 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win64/Turla.AA |
|
Gazer loader x64 |
05/02/2002 17:36:26 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win64/Turla.AA |
|
Gazer loader x64 |
05/02/2002 17:36:26 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win64/Turla.AA |
|
Gazer loader x32 |
04/10/2002 18:31:37 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win32/Turla.CC |
|
Gazer loader x32 |
04/10/2002 18:31:37 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win32/Turla.CC |
|
Gazer loader x32 |
04/10/2002 18:31:37 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win32/Turla.CC |
|
Gazer loader x64 |
04/10/2002 18:34:18 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win64/Turla.AA |
|
Gazer loader x64 |
04/10/2002 18:34:18 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win64/Turla.AA |
|
Gazer loader x64 |
04/10/2002 18:34:18 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win64/Turla.AA |
|
Gazer loader x64 |
09/01/2016 19:30:10 |
not signed |
Win64/Turla.AA |
|
Gazer loader x64 |
06/02/2016 19:29:15 |
admin@ultimatecomsup.biz valid from 16/12/2015 to 16/12/2017 |
Win64/Turla.AA |
|
Gazer loader x64 |
16/02/2016 16:00:44 |
admin@ultimatecomsup.biz valid from 16/12/2015 to 16/12/2017 |
Win64/Turla.AA |
|
Gazer loader x64 |
18/02/2016 15:29:58 |
admin@ultimatecomsup.biz valid from 16/12/2015 to 16/12/2017 |
Win64/Turla.AA |
|
Gazer loader x64 |
01/01/2017 08:39:30 |
admin@ultimatecomsup.biz valid from 16/12/2015 to 16/12/2017 |
Win64/Turla.AG |
|
Gazer loader x64 |
11/06/2017 23:43:51 |
admin@ultimatecomsup.biz valid from 16/12/2015 to 16/12/2017 |
Win64/Turla.AD |
|
Gazer loader x32 |
19/06/2017 01:28:51 |
admin@ultimatecomsup.biz valid from 16/12/2015 to 16/12/2017 |
Win32/Turla.CF |
|
Gazer loader x64 |
19/06/2017 01:30:00 |
admin@ultimatecomsup.biz valid from 16/12/2015 to 16/12/2017 |
Win64/Turla.AD |
|
Gazer orchestrator x32 |
05/02/2002 17:31:28 |
not signed |
Win32/Turla.CF |
|
Gazer orchestrator x32 |
05/02/2002 17:31:28 |
not signed |
Win32/Turla.CF |
|
Gazer orchestrator x32 |
05/02/2002 17:31:28 |
not signed |
Win32/Turla.CF |
|
Gazer orchestrator x32 |
05/02/2002 17:31:28 |
not signed |
Win32/Turla.CC |
|
Gazer orchestrator x64 |
05/02/2002 17:34:25 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
05/02/2002 17:34:25 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
05/02/2002 17:34:25 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x32 |
04/10/2002 18:31:28 |
not signed |
Win32/Turla.CC |
|
Gazer orchestrator x32 |
04/10/2002 18:31:28 |
not signed |
Win32/Turla.CC |
|
Gazer orchestrator x64 |
04/10/2002 18:33:02 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
04/10/2002 18:33:02 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
04/10/2002 18:33:02 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
09/01/2016 19:28:29 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
06/02/2016 19:29:04 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
06/02/2016 19:29:04 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
18/02/2016 15:29:32 |
not signed |
Win64/Turla.AA |
|
Gazer orchestrator x64 |
01/01/2017 08:39:19 |
not signed |
Win64/Turla.AG |
|
Gazer orchestrator x64 |
11/06/2017 23:42:28 |
not signed |
Win64/Turla.AD |
|
Gazer orchestrator x32 |
19/06/2017 01:28:21 |
not signed |
Win32/Turla.CF |
|
Gazer orchestrator x64 |
19/06/2017 01:29:46 |
not signed |
Win64/Turla.AD |
|
Gazer comm x64 |
05/02/2002 17:57:07 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win64/Turla.AH |
|
Gazer comm x32 |
05/02/2002 17:58:22 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win32/Turla.CC |
|
Gazer comm x32 |
06/02/2016 19:23:52 |
not signed |
Win32/Turla.CC |
|
Gazer comm x32 |
11/06/2017 23:44:24 |
not signed |
Win32/Turla.CF |
|
Gazer wiper x32 |
05/02/2002 17:39:07 |
admin@solidloop.org valid from 14/10/2015 to 14/10/2016 |
Win32/Turla.CL |
|
Gazer wiper x32 |
07/04/2016 15:04:24 |
not signed |
Win32/Turla.CL |
There are few samples of Gazer that use the current function name as first parameter for the log function. Here is a list of some function names used in Gazer:
-
AutorunManagerClass-
AutorunManager::~AutorunManger -
AutorunManager::Init -
AutorunManger::ReInit -
AutorunManager::BuildAutorunSettings -
