MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334
SHA3-384 hash: 987d0f920c6ecc7cb82acdb1b21d9eeda8c7c254708d604537ef26a251b3e94cfe927de4fd117de8ea489dc0bf2dcae6
SHA1 hash: d20a2ef2183a5be7d72a472685f1a511f541aeb9
MD5 hash: 1f9a193b3cfe27fee5998d3bbb3631ec
humanhash: shade-asparagus-oklahoma-fish
File name:RFQ DM03058 pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:690'688 bytes
First seen:2024-04-03 12:57:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:nU0YOwqJS5KxlVa1lNMYnpIIr5D/30MTxy7MJWOgjWH0zrRDyAOlacfnyvxamG:IO7JS5KxqViGv0sYXWQrR3Ol9fwxamG
Threatray 694 similar samples on MalwareBazaar
TLSH T1DFE4221133B9A750E1628BB41AB25584173FBE372975EB1C4ED921CE6F33B00A661F23
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334.exe
Verdict:
Malicious activity
Analysis date:
2024-04-03 13:52:50 UTC
Tags:
evasion agenttesla stealer
Link:
https://app.any.run/tasks/2210a6ba-371c-4e4c-8369-66025da02d8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/660d527aeda31927461b1a3e/reports/a10ed403-d828-4f0e-b63b-31d5ec1db56a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9240e88a-8166-4380-af19-69f850666d23
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1419401
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1419401 Sample: RFQ DM03058 pdf.exe Startdate: 03/04/2024 Architecture: WINDOWS Score: 100 59 us2.smtp.mailhostbox.com 2->59 61 ip-api.com 2->61 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 18 other signatures 2->73 8 RFQ DM03058 pdf.exe 7 2->8         started        12 xLnvLejQlXS.exe 5 2->12         started        14 ZUHFqcY.exe 2->14         started        16 ZUHFqcY.exe 2->16         started        signatures3 process4 file5 55 C:\Users\user\AppData\...\xLnvLejQlXS.exe, PE32 8->55 dropped 57 C:\Users\user\AppData\Local\...\tmp45CF.tmp, XML 8->57 dropped 81 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->81 83 Adds a directory exclusion to Windows Defender 8->83 85 Injects a PE file into a foreign processes 8->85 18 RFQ DM03058 pdf.exe 16 5 8->18         started        23 powershell.exe 23 8->23         started        37 2 other processes 8->37 87 Antivirus detection for dropped file 12->87 89 Multi AV Scanner detection for dropped file 12->89 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->91 25 xLnvLejQlXS.exe 14 4 12->25         started        27 schtasks.exe 1 12->27         started        93 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->93 95 Machine Learning detection for dropped file 14->95 29 ZUHFqcY.exe 14->29         started        31 schtasks.exe 14->31         started        33 ZUHFqcY.exe 16->33         started        35 schtasks.exe 16->35         started        signatures6 process7 dnsIp8 63 ip-api.com 208.95.112.1, 49713, 49718, 49722 TUT-ASUS United States 18->63 65 us2.smtp.mailhostbox.com 208.91.198.143, 49715, 49719, 49725 PUBLIC-DOMAIN-REGISTRYUS United States 18->65 51 C:\Users\user\AppData\Roaming\...\ZUHFqcY.exe, PE32 18->51 dropped 53 C:\Users\user\...\ZUHFqcY.exe:Zone.Identifier, ASCII 18->53 dropped 75 Tries to steal Mail credentials (via file / registry access) 18->75 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->77 39 WmiPrvSE.exe 23->39         started        41 conhost.exe 23->41         started        43 conhost.exe 27->43         started        45 conhost.exe 31->45         started        79 Tries to harvest and steal browser information (history, passwords, etc) 33->79 47 conhost.exe 35->47         started        49 conhost.exe 37->49         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-03-28 11:25:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujc72ta32or7sn2jy7upofs446dt2mxdzvyyl4made2vxdzzgm2a._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
189366b5282eba120afb62f0013934f656d1243240644dc1da02feb64bf47b98
Formbook
ad7131b66e0218e87b565bebac20995ac672871eb45d17b0c7a41afd28d0fb0b
Formbook
af83c0d8ccb38c430dce3b0c4a18eeda3c91832ae8bb432a9614619fd5727e7b
Formbook
c4caf87daba54f6d5e35ebd680122efadc83c8f7a0eb7614d390206612e09f53
Formbook
cd477b7ce28707ff2a532ddf8054f743f0a5ac7cf31a01ae96fe55e089f82955
