Protect Against Russia-Ukraine Cyber Activity

New Mirai Variant Targeting Network Security Devices

A conceptual image illustrating a Mirai variant, such as the one discussed in this blog.

This post is also available in: 日本語 (Japanese)

Executive Summary

On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:

  • VisualDoor (a SonicWall SSL-VPN exploit).
  • CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
  • CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
  • Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
  • Three other IoT vulnerabilities yet to be identified.

On Feb. 23, 2021, one of the IPs involved in the attack was updated to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, mere hours after vulnerability details were published. On March 3, 2021, the same samples were served from a third IP address, with the addition of an exploit leveraging CVE-2021-22502. Furthermore, on March 13, an exploit targeting CVE-2020-26919 was also incorporated into the samples.

The attacks are still ongoing at the time of this writing. Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.

Palo Alto Networks Next-Generation Firewall customers with Threat Prevention, WildFire and URL Filtering security subscriptions, as well as AutoFocus can detect and block all the exploit attempts from this kind of malware family.

Vulnerabilities Being Exploited

Five known vulnerabilities and three unknown vulnerabilities were exploited in this attack. Upon successful exploitation, the wget utility is invoked to download a shell script from the malware infrastructure. The shell script then downloads several Mirai binaries compiled for different architectures and executes these downloaded binaries one by one. Vulnerability information is shown in Table 1, below.

ID Vulnerability Description Severity
1 VisualDoor SonicWall SSL-VPN Remote Command Injection Vulnerability Critical
2 CVE-2020-25506 D-Link DNS-320 Firewall Remote Command Execution Vulnerability Critical
3 CVE-2021-27561 and CVE-2021-27562 Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability Critical
4 CVE-2021-22502 Remote Code Execution Vulnerability in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40 Critical
5 CVE-2019-19356 Resembles the Netis WF2419 Wireless Router Remote Code Execution Vulnerability High
6 CVE-2020-26919 Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability Critical
7 Unidentified Remote Command Execution Vulnerability Against an Unknown Target Unknown
8 Unidentified Remote Command Execution Vulnerability Against an Unknown Target Unknown
9 Unknown Vulnerability Vulnerability Used by Moobot in the Past, Although the Exact Target is Still Unknown Unknown

Table 1. List of vulnerabilities.

Exploit Payloads

1. VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

VisualDoor SonicWall SSL-VPN exploit payload.
Figure 1. VisualDoor SonicWall SSL-VPN exploit payload.

The exploit of SonicWall SSL-VPN targets an old version of Bash, which is vulnerable to ShellShock. An attacker can send a crafted Common Gateway Interface (CGI) request to a particular shell script leading to an unauthenticated remote code execution (RCE) vulnerability.

2. CVE-2020-25506: D-Link DNS-320 Firewall Remote Command Execution Vulnerability

D-Link DNS-320 exploit payload.
Figure 2. D-Link DNS-320 exploit payload.

The exploit targets a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.

3. CVE-2021-27561 and CVE-2021-27562: Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability

Yealink Device exploit payload - we observed one of the IPs involved in the attack leveraging CVE-2021-27561 and CVE-2021-27562 to serve a Mirai variant
Figure 3. Yealink Device exploit payload

The exploit works by chaining a pre-auth Server-Side Request Forgery (SSRF) vulnerability and a command injection vulnerability, making it possible to execute commands as root without authentication, simply by sending an HTTPS request to the remote target.

4. CVE-2021-22502: Micro Focus Operation Bridge Reporter (OBR) Remote Code Execution

"Micro Focus Operation Bridge Reporter exploit payload. "
Figure 4. Micro Focus Operation Bridge Reporter exploit payload.

The exploit works due to the unsanitized use of the “username” and “password” parameters in requests made to the LogonResource API. The vulnerability can be exploited to allow unauthenticated RCE as root on the OBR server.

5. CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution Vulnerability

Netis WF2419 exploit payload.
Figure 5. Netis WF2419 exploit payload.

The exploit targets an RCE vulnerability in a diagnostic tool utility. An authenticated attacker can perform command execution via multiple vulnerable parameters such as IP address or domain name.

6. CVE-2020-26919: Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability

Netgear ProSAFE exploit payload.
Figure 6. Netgear ProSAFE exploit payload.