AutorunManager::FreeAutorunsSettings -
AutorunManager::FullCheck -
AutorunManager::StartAutorunEx -
AutorunManager::FullStart
-
-
HiddenTaskAutorunClass-
HiddenTaskAutorun::IsPathsEqual
-
-
LinkAutorunClass-
LinkAutorunClass::InfectLnkFile -
LinkAutorunClass::ClearLnkFile -
LinkAutorunClass::CheckLnkFile
-
-
RemoteImport32Class-
RemoteImport32::RemoteImport32 -
RemoteImport32::GetRemoteProcAddress -
RemoteImport32::GetRemoteModuleHandle
-
-
ScreenSaverAutorunClass-
ScreenSaverAutorun::ChangeScreenSaver -
ScreenSaverAutorun::WndProc1 -
ScreenSaverAutorun::GetMessageThreadProc -
ScreenSaverAutorun::CreateHiddenWindow -
ScreenSaverAutorun::CloseHiddenWindow
-
-
ShellAutorunClass-
ShellAutorun::AutorunInstallEx -
ShellAutorun::AutorunUninstallEx -
ShellAutorun::AutorunCheckEx -
ShellAutorun::IsPathsEqual
-
-
StartupAutorunClass-
StartupAutorun::AutorunInstallEx -
StartupAutorun::AutorunUninstallEx -
StartupAutorun::AutorunCheckEx -
StartupAutorun::IsPathsEqual
-
-
TaskScheduler20AutorunClass-
TaskScheduler20Autorun::Init -
TaskScheduler20Autorun::AutorunCheckEx -
TaskScheduler20Autorun::AutorunInstallEx -
TaskScheduler20Autorun::AutorunUninstallEx -
TaskScheduler20Autorun::IsPathsEqual
-
-
DllInjectorClass-
DllInjector::LoadDllToProcess -
DllInjector::GetProcHandle -
DllInjector::CheckDllAndSetPlatform -
DllInjector::CopyDllFromBuffer -
DllInjector::MapLibrary -
DllInjector::Map86Library_tox64 -
DllInjector::CallEntryPoint -
DllInjector::FindDllImageBase -
DllInjector::WindowInject
-
-
InjectManagerClass-
InjectManager::~InjectManager -
InjectManager::BuildInjectSettingsList -
InjectManager::FreeInjectSettingsList -
InjectManager::Stop -
InjectManager::DetachAll -
InjectManager::FindAndInjectInVictim -
InjectManager::FindProcessSimple2 -
InjectManager::LoadNtdll -
InjectManager::UnLoadNtdll -
InjectManager::LoadWinsta -
InjectManager::UnLoadWinsta -
InjectManager::SetStatusTransportDll -
InjectManager::GetTransportState -
InjectManager::DestroyManuallyCreatedVictim -
InjectManager::VictimManualCreateIE
-
-
NPTransportClass-
TNPTransport::Init -
TNPTransport::ReInit -
TNPTransport::~TNPTransport -
TNPTransport::Receive -
TNPTransport::RunServer -
TNPTransport::ServerProc
-
-
ExeStorageClass-
ExeStorage::Migrate -
ExeStorage::SecureHeapFree
-
-
FSStorageClass-
FSStorage::~FSStorage -
FSStorage::Init -
FSStorage::GetBlock -
FSStorage::GetListBlock -
FSStorage::Migrate -
FSStorage::SecureHeapFree -
FSStorage::Update -
FSStorage::Empty
-
-
RegStorageClass-
RegStorage::~RegStorage -
RegStorage::Init -
RegStorage::FreeList -
RegStorage::GetListBlock -
RegStorage::DeleteListBlock -
RegStorage::Migrate -
RegStorage::SecureHeapFree -
RegStorage::Update -
RegStorage::Empty
-
-
ResultQueueClass-
ResultQueue::~ResultQueue -
ResultQueue::DumpQueueToStorage -
ResultQueue::RestoreFromStorage -
ResultQueue::ClearQueue -
ResultQueue::RemoveResult -
ResultQueue::GetNextResultToSendWithModule -
ResultQueue::SetPredeterminedResult -
ResultQueue::print
-
-
TaskQueueClass-
TaskQueue::~TaskQueue -
TaskQueue::DumpQueueToStorage -
TaskQueue::RestoreFromStorage -
TaskQueue::ClearQueue -
TaskQueue::RemoveCompletedTasks -
TaskQueue::print
-
-
CExecutionSubsystemClass-
CExecutionSubsystem::~CExecutionSubsystem -
CExecutionSubsystem::Stop -
CExecutionSubsystem::TaskExecusion -
CExecutionSubsystem::TaskConfigure -
CExecutionSubsystem::TaskUpload -
CExecutionSubsystem::TaskDownload -
CExecutionSubsystem::TaskReplacement -
CExecutionSubsystem::TaskDelete -
CExecutionSubsystem::TaskPacketLocalTransport -
CExecutionSubsystem::FinishTask -
CExecutionSubsystem::PushTaskResult -
CExecutionSubsystem::UpdateStorage
-
-
CMessageProcessingSystemClass-
CMessageProcessingSystem::~CMessageProcessing -
CMessageProcessingSystem::ListenerCallBack -
CMessageProcessingSystem::WaitShutdownModule -
CMessageProcessingSystem::SetCompulsorySMC -
CMessageProcessingSystem::UnSetCompulsorySMC -
CMessageProcessingSystem::IsCompulsorySMC -
CMessageProcessingSystem::GetCompulsorySMC -
CMessageProcessingSystem::Receive_TAKE_NOP -
CMessageProcessingSystem::Receive_GIVE_SETTINGS -
CMessageProcessingSystem::Receive_TAKE_CAN_NOT_WORK -
CMessageProcessingSystem::Receive_GIVE_CACHE -
CMessageProcessingSystem::Receive_TAKE_CACHE -
CMessageProcessingSystem::Receive_TAKE_TASK -