Formbook
+ 684 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240403-p7ptkadg88/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
640abd76bc3e761722b0962e266795fe99aab66a2cfad05b0ce73204b5360008
MD5 hash:
9e280a91d83bc4b5613ace467151e242
SHA1 hash:
d1aeaef0ed6073e33140fd441bf46f3188f6253d
Link:
https://www.unpac.me/results/1d3ceb62-1e86-47d2-98f5-d71394e7a411/
SH256 hash:
b88408d4a126d8a7e650ea13c3c9ad254adfec2ca095a77f1206d19ffb85e4a5
MD5 hash:
d8484a81ecf6c39a09cd56583a0e1d44
SHA1 hash:
55b0ebf1def4b7805e6897986a2b6f03636ff70e
Link:
https://www.unpac.me/results/1d3ceb62-1e86-47d2-98f5-d71394e7a411/
SH256 hash:
e3902aefcbf651b2ca4d7a9aa1689fee1729fc6cdce0d45e75ae5572c5a1e703
MD5 hash:
7dae6b96e27ec2bb707b0aab34022d7d
SHA1 hash:
5498799e82d023c0403c492db416643f7883e634
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/1d3ceb62-1e86-47d2-98f5-d71394e7a411/
Parent samples :
6c37a2a936f9bbfd57948d3563b2fde3a492cf72904889d85bafcce2e4ca3b9d
d55b373e0639d13bd90f2d5c43b28edb01d0b0331b22f4630fe0f76578f9ce3f
8b78d6da98f169fd75cb59064e11661d4b56461385985214833732b0b7958301
d2b7803600c528285bfca80adec85460612c69c83585b9c79a3d4b988a4d4b89
96b3276c7d34980a39195cdf235b99147bd715655869c3b70692979ddd290d53
275f0215c61c0ac28c4da0e355f33fabdf5709dfc46eca4249a76f7925805030
84b2a0360556088e4aad29627d4ed15d53b18aa72d9d98b4b0d1be27916c681e
be629a7b933524a2e5a2376124aeee2654857d77a0a0361a7d57a814dfedece0
fd70b499b3f61717a04333c9fd4f7f244252854b6deb0ebd627ba2934b53d00b
a83c288ee02e53fc492939cbba3b33070d3e6ba9ae70053936b6dcd72a2c8828
9f172db7ed366ff9f5862b467b80202720badaa722712c38f880b8e9a80093e0
904b3bd6dc96843fa949ece4b33ef83650d2f735f0caac028cd3384e864ef8de
624698f7e331e05b6111be58e067127dc5ce81112564fbc99e1f7189c3583e01
aca0a4c82fb2575678e1bfbf0ac200f24e9ae1e95db27a37868bb592c7f62906
3eea942e74619bb0b7d8a07df37e53886685018278672a6f7db07db54fa2d172
3a93ebec868141d7e6d804c825c79934f5db6b72825c74635b9f6c0f98217b76
4fca30510ffdf9d9ba2d4bc4475154c11eb9ca9c07e5c2b694d9fec4ff0c34d8
a9b65628029d712ca8aa767fe9427c04afde4eb9902b516a33f54bf93b3abe64
873ed554676a269bc32af837ce8ce2730c8fd401293d323daf7e80498be3bccb
625cca7c3fb4e9528da051a098016617056fa18f34d28877a20ca917ea232348
c07987b5aaad7e8ba333194b3b602ccde40759ab7d957a4af0eac7da722f72ef
e0b1bcb5ca129ff46e5623f8fb3bb079df557e688e04ce79747eb7ab8ad1d3b6
7ab78e7d259ab104796723c7246268165dea4e0b3fe7dd377a55a51108710030
2c24f2a38003524a1e35b9eda13cb6ab305cdae7d604534ec5fb7ecd2e31fed2
a546f9b6698ebddb8c6ee9cf0ea57d95e3e09d226105f8b2f520a119fd8697bc
bfc02cc838f9c37b322bc2a390f7cc864c8ba3f817b66c2f0ebdd19d17622011
d3ccc0fb9071140e8f53038fe2485e98ef1f862811ddef342f9626a3dfa9db5e
ed8a3593d056c5afa99fc4331390b42645b3800fa98e5b5e0089f7e3260ba283
0a6c1a3b213126aacb4bdf23a40b18facef7b2fb6efd7bb49f3549d4a0c10eb1
f80634354eaa11b9bd3c8cc13f1dbd03b4b3b73de43bc6101ce99b05ffab4660
dceba55af1e605a6d7a75e46bc2a0f15a8d33c980ee8f261cf78a8d7061f81b5
2f34b538be532d42d6bf9c9f2f54442355991ed12b15ea11a3cf0c7382df6f7c
65425223dfa8ae8334cf347355822d3fe7589ccd6b35733db1e473a335c0e49e
347cd01ca6795fb55f94e8198074df3ec9e61bbed474f73b8e89f320339a795e
1c28cccf93bd2b76cbe8f847addfbe78205d569b317277cb2fce736290df2a52
80bf4a9fa656711ecb841491d70fb6cb3696e6b23eae176c904489a382e66a87
58c468eb6c6c1c30e136a4c6eb71d894188609b6eb176fb13e72848735790530
8edd24877baa6dd61d0f2e4a6062b76336ea418f26bc96a661c3f942d13663b2
71ae98c7e6f3e776c17594e8007ecf47ea0209f0ca1142515e4958c02267bed9
5f834237db6598266c1127b74062bd1d92150daf483ccdb0b37f1d306494a5a4
78843dadc6d72c707ae1ee2fcb784831b8761ee14491757fae9b46bf491368ea
296d5ba75c695171bc26ce33a02e4b16818bddcfdb7688011d741fb78d3dab18
6fe1240f60f2c861c5cebbf1bceb98553850be3ac19624ea676a13480b2dd8ba
951f86d33d0cae5be953aa0d77048b3237eaad2f8dc067522a592e14862db975
d334afd3da3c629abf0772c5be572d1d7b252b9a1ad2fae0e1809d04635f3e4b
5f8a2e11f5a15dbb011d8517c65cf242e67c06ded9b3bdb093678bbd0a5ad797
bd9a2450499f87561deff9f7862b4ca34b5afb27089b8ae90578f7ed28054808
0a2d5142d03f0dd333f371e089c5f0d5fe8c3169e4ee78d7ca23b1472b2f7b48
27aca3b944c0bbd1b6d020de7a9ef916ba170e017ba63304adfef012822cf20f