The exploit targets debug web sections and an attacker can execute system commands through it. This is due to lack of proper checks on access controls leading to RCE with administrator privileges.

7. Unidentified vulnerability (lang parameter command injection)

Unidentified vulnerability exploit payload, found in connection with our observations around the delivery of a new Mirai variant.
Figure 7. Unidentified vulnerability exploit payload.

The exploit of an unidentified vulnerability targets a command injection vulnerability in certain components. The component does not successfully sanitize the value of the HTTP parameter lang, which in turn leads to arbitrary command execution.

8. Unidentified vulnerability (key parameter command injection)

Unidentified vulnerability exploit payload, found in connection with our observations around the delivery of a new Mirai variant.
Figure 8. Unidentified vulnerability exploit payload.

The unknown exploit targets the login CGI script, where a key parameter is not properly sanitized leading to a command injection.

9. Unknown vulnerability (op_type parameter command injection)

Unidentified vulnerability exploit payload, found in connection with our observations around the delivery of a new Mirai variant.
Figure 9. Unidentified vulnerability exploit payload.

This exploit targets the op_type parameter, which is not properly sanitized leading to a command injection. It has been observed in the past being used by Moobot, however the exact target is unknown.

Malware Behaviors

Binary Functionality
lolol.sh After deleting some key folders from the target machine (such as ones containing the existing scheduled jobs, as well as startup scripts), this script downloads the “dark” binaries explained below, saves them to a misleadingly named file “nginx” and tries to run each one. Since the “dark” binaries downloaded are each compiled for a different architecture, only the one compatible with the target machine would actually execute.

Following that, it schedules a job that would (supposedly) run every hour to rerun the lolol.sh script. However, the cron configuration is incorrect. This would have been an attempt to ensure the process is re-launched in case it crashes or is killed for some other reason.

Finally, several packet filter rules are created to block incoming traffic directed at commonly used ports like the standard SSH, HTTP and telnet ports, among others. This is probably to make maintenance of and remote access to the affected system more challenging for an administrator.

In one of the two observed versions of the script, it also downloads and runs the “install.sh” script described below.

install.sh This script downloads GoLang v1.9.4 onto the target system and adds it to the system path. In addition, it also installs the GoLang standard SSH package and zmap (a common network-scanning package).

It also downloads the “nbrute” binaries and the “combo.txt” file described below. As was the case for the previous script, the “nbrute” binaries downloaded are each compiled for a different architecture, increasing the probability of compatibility with the target machine.

Finally, zmap is run to scan port 22, and IPs found with port 22 open are sent as input to the nbrute binary.

nbrute.[arch] These binaries are written in GoLang and mainly serve the purpose of brute-forcing the various credentials found in “combo.txt” while initiating an SSH connection with a certain IP.
combo.txt Plain text file containing numerous combinations of credentials (often default credentials on devices).
dark.[arch] These binaries are based on the Mirai codebase, and mainly serve the purpose of propagation – either using the exploits described in the section above, or by brute-forcing SSH connections using some hard-coded credentials in the binary.

The key used for the standard Mirai byte-wise XOR encryption routine is 0xbaadf00d.

Table 2. Malware behaviors.

Conclusion

The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences. We strongly advise customers to apply patches whenever possible.

Palo Alto Networks customers are protected from the aforementioned vulnerabilities by the following products and services:

Indicators of Compromise

Samples

First Seen URL SHA256
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.arm5 60135a7817a0a1734c2e211a8613873548f4611fddc8666890f6a69860c43e61
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.arm6 087fc3206ddb94e80118e7e7f0215c88409a0071b657d21071e15b7917f7cc4e
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.arm7 33f75999a3b4c354b6281399e541b97fd6463c5cd2ab13a538522d72a8870f30
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.m68k 02d48570f1089e2e7f4f9256bb033136c773834af31054e477e094e48cba110e
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.mips 45ff08b1de872379f965d423a0f4e1f2e82f0ea8d101220b83d3aed3b2e7f1c9
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.mpsl 85acead88180809d47524aac87d6f76799e7c0a1729d9614446be73aa8e7d871
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.ppc 0bbdb062ecfae7e1b59084a5e5fe052908ecfdea7db0777a9c318e9e55fdb5ff
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.sh4 77a1f62dc76cc9ee2d924008a0fdcc329396021f027ebe1cfa468f9625c2455b
Mar 13, 2021 02:43 UTC 203[.]159.80.241/bins/dark.x86 8d11635019b077d36ce7de2a3ca9261f126e0ff5808f722fcb967e7cd000be23
Mar 11, 2021 19:22 UTC 203[.]159.80.241/bins/dark.arm7 519b2d04e80c2cb7c000a3c00cb30098df363bd825281b2b7384d964b832df3b
Mar 11, 2021 19:22 UTC 203[.]159.80.241/bins/dark.arm6 7a571f666c8f272cce1ee7ad75520a013bbed800e7d0c80a17804500a3474a13
Mar 11, 2021 19:22 UTC 203[.]159.80.241/bins/dark.arm5 5d7487a5d6febb015a21a98eddffc617cfc06453fe2a7dacac6e1719f56c56fb
Mar 11, 2021 19:22 UTC 203[.]159.80.241/bins/dark.mpsl e9d056afe12210ddf98967e3291127ef9d0d24cbd36862ebc8b0726a565eefb8
Mar 11, 2021 19:22 UTC 203[.]159.80.241/bins/dark.mips 73aaf3ce3e5ea7a598f01d727e8278ff64ff0067fc2f2b22387b09de64c2ff4f
Mar 11, 2021 13:12 UTC 203[.]159.80.241/bins/dark.x86 64f9bc6e925fd2f538c89fd8a8c25d11521b9fcc51c8c5308e9850c990bea04b
Mar 11, 2021 12:59 UTC 203[.]159.80.241/bins/dark.ppc 0c4ec06f32d5f15846239d224d68086cbeaf513b63f0fcafa4eddd8e18a3d372
Mar 11, 2021 12:30 UTC 203[.]159.80.241/bins/dark.sh4 2f590f5af68dd30cdd51de85cb55dd16160ffce16dd326b2ac4c85e0007fca51
Mar 11, 2021 12:30 UTC 203[.]159.80.241/bins/dark.m68k cd59c912b9af910db1880d6fb86cd6cb656477552cf2c2fc82e372bafbe004b8
Mar 5, 2021 14:13 UTC 45[.]133.1.133/bins/dark.ppc 63e66d6f0ddf5fea5b1f71643bdb30f3fff4531c364b6fd1b0e0e0cfe5da833f
Mar 4, 2021 10:19 UTC 45[.]133.1.133/bins/dark.m68k 0a664a74fcc00910170edcd5f548569b40c2c5d58fc5ced1f475dbe938684e17
Mar 4, 2021 10:19 UTC 45[.]133.1.133/bins/dark.mips 05102e5abb23c761426c2c0f19f70f650938ea9e9295ccbb92349513c1d26c63
Mar 4, 2021 10:19 UTC 45[.]133.1.133/bins/dark.mpsl cc996d19c3e9b732b5f61fb7a2ad20a4f9e1fd7e62f484f15c7cc984a32dec01
Mar 4, 2021 10:19 UTC 45[.]133.1.133/bins/dark.sh4 f05225fec1fda7c6405e6961207ee12e198272d352144f516e970829a74093e2
Mar 4, 2021 10:19 UTC 45[.]133.1.133/bins/dark.x86 9aa0ded21b8c21075a6ad24180befc47dbfeb3985a433f1baa6181ec945a19b9
Mar 3, 2021 14:24 UTC 45[.]133.1.133/lolol.sh ecae298b18493bf2366f6081e8215a474cce4554e07a7b2380a7f8e8a3a9a37d
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.arm5 fb940b1049e0e95c03adb7a2750347108cadf6b19ef4149a5103f7625c07c8ec
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.arm6 515dc2fd8819c7fc82395acc4c7fb5b2903982a5f48bc26bc8d0235bc0664d1f
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.arm7 a9c4ea40b08ce4281c2dc9776355186dfc5649f9ec2b36c32fa5540f8d2aef2d
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.m68k ac75cb71c2f052141a238b8f7215d5a0956f7034cf90f231d228ce58254d23ba