CMessageProcessingSystem::Receive_GIVE_RESULT -
CMessageProcessingSystem::Receive_TAKE_CONFIRM_RESULT -
CMessageProcessingSystem::Receive_TAKE_LOADER_BODY -
CMessageProcessingSystem::Receive_TAKE_UNINSTALL -
CMessageProcessingSystem::Receive_NO_CONNECT_TO_Gazer -
CMessageProcessingSystem::Receive_TAKE_LAST_CONNECTION -
CMessageProcessingSystem::Send_TAKE_FIN -
CMessageProcessingSystem::Send_TAKE_SHUTDOWN -
CMessageProcessingSystem::Send_TAKE_SETTINGS -
CMessageProcessingSystem::Send_TAKE_RESULT
-
-
CryptoClass-
Crypto::GetPublicKey -
Crypto::EncryptRSA -
Crypto::Sign -
Crypto::EncryptAndSignBufferRSAEx -
Crypto::DecryptRSA -
Crypto::Verify -
Crypto::DecryptAndVerifyBufferRSAEx -
Crypto::EncryptAndSignBufferRSA1 -
Crypto::EncryptAndSignBufferRSAC -
Crypto::DecryptAndVerifyBufferRSA0 -
Crypto::DecryptAndVerifyBufferRSA1 -
Crypto::DecryptAndVerifyBufferRSAL -
Crypto::VerifyLoaderFile -
Crypto::VerifyLoader -
Crypto::CompressBuffer -
Crypto::DecompressBuffer
-
-
LTManagerClass-
LTManager::~LTManager -
LTManager::Init -
LTManager::GetResultFromQueue -
LTManager::SetResultToCache -
LTManager::GetTaskFromCache -
LTManager::SetTaskToQueue -
LTManager::IsSendPacketFurtherOnRoute -
LTManager::SendPacketNextRouteUnit -
LTManager::SetCache -
LTManager::SetPacket -
LTManager::DumpCacheToStorage -
LTManager::DeSerializeCache -
LTManager::DeSerializePacket -
LTManager::DeSerializeRoute -
LTManager::DeSerializeTask -
LTManager::DeSerializeResult -
LTManager::SerializeCache -
LTManager::SerializePacket -
LTManager::SerialiazeRoute -
LTManager::SerializeTask -
LTManager::SerializeResult -
LTManager::ClearCache -
LTManager::ClearPacket -
LTManager::ClearRoute -
LTManager::ClearTask -
LTManager::ClearResult -
LTManager::PrintCache -
LTManager::CreateEvents -
LTManager::SetEvents -
LTManager::ResetEvents -
LTManager::WaitEvents -
LTManager::DeleteEvents
-
-
LTMessageProcessingClass-
LTMessageProcessing::ListenerCallBack -
LTMessageProcessing::Send_TAKE_OK -
LTMessageProcessing::Send_TAKE_ERROR_CRYPT -
LTMessageProcessing::Send_TAKE_ERROR_UNKNOWN
-
-
LTNamedPipeClass-
LTNamedPipe::ReInit -
LTNamedPipe::BuildLocalTransportSettings -
LTNamedPipe::~LTNamedPipe -
LTNamedPipe::Receive -
LTNamedPipe::RunServer -
LTNamedPipe::Stop -
LTNamedPipe::CreateNewNPInstance -
LTNamedPipe::ServerProc -
LTNamedPipe::ClientCommunication
-
The blog post about Mosquito is available on WeLiveSecurity at https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/.
-
Win32/Turla.CQ
-
Win32/Turla.CP
-
Win32/Turla.CR
-
Win32/Turla.CS
-
Win32/Turla.CT
-
Win32/Turla.CU
-
Win32/Turla.CV
-
Win32/Turla.CW
-
Win32/Turla.CX
-
smallcloud[.]ga
-
fleetwood[.]tk
-
adstore.twilightparadox[.]com
-
bigpen[.]ga
-
ebay-global.publicvm[.]com
-
psychology-blog.ezua[.]com
-
agony.compress[.]to
-
gallop.mefound[.]com
-
auberdine.etowns[.]net
-
skyrim.3d-game[.]com
-
officebuild.4irc[.]com
-
sendmessage.mooo[.]com
-
robot.wikaba[.]com
-
tellmemore.4irc[.]com
-
https://script.google[.]com/macros/s/AKfycbxxPPyGP3Z5wgwbsmXDgaNcQ6DCDf63vih-Te_jKf9SMj8TkTie/exec -
https://script.google[.]com/macros/s/AKfycbwF_VS5wHqlHmi4EQoljEtIsjmglLBO69n_2n_k2KtBqWXLk3w/exec
E0788A0179FD3ECF7BC9E65C1C9F107D8F2C3142 CDE4D12EF9F70988C63B66BF019C379D59A0E61F 04FB0667B4A4EB1831BE88958E6127CD7317638A BA3519E62618B86D10830EF256CCE010014E401A 4B5610AC5070A7D53041CC266630028D62935E3F
24925A2E8DE38F2498906F8088CF2A8939E3CFD3 48BCEC5A65401FBE9DF8626A780F831AD55060A1 E441CC1547B18BBA76D2A8BD4D0F644AD5388082 240D3473932E4D74C09FCC241CF6EC175FDCE49D
-
{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} -
{08244EE6-92F0-47F2-9FC9-929BAA2E7235} -
{4E14FBA2-2E22-11D1-9964-00C04FBBB345} -
{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} -
{603D3801-BD81-11D0-A3A5-00C04FD706EC} -
{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31} -
{9207D8C7-E7C8-412E-87F8-2E61171BD291} -
{A3B3C46C-05D8-429B-BF66-87068B4CE563} -
{0997898B-0713-11D2-A4AA-00C04F8EEB3E} -
{603D3801-BD81-11D0-A3A5-00C04FD706EC} -
{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}
The white paper about Turla Outlook is available on WeLiveSecurity at https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf. A high level summary is also available as a blog post on WeLiveSecurity at https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/.