4008ca2e1341ca2b4bbd918537d4802fadf4bfa3dba0e058c840ffd6df43c651
5471b0242f94741e723825fa78a8fb6bf31ccd641398fefb9b45d065e5c9735f
7beb85da1bc8b1c935309f219347d8534a77ba114ca4217bd60f98b4ad05836e
badaf9c6f71a7c03ecd0e08bb38e428d3d475625b27454d8fbc13796eba13e1a
883c03eade18d7b56edf9b057f55d4976ba31c2557aaf583197e3ca9b2d8a775
771c49d7430b930313e8af81f4b89fefd3d6b6450fceab630b125a6a6d4cf11c
1caf814744f9e228c8ad8049345ef8e068a957643ff0f5ccb45cbf731d501086
83f95633e684da09fca39117dbded6dbf2b934e6224b274a5116e798fd423fcf
f6eea72845ed2286d5faf76e537b1e94081c2fea7be4772c5f63a04e6a847795
cb348e8dbd6c518a9ad671a9fb235cea3eeba8b7036fc5498f6b118d4bc3060b
90f4e7731fc41021b7ce9f9d15704c9849cf3215161585721a370745f7392e71
d85a4e28a6003aaf9cf0a6c0bf3f5bee31eb82f39930f8ecec7657dd24093c49
cc6df33b7d5eb3995d52b12f9b2ecb96f8bc3d9690c815d6be5794256a83b403
03f947f4c599c0110fa53c06a124aeed81ee3685c7172962995a029291647432
934ab6f1c60d5ea181148d9de4b7b74da36479595558d2d19e4f51cde8ed4289
c9442f4c2448bbf998c2ca2a095a7215a5890bdedf109bf4af6eb742ee20bda2
53cbb972306a7569a1762feaa5df42ad66de898691b4cabcf1c2c35526361d8e
5d687e5dc31945246f2a483f6bcf8879c44438ccb7885b936e1fbf358faadf9c
a97377cfba7cbb86a985eb4820a3642b8d72693627a7321a6d1cdb859e3e6265
a898ed790cde47b79f0c27f18406d6e290178bea8c35788d5ac22622cfadf2b6
5762147a28aaed979353975b6f7e2d31d71fb827af0dafb991b442c30e161caa
e251e91c26b24c6bafb419121155f89ea9bd320b5f9f143eb2f38151d18dacd6
b01f723c553f2255990656cbbfa5835293fd9489d65cd05b3d50799f063c3087
874a7b6a03a1e0377317411213dcc583179a51784d70e3eaec29e1b0e0eb0892
4af0ad255ce753c34b265d5714681b436ef635cbfc8dab10349ea913547be805
b21d51bd3eae9c07144b4d2527d732227a775c18e42812eea7a6f3a84c4d3a2d
f2ae643021b4a576851c6883f50730229228ab9b2fddf6c61103a0a632cbe6df
1cd783e8b8452da8b87fef52742d4ecf53cb1938e375b62ab03214ad145405db
86cc6304f5610bd7836b6706c2fe5d5c1fd88ad5de23927e41a1848dddf744e1
0415cad6fdc37b6ef123d454f71afbb74f7d1a4865498606f3f6b7d12b1eb100
35283152bb31940827ea64cdef4baf0f332f38b348d83dd3c34364b97f6d3d87
9dfd52d9008fad9915a2ce18b0f9e9a2dc6c513f7396d049a82faf97410950c1
4a24e019d09e4e0655cd1eb40bc2a335aaa9fc6045f0fb5179cf702635e37f3c
e21944c3530815d8311ac5ecb0bb8322e719fa46f542e40b2a0204c1acd08406
95258e985767b6f8f212339274fff99ef5916504cfdee6c5e4dfb0ba6346c6d1
6fa243236634b85abe3be8a3e0754427e39c2d8529e44090d7145c0873535d16
9f0139fadc3ae86c62acc7c217e8e3ddbd5965c0784d64737874566ccd28920a
8c771651742ebfa4cba67e8fbc99373376cfe9894e2f86eba405b0e22ac018c4
b6d91bc05bcc51b0a9e9f6e605493168b1a78ccd6f234030d05461e12544cffb
a5810d5e9262b17b5506cbfc546421debd1ddbb593ae8440c2b39793044200df
a66429ccd03b43ece44da4841bbfb0239e3bd8046d19a4663cb1d5b4cb176b94
a25bdcab7a38affd0798e5d674341724726c866e7cd7348b3d75bdb47ccca230
8094dba1e87d004dcade1f0c8c15b78af99e3568d7912fa7b85cafd1e88bc83b
7e714a80d7aa37f095574ad215cea691c865fc3314bae6489346974f6c4cbefd
f3c4c44285b5439a4c608e38beb95ada32d34f68b83ed9795649185754d9d5bd
d8385e24dcc05c0115ca31d9af40862be2918e6e14f1d5c83925827484ecdf8a
ae26b0a63c0bd0afe48f8b9e662dce85e23a096b3c34178634417bca5495b024
425f76eb82d3accf2865ff9f455a49675c2ca3f273ade57fd865c8fec5163f1e
6ea6f267651edf5a261e20c68eccb8881e0aaeb0d96189980d18aa39b15b8848
81ace4c307c53dcb5aa5e1d7a971d373a734c747408be3a9158bb00b5b11f8a2
10a2ba9cfcb7738cbaf5a4a01fe235d437e303c74225f6792536daf532d0e7ec
d5af1b5ed5eeca90dc835ed26ffc8a8854890eeefa32aacaa094b5d606d4edda
e7692d992063cc29d26970d7b1721587b343687e12afc68683450650643ed103
a5c3adbc3170961645549d41320184a231c0eef43e2c5eea71f235bb4e273d89
cc01947c77b007c115766cfc45885b9c9363afba490b38516d0e82a80d185ca2
00666bf61ffa5fa165f2bea9a18d7e902baae99f456d740b4272e476ecd3cfc1
bbc7fdaebde9c78601c1965f662082874bae5e023f85701316f930266b0482c6
29aa45ee8553d1697f4a8cf318fe4b57a6628d3eb6836b1dd9fef6b67741c60d
c37ab5dfe51203a7597c48320584457c90fdfa9c9d0f8f6a86e24a5f1e719463
226c51d48dc1734480b8e37ea9a4fdf57c5a7e6cb316905b38f9650292d980c0
06310626cb603e88a438ef3bda2702ea27867e3552ddd7010fe1e55d6ed74839
7f7230e7228c5ddd4e0536f6401123cc6eb5f3a6b1fb05abdce2d664870b590b
d56e9061e7f6df6e094d1582d817c381f8ce9ac6c3925cba5da96464487a18b7