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.mips 1e56f8ca44f84eff212805fa061ecb0f6fb8bc9499ff2e541ad3c43fb2f4420a
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.mpsl 1d9496814d35d9e302d7e99339e9730fc81c022bc085c0711b73ebad962cbc2b
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.ppc 971b5a96d84ca0d7dd906b639cd97a04835013be32356d09037cff64516c73bf
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.sh4 e2a6ac516ec8b5dcc76becc26cf992434882d490d8f2c9d7071298dba7a641a2
Mar 3, 2021 14:24 UTC 45[.]133.1.133/bins/dark.x86 a5ca43106a713c4a8e978575b8685889c244501288b9fa7c7dc7f1e8c5ef1291
Feb 26, 2021 13:14 UTC iotlmao[.]xyz/bins/dark.m68k a6cb6356432ca83467f6da2168be2aabbabe5d2f2dd4c01d6c4a93d01a57df53
Feb 26, 2021 13:14 UTC iotlmao[.]xyz/bins/dark.sh4 c686712f9be64e3d2957754ce181e5b4680b205cb6773b85b35df57983ed31cf
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.arm5 8cc6375f2eabe865e8400f27381a513a69e4100748458c3d2c706f3d4002bf1e
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.arm6 4414bf4f41663a6458372bcc4743d6e50bbb2d40c26d71bcb945926c98cd5537
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.arm7 8d0beb4b143dc4a9543b4bc5d7f44a6771a973709aaf8c3a4754d120b99d0afd
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.m68k f9770197d2254e6d5d4cb872b07dc25feb2994d4d5f0b3c854a98f9dfa3c6854
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.mips 74ab77e1069c6fb32925e89563c57f09c842cad0de6ab6b7c9ec2fa44d2641b1
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.mpsl 0039231b2fd5e5a3d86ae3b626d35b8fed7f2887a58e32b480ac82cd82150f7c
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.ppc 9d55aa1d9841be74cdc0c9d0a9fe2f20e0704ea30c721a7b2dcae02675416629
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.sh4 7aa437a562f3a956cf60fce652e6a0fb2d3c7cda0e5312c1a7fa62e177c45906
Feb 24, 2021 15:59 UTC 185[.]239.242.63/bins/dark.x86 8e65d7b16939834e1cd86b36b495924d34f10a8c477b53c9c8e648c804b97c2d
Feb 24, 2021 15:59 UTC 185[.]239.242.63/lolol.sh 5715d9c632c646c856f2775de8e98c00cade29f7bfb6fbe33a5741b01e897521
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.arm 5525b282df49206e76e884ca0f86806ddc97ec08343bab1d9a98f029a2697b08
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.arm5 b82b8957a4397eae1061a74fb7a8014cbbcbe7064d4edf2e0b15233fd2ce8cca
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.arm6 ec9dc19758ba74fb254c69d2b60ae1012b1bd65390e936990e4bd8573bcb83aa
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.arm7 38d8f2d17b3b676f5258a28b6b4093a1c3cdfa0d34d97c80d86686a3cff7ed55
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.m68k b066b1c1d019fc97e3649b99ad10294783b13a12b67d34b9c8500e762c37b7e7
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.mips 904b086dbf3e8f4dd1711d758d54675ce2d6002ff607a72d72d7e3aea612ba7d
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.mpsl 4f6a9d2c775e0ba38189390aa7975973209f8e703d6f974c2ab67c97ad263204
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.ppc c26401490ab9343b023f1f89b39d8d32835a795117ef7d7a129871bc05010dd6
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.sh4 73b35ddbf9784a6f6ebad7f5a1f4965daedc2f92cbb45a9cb76e61c0104bf553
Feb 23, 2021 09:03 UTC 185[.]239.242.63/bins/dark.x86 a925f0486b33f3f05d610d33c5a4b6bb2d5531c89e804e001ec01c4f5c25975e
Feb 23, 2021 09:03 UTC 185[.]239.242.63/lolol.sh 4fe20e73217d0bde39616ebf6f50f0f27882f939537561849f7b17968c5b8e30
Feb 22, 2021 16:30 UTC 37[.]46.150.102/bins/dark.mpsl 6b1bea5f17eb2c16815b8cb87d6e24e707248e5384fc4dd33c86c189657c73ff
Feb 22, 2021 16:30 UTC 37[.]46.150.102/bins/dark.ppc 918395bac079ab747736246b9d84e66921774d3eb95bb47045704624646b1287