The MISP event is available at https://github.com/eset/malware-ioc/blob/master/turla/misp-turla-outlook-event.json.
| SHA-1 hash | Component | Compilation Time (GMT) | ESET Detection Name |
|---|---|---|---|
|
Backdoor |
2013-06-28 14:15:54 |
Win32/Turla.N |
|
Dropper |
2014-12-03 20:50:08 |
Win32/Turla.AW |
|
Backdoor |
2014-12-03 20:44:27 |
Win32/Turla.R |
|
Backdoor |
2016-09-15 08:14:47 |
Win32/Turla.DA |
-
%APPDATA%/Microsoft/Windows/scawrdot.db -
%APPDATA%/Microsoft/Windows/flobcsnd.dat -
mapid.tlb -
msmime.dll
-
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ZonePolicy\ -
HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} -
HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}
The white paper about Turla LightNeuron is available on WeLiveSecurity at https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf. A high level summary is also available as a blog post on WeLiveSecurity at https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/.
The MISP event is available in misp-turla-lightneuron-event.json.
| SHA-1 hash | Component | Compilation Time (GMT) | ESET Detection Name |
|---|---|---|---|
|
Transport Agent |
26/10/2016 |
MSIL/Turla.A |
|
Companion DLL |
02/09/2016 |
Win64/Turla.CC |
|
Transport Agent |
16/08/2015 |
MSIL/Turla.A |
|
Companion DLL |
25/07/2014 |
Win64/Turla.CC |
|
Transport Agent |
20/06/2014 |
MSIL/Turla.A |
|
Companion DLL |
01/07/2016 |
Win64/Turla.CC |
|
Transport Agent |
20/06/2014 |
MSIL/Turla.A |
-
%tmp%\winmail.dat -
C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\msmocf.xml -
C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\msmodl.dat -
C:\Windows\serviceprofiles\networkservice\appdata\Roaming\Microsoft\Windows\814ad43-58ab-2cd3-3e68-b82a8f402fd0 -
C:\Windows\serviceprofiles\networkservice\appdata\Roaming\Microsoft\Windows\42cf8a1-6e20-8c24-d35f-82c46d8b70ba -
C:\Windows\serviceprofiles\networkservice\appdata\Roaming\Microsoft\Windows\36b1f4a-82b9-eb06-7c1e-90b4b2d5c27d -
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\thumbcache_idx.db -
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\thumbcache_32.db
The blog post about Turla PowerShell scripts is available on WeLiveSecurity at https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
The MISP event is available in misp-turla-powershell-event.json.
| SHA-1 hash | Description | ESET Detection Name |
|---|---|---|
|
PowerShell loader with encrypted payload |
PowerShell/Turla.T |
|
RPC backdoor (client) |
Win64/Turla.BQ |
|
RPC backdoor (server) |
Win64/Turla.BQ |
|
File exfiltration RPC plugin |
Win32/Turla.BZ |
|
RPCSpoofServerInstaller |
Win64/Turla.BS |
|
RPC interface patcher |
Win64/Turla.BR |
The blog post about the Turla Watering Hole campaign in Armenia is available on WeLiveSecurity at https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
The MISP event is available in misp-turla-wateringhole-armenia-event.json.
| SHA-1 hash | Description | ESET Detection Name |
|---|---|---|
|
NetFlash Dropper |
MSIL/Turla.D |
|
NetFlash |
MSIL/Turla.D |
|
NetFlash |
MSIL/Turla.F |
|
PyFlash |
Win32/Turla.EM |
|
Skipper communication DLL |
Win32/Turla.EJ |
-
http://www.armconsul[.]ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js -
http://mnp.nkr[.]am/wp-includes/js/jquery/jquery-migrate.min.js -
http://aiisa[.]am/js/chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js -
adgf[.]am
The white paper about Turla ComRAT v4 is available on WeLiveSecurity at https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf. A high level summary is also available as a blog post on WeLiveSecurity at https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/.
The MISP event is available in misp-turla-comrat-v4-event.json.
| SHA-1 hash | Description | ESET Detection Name |
|---|---|---|
|
PowerShell dropper |
PowerShell/Turla.X |
|
ComRAT orchestrator |
Win64/Turla.BY |
|
ComRAT orchestrator |
Win64/Turla.AP |
|
ComRAT orchestrator |
Win32/Turla.EI |
-
(HKLM|HKCU)\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-80C5-5595FE6B30EE} -
HKLM\SOFTWARE\Microsoft\SQMClient\Windows.WSqmCons
-
arinas[.]tk -
bedrost[.]com -
branter[.]tk -
bronerg[.]tk -
celestyna[.]tk -
crusider[.]tk -
davilta[.]tk -
deme[.]ml -
dixito[.]ml -
duke6[.]tk -
elizabi[.]tk -
foods.jkub[.]com -
hofa[.]tk -
hunvin[.]tk -
lakify[.]ml -
lindaztert[.]net -
misters[.]ml -
pewyth[.]ga -
progress.zyns[.]com -
sameera[.]gq -
sanitar[.]ml -
scrabble.ikwb[.]com -
sumefu[.]gq -
umefu[.]gq -
vefogy[.]cf -
vylys[.]com -
wekanda[.]tk
The blogpost about Turla Crutch is available on WeLiveSecurity at https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open.