a325a9a1c6a1c0d8df497b180021ae7a5860103f8ed859956679a5a0f608afae
da453b1b8927be6d7714036b6089a94641f7eafcac495be86d121543d42b4679
95e526a19a39942ee7073e28adddb685bb5bb41f889858c91bea644c657acb36
f34c081e10503e1930c7a24c39e144c78bf59c22e6741e9c991334ca78fd34c7
69aae743926fcf585511c62b5499296003ae896e0c25bc435981edf30bec678f
4de0c431cb9805cb419d42e5f3630a74393ed10409bf0e6d3d65c7b95e380aa5
4d907c3d7974732445e036c17d48ffa394628c26a25c5eac76eafd101d4299a3
2f1acdeff407a2ddcc16a30e5524e07cc543d45e0df27cc0d6da3722f0f7c998
a87e27a64d0e52356582fb694d7466f79118ae9f2efd15884eb772fda468774b
9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784
ee1f5806bdc523e06b98c513142a735ac3c16da9948c645a9916bd68cf24673b
fd2d0fbf84a26d2dbf9b64e57c4acef804d83eb2c5b10273c1642f9e8ef7db47
377e4f1424a442481aaf05cc99550f80ca5a889bd904f44e04963244274eaaec
f5e5065093aba6e737332f46cfd1b0672dd9c7025e599d9832f8b25b65033c94
895665fab2e077f4ac46cc0e9ebbf5e84da4a851c163320734cfd39f3916bba0
67f529dd5840b8cfa3b8c08d4ff21f6767fda83343a508536ce7a9a643198f0f
d3fe532dd98ebd8732a11a78ae670a6ebfba1702c1a36c26aa9aa22a799d8f02
12fb27d7a59c168a82317baa0b127b8a826cc98dd108fc37fd022d8a842b06bc
3d6012eb13b5a891571ea2d7c7bf120b9c12d479e5cb2c6ffc7e515e14c46866
e95d5046970872f51ad1d86cef75cf697d06f3a6b16515aa2eef09f9145e5ef6
d38c0d55a08eaf025aa10acc369013f10031a2e09916e208d9c08aaae66f4e78
b5cf618624df43618a33e366aed44a39db6c92c6e4c9dbe7905e415307028aee
3510d84f8b7c07db80eaf1f190ff3727c3ae95921cab2d308a711b1e14f62099
3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a
210759f49f032d8823c360b0e6d609ccf2259b885e86a15a70a39c09124b9a60
19299c911d297fef582c50c022ef66afdfba6b761f329d7ffe05e96353cb8122
3bcef269e37701fa26f27b3c759d1fddeeb96998e2f7aea05ea02acb15e53a3e
fe4b792ecc090ae8bcbef6fcff695cfdb39218a8407bcadb6dcbfabfc6109ca5
8cb37e1ab48747e7fb63dd2ac1bffe1c9f0fa98c160613922a995935d6abd2cc
5e0297afd07492a109d03b5fad4c86d557de5d92aa1a04dbe350687f5e5baef6
0385e72feabb9b4207ae2266774849feb9d5179d036b4292e5ffed33c27a5f4a
5fd7aaecea93b94823aa67414bf4314bd1f19c8e8ca44ea569210bffbc623f55
ac517064216de46a3c1ab91e2623170b89eef04b4e64b1c24149c1bb64b24ec8
96d8f946d4ba59979608136ba3117652705bfdca1365f5e5b8a148fa5a601e11
fd62e09831ebcfa6b2fa8da868a3e6da9eac62580a7516633a8490bb6f7ea29f
ffd4e8b034ae025652b864be756effb0bbcde4042a7d9dff66c50631f3de6e9d
4658db261066122d0f627ac3452a3dbc06dea0c458f706a7be9f615a0f00995d
d1f0868ae3889a44d3a0f4e0650c8c9f0806cbae37dd5d8966376463b6bcf505
454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743
c724d2ea45ca1042a13c6213a95abadce85b4ad844200b0c594baa5028eb4201
79216525955a188f2a55f94514cfe9b9c0c1ce1e116d930cd9c5600dfb46ddfd
922ed44d8e5c7526f172f18f7f2bcb352ae3c89295aa0b18448e6e18892ec4ef
f17b902f094220be7501fbf02ca5e258de6458939b097f60705f8872fc3c73b7
2222a80b782ef6c2fc2c6a78e63f812b21c7767a81f3afc7f2eb81aee9f433fb
f1966d8c36df489b3dbf5b888a502de7799b3ff66213806e4dd3633ed8ee2b80
66411161faca1e2387d246ef7d69d73cf2f848725546f6cfcc87bb4c4851bb9b
8e1168d2a5b92eecae7005aaff5ed4dde8c6cabc09924c3f14665c4242350ef8
83b34f0f0a0bdbc115ce0d7e44687ce16c35249650c9d242a646a5ed804fa2f1
2eab6a48a08726441514655a1d84a3921af8139cd2e7b61f23a30c11785f28f2
ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924
a39d4b589dc608fa2dfc06259a2d15b9a7edd2ed8d0a3adde6b71151db0a7102
4ac227785c3f1cdd4b05a9d2ebb94e88a4af65303833c4dbfc35113dc21c97aa
76bd7d4ab00c260d021b928207d2617b19784eedfe615c1352419512e62fb8cf
c2a6bcd8a0594ef65687fad97e30f52c0a6995efd5739c1a431376de5ad2857a
15d2a43a0424b074f4e9f306f95bd04f9a3c33561b021364a8edaa78767c631c
1ed60fc77b07f949a7cc3ced2dd0e0de84ce806a5ebb71d7fc51f31323f2b928
31aeeb6ce979eed704ead00a328df97e2d26690a02e5a29a1d2070dff1ab27b6
bf97d8ee1b61a6699e0a1ff3cda31252cfbd154804673d83dd68b1fee155f953
b089fa2bc45c847783b8eb957d9d1023f707a96073f2657d6a838eaf5619949b
b85123da03ee5c76a1a98d7b8a5c56cc07efe444b9cbf9f2c1f8813fa324ce6a
24565cd1781c0378bf33859bddd21713cf1b624d2ab697921341ffb2c995e456
0e3829a03b5d78e96c929e089ef91ca74c2e3bf3bdc1b263c9409c0d35b5166a
f6386e0d3724eb32912521c957a1108862892dcf473f5ab73cbbbaaf29955e9c
ea81cdeba0b369e1e569612f98fd470a3727d5452c98d828010647c5ac9d0534