Feb 22, 2021 16:30 UTC 37[.]46.150.102/bins/dark.sh4 528179f34ed9a6e69f582c23b3cbb50343164bf0e5995624a8d16f8b0df202e8
Feb 22, 2021 16:30 UTC 37[.]46.150.102/bins/dark.x86 f05d21a5b4b72a761c1540f1400dff7e39f10ac1c8b843ec8986d2e780a7807a
Feb 22, 2021 16:30 UTC 37[.]46.150.102/lolol.sh b3a20c8dfa5adaa8247c4d2097f3cc8423b4e270c9735f616628bf9bde583cbe
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.arm5 2102b6a9f4b6745b0963ac3040945fb351c3d7df5b8e75dbc4ebf587c921998f
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.arm6 bfd14a2f5c26501efb5d4010839b7d0bbc9a639d86ab5d12af663de598f15427
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.arm7 d9f7504b3fe81f5264da5f23bdb7529f6d1dd713e28a92828180787729872a8d
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.m68k 40808fb06796aeb740368b9bc322c12193d1bebb8e5eeddc420a98db6ac82689
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.mips 3c47dceb9b8fbb0d40c3f1efa8ebc8d7dcf82aa0af46c4486ec3fc8ca29a83b2
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.mpsl d31f1fecde01cc37950dc5b5330cd72e8ab1943f251bdfa5990f0d9d3a0a8e8f
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.ppc 5446350c771766589e6d79e8185e10fcc0a6681eb76723b7f26dfef03c9080a5
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.sh4 02f08ccc4a4136c89276135664267e08f1bb6795842a84c06c15478d3c3101e6
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/bins/dark.x86 f467e6335a4a0250a17d61b3d138b31998f3e6669e1fcd1c3648db1b44b55ffa
Feb 22, 2021, 12:32 UTC 185[.]239.242.63/lolol.sh 4fe20e73217d0bde39616ebf6f50f0f27882f939537561849f7b17968c5b8e30
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/brute/combo.txt 6a68acd757fab908b2455c9b5882c25ab4a550121c2badb960b0a514a04a8d3d
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/brute/nbrute.386 baedd59eba62c289dcb722588895eb165f4a1570b3c012efc3dcc60d3bdea521
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/brute/nbrute.amd64 8524826a687491c6bfd161df3e4fb2f537f50ea32834d7710dcf3b788a5ddfc2
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/brute/nbrute.arm 4f69555ab71b49c2c1067f0907eb73b185327b57c566a8311ba9f9e58f4e85a5
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/brute/nbrute.mips a5c2b758da21d7895c7945de8684c9b27370af6c5bf48ce3d94626261982659f
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/brute/nbrute.mipsle b37da8e6afa2b3223b1f8f73e6801cf3fed3c0f114cfb9c134b5f06322a337ca
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.arm5 a447bb67be310702807ff148f53f2b4c64ddba0c37f92caf6acabdfaa9ad6603
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.arm6 b2122c5a9c738d964fa770760db40d6708de377e2e671feccb836054ceda2f47
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.arm7 80cd13bfcc2fc29096abf18525d17766700a6d25a9806e55c7b7de776cba0302
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.m68k 66ea76a427b69f153486f962baff29d4a68393e985c7d88c94d773b25ad4964a
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.mips def1959fae2d8a3dfe606126ceb9d5403deae97a4b4e216dc8e60354980eeac4
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.mpsl 667640d293e4ce2287546fc2e0056ee14f414868bf5b77f72078096c516a9fb0
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.ppc beb0b7178b242f2dba21c3d91abf80e8738847b8086d2a42e9352738c83542b5
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.sh4 554bee9f896a7a013804485894875348ff760b08ff7b0ae14c210e2b37da75f6
Feb 16, 2021, 11:01 UTC 37[.]46.150.102/bins/dark.x86 2a09719254934fe8ee8f200a0a7537d35a293fe1f8d0e396e23374e9b209f273