The MISP event is available in misp-turla-crutch-event.json.
| SHA-1 hash | Description | ESET Detection Name |
|---|---|---|
|
Crutch dropper similar to Gazer |
Win64/Agent.VX |
|
Crutch v3 backdoor (packed) |
Win32/Agent.TQL |
|
Crutch v3 backdoor (unpacked) |
Win32/Agent.TQL |
|
Crutch v4 |
Win32/Agent.SVE |
-
C:\Intel\ -
C:\AMD\Temp\ -
C:\Intel\outllib.dll -
C:\Intel\lang.nls -
C:\Intel\~intel_upd.exe -
C:\Intel\~csrss.exe -
C:\Program Files (x86)\Google\Chrome\Application\dwmapi.dll -
C:\Program Files (x86)\Mozilla Firefox\rasadhlp.dll -
%LOCALAPPDATA%\Microsoft\OneDrive\dwmapi.dll
The blog post on Lunar toolset is available on WeLiveSecurity at https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/
-
MSIL/Agent.ERT
-
VBA/TrojanDownloader.Agent.ZJC
-
Win32/LunarLoader.A
-
Win64/LunarLoader.A
-
Win64/LunarLoader.B
-
Win64/LunarLoader.C
-
Win32/LunarMail.A
-
Win64/LunarMail.A
-
Win32/LunarWeb.A
-
Win64/LunarWeb.A
| SHA-1 | Filename | ESET detection name | Description |
|---|---|---|---|
|
N/A |
VBA/TrojanDownloader.Agent.ZJC |
Malicious Word macro that installs LunarMail. |
|
|
MSIL/Agent.ERT |
Compiled version of ASP.NET web page that installs LunarWeb. |
|
|
Win64/LunarLoader.B |
LunarLoader (x64) used to load LunarMail. |
|
|
Win32/LunarLoader.A |
LunarLoader (x86) used to load LunarMail. |
|
|
Win64/LunarLoader.B |
LunarLoader (x64) used to load LunarWeb. |
|
|
Win64/LunarLoader.C |
LunarLoader (x64) used to load LunarWeb. |
|
|
Win64/LunarLoader.A |
LunarLoader (x64); a trojanized AdmPwd, used to load LunarWeb. |
|
|
Win64/LunarLoader.A |
LunarLoader (x64); a trojanized AdmPwd, used to load LunarWeb. |
|
N/A |
Win64/LunarMail.A |
LunarMail backdoor (x64). |
|
N/A |
Win32/LunarMail.A |
LunarMail backdoor (x86). |
|
N/A |
Win32/LunarWeb.A |
LunarWeb backdoor (x86). |
|
N/A |
Win64/LunarWeb.A |
LunarWeb backdoor (x64). |
|
N/A |
Win64/LunarWeb.A |
LunarWeb backdoor (x64). |
|
N/A |
Win64/LunarWeb.A |
LunarWeb backdoor (x64). |
|
N/A |
Win64/LunarWeb.A |
LunarWeb backdoor (x64). |
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
N/A |
|
N/A |
2020-02-01 |
Domain (Free DNS) pinged by malicious Word macro. |
|
N/A |
Akamai Connected Cloud |
2020-05-20 |
C&C server of LunarWeb (compromised VPS). |
|
N/A |
Akamai Connected Cloud |
2020-05-20 |
C&C server of LunarWeb (compromised VPS). |
|
N/A |
IONOS SE |
2022-08-03 |
C&C server of LunarWeb (compromised VPS). |
|
N/A |
IONOS SE |
2022-08-03 |
C&C server of LunarWeb (compromised VPS). |
|
N/A |
Akamai Connected Cloud |
2023-06-15 |
C&C server of LunarWeb (compromised VPS). |
|
N/A |
Contabo GmbH |
2023-06-15 |
C&C server of LunarWeb. |
|
N/A |
Contabo GmbH |
2023-06-15 |
C&C server of LunarWeb. |
|
N/A |
Webglobe, a.s. |
2023-06-02 |
C&C server of LunarWeb (compromised VPS). |
|
N/A |
Webglobe, a.s. |
2023-06-02 |
C&C server of LunarWeb (compromised VPS). |
|
N/A |
Host Department NJ, LLC |
2023-10-29 |