9c49bbe71a875101949fd0ddf980825c8ac09d566c9e55c2ac94caf8052f5e2e
d9626d89b255a1226c4abe2d59a56f9dd6e720a90461591e0434c0ed2ddd3e05
0409163681798c7dc104320e5cc50a45826e1aac81b858fb426779745f322d3a
0dbd99dde1de7165ccde4c0b87b7c533fb79fb3c99e59356a23f74f939d7a32d
b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a
3f756a83cc26f83550f25a526816879b5c086dcbe824612f0ae2f514853302a7
1ddead5d6964c8e382d3b2ea694774ff58486bcfb7996015561cc9a03c61b536
0353461e3456838001ee98fd63e0df5563fab3836b26600059e4deed142a73f6
1351b990d6a707e3a6e70890c2e4a637ce36c074210bed4ed5861e111f766ecb
d77a164d8b30492de1b35ad59a1739780b8691ab5bcdaa63585b1e02127abe04
bd97d642866f3aaa69be60fe0ca7f96bc495e5d060a4c0827a9929b02df7b449
38d45a0e0f376be174d788c93424ef4724daad94ce4139beba1868a36d8ad47f
0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305
8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e
1d4c77db2631d25a6fa5355f7bbf1254936c675a9618f35ecdd96fed46d113af
9a71fbe977c8db9b96f804494901b49117db817bce171818140629a345b7eeaf
c0faac0aacd6a63d5cb4e508a2884434d77aced3c6299dad91e982daeb26d827
63235afcdd767af4bb5bd09488642bbdfb0124e9b4066d00b4815050faae9079
106f7db89f2f660262cab7c367d2174e2bc1cd1f3dffaa984ebe5ae21d2834d7
13c8ddb6f93accdd2ecf3725d709b438fe1eeb3637e42a2df7e141ec339287b4
cd477b7ce28707ff2a532ddf8054f743f0a5ac7cf31a01ae96fe55e089f82955
17f1c3567b5334eca6e41e7a341faa999fdb22f64004a185874e23dd4a43d06d
b700c973b1bf8d288ca8cfff7d713485f9792d8901e6658bd419ecf7cee76168
e9666b1c4832b4fae3effce740700f565e6336bcaf47852005c1e0553436e7b7
42507b45f4cc3ac0dd1bc6ba841fee90c67a8617a740b1f7a0725b55ce99c49d
d11ccc73abf2ec6aba5040c45e89eabe23a9a364af505abaacd19294148b7ff3
8a54d486d4b795af1b8f7506dfa69e2e9fc298a361521af183cb9809cdc3d68b
5a2666c6e1d72ae675ade0ecbc29228224b3c631151019891e6f07ec7f5aefe8
fbad66e0031f03c7f1ad457e3fc929c1259f236c938c5d7c70f8e77320d7d8b9
f9c6d61e21bab262adb55358862e97b2c0cd9b13a6a73129510f24a917558911
ad7131b66e0218e87b565bebac20995ac672871eb45d17b0c7a41afd28d0fb0b
c4caf87daba54f6d5e35ebd680122efadc83c8f7a0eb7614d390206612e09f53
189366b5282eba120afb62f0013934f656d1243240644dc1da02feb64bf47b98
ca92b43dfeef29646eb50854fb424097800485d266b0a265b6f225382fe56600
540ee02cde457f4389894abe69d9ae02aa4dbb9b2d7d04df5adf9af6b1b8a5ce
9172e4c414e78d7439122599ea987912ab0385b4eaece0ab86c5ccc6dd138bc7
a4dc379a6ca20fa75f16c167cb516e37866b36c845eefd7bba23df27435497df
ee82a7d799150b129c7e27b8328e987cabf5de9d204b7e028ae2849d92672e20
e77c8ca31128a1a181b99a8234f39559854855d871d7abe167e004bb970e7f3c
af83c0d8ccb38c430dce3b0c4a18eeda3c91832ae8bb432a9614619fd5727e7b
b582fac0b16e16390868882590ac8d81dc00ecd845bffa59a478baa11573617c
9deafcf231a2603f660970083c2661ea86eb470e0693537b68147b4c418d9534
fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
201659dbdfcf74863cd21befac24ee34f3a1fd86985a2a5b4077810f7156e993
c26bd0f7c7c00b7cbe2545cf2f9240020f9498928f96091da19e1af943ac837b
4d62deb9e012ee45a9b2d5c90a15955965957d3c8065b24efdde65a9c8a33b66
a4b1168f95a6e4fb04f2b53e4d71ed2f75c585a012a449226881b90c7e40c2c0
e09a94300d0d920a995471c0831f191466c9fad9bca1240656f166e0a12eaea1
c1554b4539b962eeeb79e84058197827abae4cad2dbf81e5055f7c9259bb3584
c10a19322708c99c4ef58c4c756f9b9091375143e45bbd6511acce9ecb8a8d05
1408213c15754a0bb54ea752fbd95cd21ced805e8398548fc400526058d6606b
9ae07d0154fb02732fc009f43d854b0cb691cb44a84eb2dabef37e53ebbbbb93
7a4c2dd51f51dcb5cbe4190ba3713047c7fee995c5b87ee44aa55590a4e533b2
68422d64e61c6a3e2735c5d0270d203612dac080689762786f2eec9b61768e3d
69ea9340276650865e2fc2fdd0a0f5e2ba3bd1882ffb6c9ad9dfdc66ba50593d
2e368631139e75aa6cce30aef3ccdfe59dc2131a7f5166fa5b0e36c969eb5ada
498b4a265a27f8362fea4fcf15a184b220475c891249c892406030eb3b245c00
79e473fb7f021d7b394ac013c2abcca1a094a918b6f2edb48c0ed18d7b3b7460
53ffe79bd4c176d257a5b0a5a147ecaa522356d3ea80ab83dc6f8c55bd545c08
a48b8a6ca726f32569a7e2041803898a902437ee7724da53accfb6dc52fa8a87
4d71dea7fedeac5da79730368e3e524f82efcfa368293651bf6c0bb0e423eb8c
105c79d054029dcf3d38c5ba526dc7c111cc2e2e6fb2555a88c0820a6ba9eb52
e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392