C&C server of LunarWeb. |
|
N/A |
Contabo GmbH |
2023-10-29 |
C&C server of LunarWeb. |
|
N/A |
Hetzner Online GmbH |
2023-10-29 |
C&C server of LunarWeb (compromised VPS). |
-
C:\Windows\System32\DynamicAuth.bin -
C:\Program Files\LAPS\CSE\admpwd.cache -
C:\ProgramData\Microsoft\WinThumb\adcache.clb -
C:\Windows\System32\perfcache.dat -
%USERPROFILE%\Gpg4win\tempkeys.dat
-
C:\ProgramData\Microsoft\Windows\Templates\content.tpl -
C:\ProgramData\Microsoft\WinThumb\thumb.clb -
C:\ProgramData\Microsoft\WinThumb\cfcache.clb -
C:\Windows\System32\perfconfm.dat
94A4CE9C75BC847E7BE59B96C4133D677D909414 4C84110F1B10DF5FDD612759E210E44B0F0505EF FCAE66F6D95C78DC829688CC0F4C39BB5A57828B 00006B30806F915911349D82BEEB1AEB9025ADB4
-----BEGIN RSA PRIVATE KEY----- MIIJKAIBAAKCAgEAiO6+Q5TpXexFQZVXEYhrzo0y2PI/XWE+k5ATmmX/jAg73oFo +g5vYFztkqxZDwyF1ZI2WYq+2hvEadxKaHsstHKblGP2CrVcIcbvJllofG3VYYfI RnZC1OFgVafqgVR+n2GATFFKiG0A+vwNlwUJp9AOHVyMzLrhDg873Kci8BHdFl9l 3RAWozwYXVyODj6m3JKtppk4cerNEQJJVVYK+5ZZpufyM63Xq/2bZOJz2ZirKokK 8P0JCiLVvuAsSN0yHoielXL1RA6bQHfrcsRb8P6qaGiA8bF9RNC+og5QkDYFf1Hf 73EbCHasPe+7xBAx9L6N9FWUVPROEi45LwWvO1D+ZkF8vJxeUtQXyFwa5nTZ4N4D FqcDLt4jw37qdJQL5SyUnmxlbqqUGqX9unsw43Fpc34VQkWb05eFruf/8/s9TZ4H 6opvJ/POP61j5OAZF67EYyOMeh5PuPb2l79DGgv/V/czsXv/+zv0CVaZ5P9btIfP RFl8+rikTMP/Vf8202XE4IzzO44yMLSCSKLtoL2yVCCj7ZSJTL3jJ/YxcMSV1Cf/ i97ZiZLWCaH0AofGfP3bz/leFyzAiYX2uccer9pula6qBCBO54sQv/3VIpzvuhqw lFVQLa40DrnrvjCr0oJUBkNlsgN+HeO4eIgJQWf+fOObTKKl9fA4/o1Vr3UCAwEA AQKCAgAD2UH7wEm23BcuOrZRxdXR3mIZeuWRCFSr7Ra/9jHyi6CzJkv/CzzSJop+ 3t058Q4p7IwehCnNE463svtcaGnfQIFi8FRQBLzsLh02pLitFqEytpBIerZyKUt9 3NRYgjl03VavznEb2IR4iXEQV5Hn548eACXs8yu0K3VxRDlVKgtev5urVPJt8Bh3 N0y+1b/23yCGWDQf74uH+Np6zYpNe/JVIJvMHAy9xskBUuQSr5nP/j4Se+ovIL+F N+PGwIDSHuDmLm76VLbEXxp9BUvYQDAl8xn8sRJmRr+06lYVV49b/r8eib1KxZsd uok6f4IH8PsobOdYY+110VrGGZDNPWCLWag5Q5m/OLPlrOtZnGAJi8mP6CoQy/XH /GvhBwH59oUDdpifd9uaGqNN/gDKIyEpdFX/QoXYaY8OoxIa+fDN+f+iSxhOwBIN ljH2le48ohw+IWqz3Qe1rgqUFgYSpXHewIsWMVltqY671GVqxCwvS5ptucHRmPsQ QdTu27dB78beLyMTQyRSywNxqC4vaBFKzMuTsYisxlorlGQ24iCxlDlsYgXAYLeK YCqOqPbmt35juX4bXw6KcIzZHPqfLWog8OlYenkuSWsCsABakv4bF9C+vN5KDQmL YuHorxk0jwJwKJ5hRzuN9lmSWrfMMFTPPcZllQogPWYQoxfQ2QKCAQEA1lMQO2BY dbjbvuA/RNI01V6w86zgMC85Ku0PZAY6VHjGX8d3/4+CYOE4a+FUrD0wuiyYkMuL qWLtR4ysMUBfedtK11mTX3q2d0TW0+UNoNryRTlw03XRImCLwuAs/USxuA9unvnK F7qIE0noIYFEDa/Q7rQi9kPE2Tq5w3NVkTGBgeriiaEMV6laM0sdF/Th9TC48Xvi yaWH/S47rUPwcEkPNh069Sfsw7+LKOxvbl7RY/qdTefC0KjaIGBnHuns74Y56Ka3 MT5qFoyOdwwfHebLyk0vWGvJ80z2oVF7KR8xhboBB1Em3SwErbJx9vDXBdJlj2o1 NjjV0kc8Q3yxwwKCAQEAo48pPpiCwDeOpZmaNf6u4a8tKQBdscJQlsgVXMlXlrbX ktmpHred1jJ42OhU8vpZgJPGbYDOKhsHMb+5UKJjTOEMq8XtKgmW9VZQE6bCIw37 HUKkz0cf/NPWg9NpSMgcykabdW8rblSY0v+MV6rzjgewe65DjPsJkO+oAKjQQLKJ VoljvsSl3wj8Zjh3elDqYztwpPViwEat0UC+5kfwTJNpXm02ByOFHgocrAtZ5/1B pNgiSV2/xJ4CWtiGGnvlqEtDKyZoehdVWIpLPGzt6AI/fSmAjzvRng0dmI/CePjN biXzBT9dD/ffr9WQHbir9r3NCFv8ijVbHDv4DTCOZwKCAQBxe2fT2K7eHnSUO86k VR1OgSX20GmgedCuTvlgP//wrEZ1fnumYMlrHLWwQY6A6KF9YpGh0XTwyoXS5cRj C6/CKQAWyMJEwwgMXPHXHqg5rNStHL4F6ZNDvZUjKWoI7K+hQuKS4LZGHCli9TYp T3XGPXrGebEtbjKzxumHePEswObO8JzkvNZ5MB2nnTUZczuVhSfYDX3GwZQg1bMZ iiise7LHN3D5UBuIhkpb790Mtr3uT0utbXL04wMkM4dGkhw3s33EF0pWk7K+n8vr cwqi3Yq4YmgYTHKRFgZc4nTxECg7o4JZ6nlGkMEla5/2Xg2scnv+FQF55VwqTDe3 kDXbAoIBAQCW8jGLTm8k/GEOneK/QCufpu7Trz3JJt7/OOrWNg86zcXIBk7ZRXZK T0xOSqTTlY5yZm8zcjNSkp0iIaHiM+vW8L+j68eEC1OhWiYO7NCwT1/YUkAN98Mi r1KDWOIKxHwlheJFD/MSIMrlt+iKo/+graIHkv1OqAPdGgB/k0yW2O58ydEfJxc5 7m4Z3LUPUovuRtYft0OK1e/mdY14sx2nXkhZWAsLrZFV9tkdQmCYBJfHjZye/wFT cMwVkUy6Nmvt1H/J2+mB+/TNANyMiK9Ldn+ngFzgU8GRzuLogIxm3p+gry9IQYEe kpGDEmKtu1ghIGuP8mzwFGvgc8vqSEyzAoIBAHOr6G8e8jaaHhyp8L38xhWdE2Ie DmipmB93SPxiPVh9/9sgCR0uZ4XwClSgPhJZBd7nCA4Zc2btSodihFSLj3mBo1OC +uKtxL7m1sPWe48ACeDV+u2gydcQBsPCwEJM/1aXETKnZ2bpPa7eT7NQxnSpQmqY A/U57lfLMlBZ/kVhAttdiSQRLkhw3IoysBxQTb8drT9u4g3ZAreAmU3VJeQgzBc9 c4xdN84GRqww/+UTPCiaKySG/WESbiXMBkB6vde21lmxf1ppufysZKcRDdJNllcC gHaq6DN8PvoP4SDkoGT7AAjrSqXkGS3oMIQN0Pb0pG79KUailBqJsrpQmxg= -----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmQOmypln0WTn/C6t9Exl SK0mhTY9EBh55l6AUw2eKKey0v6o7XNvT8YtEXblgwErh7W5o4BFqPp2Xb/06ITf 3NXl2KofilRla4Eq9/eZVuxwOdhw9IhLE5jrT0v8pvAZxrJXPDlR31/x8wNhIa9A IB4ZRpjPf3rPBCuik3O0Or8TBUJytRlxoVXaT2bRsDiL9nKH3F7Db8iWiTYB39VV K8Ksg/Bf2VPeEoUnZIVUxnMvsKZ3a89Gt5G3GGRFySkGHVk/KAL1Q1ANFtoUJmJ9 vv44lGaCMA48TUp0GS6vuBuTdh5XzbuTDy8ld9RXFIXOzdMpGTDaRyUR2dMArxoW 6tO4HQ370539I+8rcY1/JZ3Laz+yNXWQ7k/QkivQvXB0S5EPEcBnn93GNT3RF6NS 5VtBM8MU8r9WpvU2HYLYqsS+njE7OBF9q0fQfnf9IDX65jQgEnNkxjGZzMV0MQts 0QlmkZNi2bCxEP9EcITPV5gn1FuCEfRGPYSjOe2UUP39oiWy8734J0b44o8ceZhD RoLZBRezNAfGBGT3ZIb4qG6XUtNcM/tB11qY4uhlc12LmoMA9M2FW5LAlQQ/HEJ5 +Q3BEI9XGvpHB2JyksthL6tjqwcdU+agRf+Gk2IVajTStH6GYXaa/E+ej0u8K5CT EqrToRDhMm1axCDURPRqA3UCAwEAAQ== -----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY----- MIIJKAIBAAKCAgEAjU6108QsXlTWZLknhNhowbnezTuwFNET9K02ITFCAuRlG5cz GkfvJfdf4efTr+UAbzi4CidOnCT29eZfQkyRxaL2ZNiQC6DyvEIZCMCschUcBblL /7NRmh2/F3v/QArQONQ48YKvtFyALOk+q+QXwDUm9zVPJQ4VYrihWtFyRD0mFGi9 3C2qRNQvN2STPRo5KzX54o/iBZxqVlVwSVO/8+N2QHWQTaPwwC7sedEj9hU+zeCc idJUir9+eL46o6FBTUSccYoHry5/cpi6YM4oRPVkl1rD58KeBfOnnoweHyt62n+Y wGfYp8GxSf53jUCt9nts329kO0UPfpTsx5yvO/Srk8IRfTEU2/Q71a1ggzY5FTjK X5eWJ+/tRzCA5gDOTeNhQ8grdCJafC+ZifrPHDz/RGcHjilOpI9CwssRnEOH8Lq0 dYx+HyPVFBVHZl2EJx8UOsCTfncxZFDgQJhuBoyfbTjoWA295IpKsSAZchgiylzY VTy0YChWjclxkFymIZpf6q0nJjhTzsz0nI0oMzIIRLosxfx9urhoH4caiWdbGdfR frZCL4LtuEQUDQivg4EHlRD6VsWUJTN7E7sGOJyG6Ydh+8TyXuVQiToHdguj67qa X/KIdienEzV5HOIZeEoLuN/E7V1IJqrkfXs2ORdIsD0+UGCOxODPCRJZPI0CAwEA AQKCAgAu6UuJ4x2Lr4SBacqJ2sJkVg12evNI5eRHHV3UBSNSDHrYfwizF+B37TkC qVDomxDa26yVilkZk1f9aJ6FRyA5yZEdB5xCkAslnpfrBPP657Em4U4utFxJ2sg+ xqaFn1FjHGlPHECykubmggSRUibkY4DtHuCIf7Vv0bWXjeLubpJ+wgsN1ocpVHvc WuJaraL/CmtL4NJ7ZGMVCEY/wbL/B6uRWLYwYFWjp7BP/LOAlasE9CVjx9TTPyGA ej7DZdxlB3scYmOMr9YVuEhfrPFHe2QKr1JMVZrahPpHs2KonGmrsiKG9bLCdpYh 