8c02e5b872b0c6d8c528a697e26bd8e6a39ee6373101d13002b61bb8969fb607
fad66fe6b9c99e9b74fc56c06512b5d90a1296d15afba3cc356389524deb56f4
229ec7247f6417ca029b4bac8fffbaffebcef4cf42bceff5c40bd15b6149e92b
60235490311c9eeb41327a7e151c465af9b8442ad93a98d270d8e50210b97199
f25fd991e42376de0f43137ce7756f37eed5e39a36ba8dfc2991ee962963a51a
0ab7b1d8cbcae94f3609db67caaacaa8fd58ddb59a84801606be7d2b7187fd3d
a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334
bd20db8cb3f5922cc0d0463f4183731c765db8ce00c3b5390529ea6a806dd946
b963cb7357ada0ea54e2cbce1c525fb0b69553296e233eff8e1fe02fdf63b5b7
d7068c23337a266991d88993f5b73c093a8b864f8f90359aba2026c02a1d027f
c94be0d3693316359c2e48e43baf51dff4f0b8d5efab6050962a09ef46ead4dc
de64c0a6d7c265a6f917c40454d8f4fad3208d796c8f4616fd271a4882a82843
65592ca7266175aad70994b48f085c1d00b2fe4d49d64b22a4c6e6d70c33c594
60403226eab2c0804d72c9af7892289d728c8e601ca6bde6d9c09cd51c5ba6d3
f3c578f72d54829d84db9ee7388b7afeebfd96fce52475c24b50bad9384eb739
0408bd468824d124d9115806910e468348cccaa6efea5f0392da90ef1b2101b6
557e4f3670624f5c317ff12a9396ab75c58fa21b19319562cc492d26fdff6224
60735059f883e9fbc51948675ea2f743fc1c1b1e240295464daec6d4276a314b
7171159688e2f33a0545f09701d5d20ac73314cefc2cef8b62e8d4632fa650b3
16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce
f190dedb34ba43c2299841dd65fe7eee19a299b83624cafad2d004d5e45df2f6
bec65c0ef5eb78d5e7996e148a4542f44b03acd9bf3ed7e7c33411d803b35cbb
5a24a831aa5458941012dd18a274a1ca466b6dd5e52fe156da63022774c084d2
56b1b13bbe42015f512de69de47af0abda07316f4edef30f2c1ebc4c5bde5bf2
92e145a48dd996cfeb21875602cfaa7265f5d759a81c638687925b8610eb4f55
c3f09a0d0dacc5d6ab41cc028c18523cba4e1667f9688a21c4cafac980a19232
2668647908117790fd4d82c13e88f1f78ce3a2ebdd73fe37eb2ec67774992714
43c39d43466c7500e6b992fc872402328530f74af2a1458c991e59e004e0a5b6
24798002b81be4c9b37539e1abea61cccb014cbd427fe1a27d6822e1ffedc7d9
9fc2770fbd67c9b6f9f244ac6ac0fa8810c3d50e08c7d77b332bf1447ab77fab
2c8008052d15b5a7a61808357f2085226f7f9bc9619bb2040c27024a6423b9d2
1ba9c4dfbdfb55f6588c8887006f2851716eb6e53eb2bd1bccd591aa9e182da7
9c11640197fc3371df9f310674ba555eed0d033d7f438ec43ba57031bc3d16ba
1ad287b46085949f122b49d41d7cd66155f1b10e745cd64810f6586a3f22b60c
29b22f8a33e8dd40cec2001bb1634769e1ab182fa93f4cfd90b13d8e3d955c28
38f97adf003d63f84a6c5bc35c9d9096901e7292e763bd9fbeabdafa1aa5fa78
b2252be1efab10924f14a9843431b6413498517d4687b5214a5ef7447dc33996
b8e18bc0e70d66f8c75b8ab1aad8f9f25a6d37c45470643558ea9d9f0d1069b1
12f1562e82415f8f320bc830dc6047870ea78ceb7e827af394dbe428d8ebc930
450160aa7afe149bc82992b2dd8f44fdaf64fcaec24d7b9c8522251f538a7636
859876f4be1e8206802a3468eb52a143bf5bc15724c0b66b70d98edd79c06a08
f48dfafeefb4b36315d6b8f987df1026d29c102bd24703a08cc4d4d41a483505
5408e8b840c407984e92034c26e937b1785c5f4b6762b14f2f7a31cec4d982d8
da1903e676a7609f931a23ef7a653af4c1be9ef5242a80bdca67cb076d372bfd
cf432fc47407df80dcf984cf5d8d1a6aaed7c8c2a4c9b3a76627b4194bb9c782
73c44dbb7ece4e2fee17409d2d0ebcc82a77dd86c7ab0c9da9d8453cab59fbcc
c161b936b669673a3441c19755270abebe800846e8a01be9477e634d91b44635
191239a61c70ba900694d294a164f4a162b84d11672871fbb5389967bbf52c7e
ff2ae4fd71daa1a98edd5f88b743a5daa5fb29f70b87dee08fec25313a3640f1
554b40336bad24df88cbde544cdf20d553d02ce7fee5dab9a82318d7c21471e0
6a8efc3348d8b25bf4070dc9ad8d1e69d59b1ac1646e55fbef4a015c25ab07db
5d4c2d7fd974a27b151f948878af80220538328e121ce4cf3a8cad2156f6e48e
bc5f1294caaee05297ad1547f2f6ec4a309c16f7caf906f21038269d72f54957
15df84ca3a0c112b7ab461d6ee7603fcec8e24da91d4042d3ab018f87530b6ac
32aeea1990475960922b9a0bbda5a7edc864a3c70e4b8c5e84b16e269ea6fc7c
677f5939951053c165cdff92b6fa68d53748365869a978b77c2a501a46d1c4c8
67a792fced715c64610c55d8c01b16d66080c10004ed572e664c324468afdd7d
02a5ec5d9037cdd26b3f1ade8ea4028fbd0947284bfb3d7649e065d22db0ef91
704427aa451d261a1a92a6e834a1ee2be50971a012e711f9f660403904a9622c
9f6eb9b6b3bf92a75e32208dd51ce6307fa5ccdae27f02f0c7e2712544c2c04f
8506e0fdcf9ce49bd939a62bacd3e4d1af3522d72e660382684b1e4d1bb8e6b7
8fb359ccf3a3b6a0eff8204f9ee27c2dc41b3270721716192a7ef9253453b59b
8f53280f0b7807f08cf03152768d385200db1ad864b256fd9e7decbc846b05a2
70517116e2400906af6125849ac27b66159a45f6f1782178351e82bfe5ba205c