533PAgL+yhjp0HQpDRNIxa4Z0pWFw1MdcQpq20ddhGRIIEasw1f4zgEDB91EOLym 8f6CempULULdAj2QE6irJ1ze9SHnyRtdOe/yhEDzDnZMWiGb26+dVFtuysMblXlE y4zjWby15iB/zdeQWX4fMKxqYt6a1iXZ7OqdjdkkXyNITyVVhVS4s27TeMUfE5vF isQFV0L7XHNB7O1mnxspwsdcz9Wh6ymPdLaoK3E073VxKc+eu9SaROlZns/apC+6 qm6/cNlcluRjyw2n3jPpzR9BAuLSi5Ji8J2qT7WWclDUaNDfLV3PIExauNdK3Z4M kuK7kmrX2AmHUmarwN7rDPpde7c6PvfN5sdVReVJWwy1crvajQKCAQEAlt5swawm jnZ4VWbbJ3WRIBgnFt9ec32JEXU5Y0ApYGGcr4oH27jrWFl1oAE19hvEh4DFwGNS 977TLYdktPrSZAqJNBLIvSa6Dky35NFZrQMAxzlodkCATDtcR6T9NPeAEhxG0gCQ o8x5Hueb/Obk9ob4ngG++mewUFNtLFtYUa12fUvW4D2W4fdlOY2RJ+7aFm8OR4C6 ROiiO3oAsvrUmoL/eyV8SPe8Q1Km9yR9aZAct8qhE7QkH2iHcuFfzPIuf1dA1Cde 3nTZpdOtvBbLTeJclHLpbwDbivYSsHj2rSZOWCeKRnK9o2W+XbArHHl/Jpf7BQtS PnjR1hjVirYLuwKCAQEA78af8h/9J+eyHdEH4hLwXkttrgWVjRhrZy70FbFbymi7 U4zwNMGrwYkF5tGLSOZZwZONcw5PpCACtpAd31Q4fx459IsqD2kESZawNvvAY6Vn 90WmFIk1t0rh0kmSBQDFd3TsdJ5Z/kjjTaVVYGj8euB/vn2lekPXJYHNSjjAeFjr 4dPjOhOVMOZHsH/LPjmlJ++L9l8JWdXsdlwv5gjljfYAAtosnnryFsiy+tBPpx1E QrzJQra7YCDEgp1fVBUg8qPSaWZfari0Czfr9QweLYlPceNrBAqXFU8dnlFv+t3L CgIHavk7Lh217N5Z/mLbBln61YMh73Xdk3uWXJ3AVwKCAQEAlIhDNqHQC+4jJqFv HfgnexuMUH51NOrg6akpaMegdN1lL4WLmw0B1yesIG1QvQ41fNqQ1opzAqqCqo5j 3bIbNJcS4YukymS4RJ/PZJ2f1i/gskOYzuNN7L98aKTNDTqmgi4Io3Qe8sS6cmzA LEr+HKBhYN6DMXCoK00XbNY5q6BFybHCyV6Zj7rLk9AGmvQTDocj3c2klXcbUccZ rRw5+C0Ebi9Hn2cXmIhlDWiFeEqDm4cI8qcl8S4uPDIa6WF92a0DjFt+kTElnpc6 srUWT4WOdDB2Fe0YOEVvvQI6idnuw+eZwSXyAk6HDyIEL7KGNm7mmd69h/fXTxuA EWKNRQKCAQB+Of1X1LlL+bCN+83/mOLLcUADPdNWHQXloxVCGkVtUCdVu7t0uoQ1 9XGS6rs9nG6h9pCfgmgwyd1DyKjBOjAn03zFHUH+LNXh+582wt+sVZZe2V6uLvGF Vbl+H9bsJVTPJ1GXrwlHUY3AAYrpnztTYL4/RRwJOo+Xoja1nRzN/lnnX8meeFKx FHmnFA+l6WjlljkDcVKV5YV/Zdadbg+S5W9qEPsuTyEFF5EJcwKLwl9+Fq6JHXOV DosFC930gM8AjXemnwsaPrQht8XTEhcM991H4mYjEYQp5qV8A/lEguBxm1HWYfBi vadZVFDiF56gQFxJbKg/zLfh/UzR4wYvAoIBADPj8ATlsUPAv84ECWxgeAzS7YAn OeYCj77jiB5bZQYqvuRrIUD3yQVirYUp/F0ZDa2uXopdglvdXXodJXr3c8tdyDka p+hBeIMktP0V9AObBcQOy/iMsASaZAdAbYPuiuDjSd7irLVqO4ppkYZ59MT65DMw 4aLG+txll1IeMj1bcYK1s2dfYuwHgOdIWhZSBH9GVEEXxfFjq9KF7L9v0QCSkLBe oLzS7hGlPod2KJmV1qVVdxQGKXVn8fHg32G6uXpFJLCljxX4k02oBDeCuMwIbi0Y XU0nMfzR2zpIyIgRlZUu1HKxsZ3sw5utqEKNjLBApBRMocJw+SS1OVnncek= -----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhIUKrESlo4HS8zT99ZX2 qRUnW4rxOEW/NhL5v2EdbZdTJdZsc0q7Qf9Ye1XxU2RrQgzbdBXeJdZmfZTydbXo 4KVgsv5rD2Ek9D2zkrRxiTx2RkZEUkznYKZo9zNJCsYqZB+34mHSLZI+HbIWTfMe XD2jLDlevja9X3TOpvyWqOJvxArLsvQVtNDT6WLX6ohBxwN9J3OuoC4mLUerO0cD rdPZcEI82rd9grUDvDURsOpSA9aPOfNtxF18YV8nwm9I5Q6RGbSvdaYwF9QLlrv6 BcFN4JoZN2ytyJC4exACPwW/CC+c9loEMnvVYUBuhggXC0sx7//Jr/BURFU8yPjb +rJdzSGsHrp5D22TpO+f7fxsqGX4VnzOthlO4NH1Jy1nwTudIAaR8bvKFdDpIuWO m8pY4TygEtSmwUJnT8ebAbLeECl8rsnPRnzzl2o0y6eBG+pct5mMqLBv+yzX3YeC pST9stE+iES76yDVfNIL2pNrDlxg4RSS0fvyLv2uBcxzwlkzFqvzMhJsY7iqy2x4 d5JipClvKI5sE4reaGjqjStoWiP1bgT40bwZ45xEPiH4oGoV6k4f6LF4mozuRONd Uk2qG2+YsBpIIRpUkZEq3VkSe5lmAoKumxWTU/Mj5IYDdRs35WbaDtd5S2sdFkNY BgDV8h0YcjbzQlz4tGMKpjECAwEAAQ== -----END PUBLIC KEY-----