1711d935991cb37bd208dec08aefb47cf049baa4aa465d3188feccd8d330e72d
190504e991bb8bb608cf87db9ee7c7549999a17970251490ce85282f85cb49aa
1477c5a22b7e441d175da26dbdb6511ee298965a149a4cdc220875399f3a9fce
21e28d2ae74d303a4d013aa13867dab25bdf38622f17ff83694321fa12509d62
2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65
bd7f924e17174165e42ee077f973be26f07c6653ff33951ff9c53fb7cc833bae
1dea51f5680fedc83402ccb9401ae907c9493ef8625a76fe6f6cd9f475021e6a
a433dfdb99b293b73898ac05be0fbf6baa9d79976655b0c51ba5a5a0066a2632
da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92
ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05
efb67364fa543ceddc607094c10c4b71f3baac1f45de5c2c759c489f97a64ec2
071fdf3d332a5a7dccfc49c2db122868a4c0cf104e60404fb180bb414a3ae943
57e5f349a7c47e168e15daa6c9825e9075022c9aba9b1928e74cc43dfa0cfe01
9ce963b4ba27abdf1395a51e9063d5d24be8b5388702b17e8f3ee27e88ebc746
f064387ab391aff2b0d120df58a0a98e269843462aca86076a9cb113885bd2cc
47cf473f0a0c146e5ae4a37b987c297be41d82af40d53e4dc750ca9b66fa7ea6
46a4aac3b75258524acbd39521865fdb1d747d8b6cb4e741a2cf2387ed422bef
9d1f9f7012962df24baa3c3ac0816333abecf2a433953f68dab7e7673fac59aa
ca1d2592c9726d9e3a6a57c55ac57b40d9aa3bc501393a40962afd5bd4946433
4b4c3585bbf95af33fac18ae92347069e2b732626cc6c7984ebfef92ea0a89b0
31fea186e7379793d1d9b37d2a981ed0fb05d40ee7d62e227eac695106ebbe2f
d23bd1fbaae83547ec6aba06ad8b4eef5119bd4a0f66634a6726b6ccd5dc3c78
7833f08faa8eba4210758800620948a39a9a7bea302880d5f44739aa10bc21dc
dd14afafbf11a0251a0c5c56b3ef8b0be205cd4ed5d70fe77df7fdc90a039a4a
408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c
f24092f3ff18dc8a33a8e87f1cd0271aaeb22a1d5202ddf59979b4b8d0d784fc
86690b4f9bbd7f4099260f5a10e331835f66f996f127af73efec26d507cc3204
36ea8608df9b009caf566d4309832531c532d9eaf5c28b5b1657acf54c471209
f19a4c4d5dd4120eb5871a858dc7c3042f9e34e20d755602f80bfba034c34ee4
29c3845ba540fbe8288c0d4c2f4ab65ec9d0ef646f9df8b684a64f5df60bf3ea
46f0d080c21db644ff9917f46065a7b19799b057ef65055404d7b8e576c70c2c
192efbc5cc7eab49c2a435ec3cfb87d3282d184fdf4f56eb999d2f67a37b1b01
1b4c13df4fb9e30a160560541c1fef1e59dd92fe6c3a9d1bc8d118be8148883f
1943e9143d1fdc17a6b8cb864c49b62f9576acfb983cd4cee3b566a22c5a5224
95e4dd6cc5a341f4440a113e0a832175aa2f5baafd9c7483255a18088e1c2764
937dd4fbf60356b9de4aed50c0dca945c517d56920b7742c95689f09b0c6830f
bac4006f6915d642eac0956279f9e30b5e22c81f0a46f9542bc175d84a0de2ee
10934d25ba3bc669cb55dd8482eb10359abc3070a815de0e3430d4a8c1699a40
2c7486c57838043601df73b7173f54599b869dd9b2aec7c49c26ba89cf44a467
5795da812968208e067795465789e438fe7df242795ea1883bb0ea95b22fcef6
35300023c3e0d4490e20cc16e4e35994e73ece38952e9de48cf961814cb3c139
f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5
4bf870740bff823bf828afa76b92547b9c862a08a95d78af51aff49cc2823db7
5674c6bfbaeab5c555aecba94111e912ff485de188fe98f8f24ade761656a670
3da762881f6b7896235df7a2b0744fe8abcc83450cd2fe533b6cb81e4caf0df4
aa29ab3beabcfd1b574182cbcb4d53330ed432fe371a39c38ef59a7b681361d9
a84e1b819b349474639fdedd97713f46afadae4203fb17f98954a1471cccfb74
350d74b5253acdc5472d50c85a9f2d380df768ac78b5cb14fff5324ead9c3e4d
2f765d29605f09ea8a3a21d06d403d9cf1764a6f38686131a289b99df05ad41c
7d935526979defff85b919891f551e05cd6bdb2e0d5b5f00ffd5d41a15eb34db
7a20c60af930a16bf38bcb27f7c02306235964d700392b96a52dd678a6977547
cabe68cea0baf0730ad2f1af8d89c78edfbf87678cab7658a5c099ceed7177b7
2320bdd2ef439c3c079ecf8c1c89ff9e8d2c20ed47f459c29186b00c476fa7d4
164f67a3195f9de86de5b14e88b22a3539c6c1abcabf2b67f0962fccc4dc6baa
742d5abe0d2712d207d02d22982ec5d84e3ac77e07e70c6e6c6720a147a16d89
b2e2738e3a2c2553a1318c454330948cf4c14f2f1b07b64e4a0689aefb4c4c88
b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da
19cfd625d4d50e2104dd254bb8596a316dbe8dbbba51d92dd77f4c92e89c9aa5
888714e20e0e1ea31a87ed8e975ea7dae65744d65870a52336146f40b2b07433
4e8077f0dbb336a020e8491806b49acc65f8a3e2b0c2e0481a6de1a41d8fbeee
bb5cc83f857d7ad7c07ff81596565db4238a065a4a63382b70aafb0a7327c4ca
faa61845650ddc7b18bb40f45cbc8e52bdf797218fd70554b876929b52f03706
f79b4aa8fe09fd0fede13a84ee404f9fb27d5440d130cded2704799e138d03b3
615f457d36ad1da20bd802ff15975732d9ebe71f5b4d540ef19c5ca3135fd863
e2b36a25345950bf0052a95107b9bef29b2ca3cb904685a98b5779041535fda9
d3664b1a15f1e037188acd5e5b01c6ce160a1322d40f48593917632dc4404455
5087e1fc9eae1748862d5cd3075b13eebb5a8983d637695e4e28835fef0c5f23
5ad07d5c373f4ddbf435b4e8a310bbf9a4c88faf481185392e2176b557f9f61f
17b618d190771925404e47f7a84ff19852d7cc2b6743d4b958fe8cbeed7d2d7d
07c8420481e7f1c8332243b68612c5fc03db49ad03e9b86baa21c9474ce31f51
9942af44037bcfef5830dd71011bbd6ecc4c79c8bc1e62018eadc3ea4012e38a
e5484106fb6fd4e1e9bd2d68a4a85758d6633e7732d0bc467b5e3deccb5cf854
dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
61d36494c0c51a0c0a1fcad1f36c901a6debcc3c0061f2544a01c65c688e5c03
923a51c8fc40e0e02a4ca807ed7cd5042f1e59e52abea20c44bf88f7f7b78d6e
f0e269e83b71ba4647b2359703852475faa1288d44f0e3059c84f1c9b4037f07
0f3ef87a67bdf65c62ff5ef448fee9582964febb2732d9e21e6143f7dbc84660
f5d0cc0b20705f516fd4b613c5e10473dd6a49aff8f9a03db004e6e8b80f46d2
44ba13a119d19891a586d95310d8a51e9440fe2c1659b397d5795ecab37e3eeb
d97ec62704f6714c0100506510fda9b8326814aa18612e666b98a343572d54d9
64c3f8bf923b9869c7b0f2a77eb1b1db64eae1caec23fa0da3da85c2c885b139
7c8478fb4eeb0df6b009fddde2500e6158f76a6873f9be75e108348d0e22ae86
3599cd13875aebeea6d2cf9ec7aca467830f6d4c43efe5a1598a01f4128a0699
9681f60064bcf9cb185d49d8fc355fa75daef418188f0a20db66a96884f14733
bb1b31f63c63a642be94f71d4dbab8c30c498662ee4269722aca9448eb264d94
79d0926744b84fc30f2a528b4aa64b2aa015001616f7062f15695fa00de45081
1a38e29dff73f042b8abb0ed1398a37eefa8fe3f6030e27a9a22b8964263b146
a18411c60fb9f8f02d82b6d74662d7bef6798ba8119c9072b6c25ab29887f906
546569a42f00553d7fda79e6961779afadd95ea8e6a8738ef344275f2b642244
449b2930259030577c8ac1061e4fd12e815b06597f8a55becf318efd44eac323
20945b59d313100bc7b56644fa3f3f71bb240ef74b3642023b5dd6691afdf271
a8c3823229eea7d77b5f4a95176e9164ea666e7223ef94307973af7995c7764f
606533cae2be7f3b4d1be9445b36085b735b6d82bedbc96d966e00550b4fa61c
7f4177260e014e46d3b9f927cd11d0f4549c12ea800a57334ace23cf5078028a
dadafd098dc94e3706b0e84b36042b4dced32a372c4b086d85df4a23943b88ac
083f671bdfa7b080edff7dc531e68b5179f0adf3109bc5509952209d4c6bffd1
f2194f68330c38cf073cdcff1f0d7bd161f3169fb720b60b72f61ce39ab4cf7c
3daa5c6bbea7f9de6cce94ce7664835c83eca9706e5391c9d39f88d26d46586a
854c01469e87acd6814de7e8527418b7e649b451e8762449f69f6c3f3fa19811
5602699fa7f27b000e926dbc3116c5a4bb82c1b3502f82de9795769cbde9c324
b24af55a71d595d3a9d7ce6acf57771f80719d4c3ca6e4520a9dc65dc56b7524
bbebe5eaba75c33d56298f63487b7936c76c326abd782eb9ebe080a6b04561db
c26e9eac394686d44678f45fcd165d5dec4371f30e21509d7fc660e2469af921
ef0ccac9438fae7da22f200c1f041d05cc158b4e15303d38e7e5c713f45bd40b
9bb05db4d1636e0b6490266805f2293b9f968ec824ce67473f19e7d96af9f7cf
94b53c7dccd001b16198911a89943051770b4345ad19b437a1817c6816707ebc
acfcbd1c5515548f5c2c3819f718f834062fe1d69cc6979b245b9724aad85839
0895613dd4462d19ca353caea2efdf89d0fb8f1918e73d1ac74ec8a5fbfb827b
8e0820ff70c60d33f688098a454e4cbcaf04bafd4c2489be8bd91132b963ee63
SH256 hash:
eec85e738e3365c322d0f4372e448b666c8fd0754fd024b8781a3a8b69cad09f
MD5 hash:
7ec6c7cb795b09197580ae8c5c292537
SHA1 hash:
38975c3594a4d7a61b1d52b59f01a0db025f2ca5
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/1d3ceb62-1e86-47d2-98f5-d71394e7a411/
Parent samples :
6aca2f44a1662c235d42bcaefaf34e0f841b34c620a77e3358156e910e5a7651
73b33d80db78b966ca0df11be61989bafd0553165564a45959fcbe570595f68d
84b5e1b2883149321ba59ca2179d8ee2190a5d335cb6f15c5c4285dff78acefa
81a7838ccb236673b22b689c771c82c6f3f28500b7e473a1f2c32635f885e98d
900d537d757fdc15a522d6643dc9071294fa5b30ecdf0807fe3fcd0f9680ce40
a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334
SH256 hash:
a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334
MD5 hash:
1f9a193b3cfe27fee5998d3bbb3631ec
SHA1 hash:
d20a2ef2183a5be7d72a472685f1a511f541aeb9
Link:
https://www.unpac.me/results/1d3ceb62-1e86-47d2-98f5-d71394e7a411/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a245fd4c1bd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a245fd4c1bd3a3f93749c7e8f7165ce7873d32e3cd7185f18019355b8f393334

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments