<p><strong>Chinese APT10 Intrusion Activities Target Worldwide Government, Cloud-Computing MSPs and Customer Networks</strong></p>
<p>Bill Schenkelberg, Red Sky Alliance (X-Industry), 2019-01-14. Source: <a href="https://redskyalliance.org/xindustry/chinese-apt10-intrusion-activities-target-worldwide-government-cl">https://redskyalliance.org/xindustry/chinese-apt10-intrusion-activities-target-worldwide-government-cl</a></p>
<div><p><strong>SUMMARY:</strong></p>
<p>Information regarding a group of Chinese APT cyber actors stealing high value information from commercial and governmental victims in the US and abroad was recently collected and analyzed by US federal authorities.  This Chinese APT group is known within private sector reporting as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM.  This group heavily targets managed service providers (MSP) who offer cloud computing services; commercial and governmental clients of MSPs; as well as defense contractors and governmental entities.  APT10 uses various techniques for initial compromise including spear phishing and malware.  After an initial compromise, this group seeks MSP administrative credentials to pivot between MSP cloud networks and customer systems in an effort to steal data and maintain persistence.  This group has also used spear phishing to deliver malicious payloads and compromise victims.<a href="#_ftn1" name="_ftnref1" id="_ftnref1">[1]</a></p>
<p><strong>TECHNICAL DETAILS:</strong></p>
<p>APT10 uses custom tools which should be immediately flagged if detected and given highest priority for enhanced mitigation.  The presence of such tools is typically part of a comprehensive, multifaceted effort to maintain persistent network access and exfiltrate data.  The custom tools used by this group are as follows:</p>
<p>REDLEAVES - The REDLEAVES implant is a remote access Trojan (RAT) that operates largely in memory, with functionality suited to system enumeration and lateral movement within victim networks.  Industry reporting indicates that REDLEAVES may be used in spear phishing campaigns as an intrusion vector.<a href="#_ftn2" name="_ftnref2" id="_ftnref2">[2]</a>  REDLEAVES source code shares commonalities with the TROCHILUS RAT.  Variants of REDLEAVES include the HIMAWARI and LAVENDER malware.  REDLEAVES comprises an executable file (EXE), a custom loader (DLL) and an encoded data file (DAT) containing shellcode and the REDLEAVES DLL.</p>
<p>Upon execution of the EXE file, the custom loader DLL is side-loaded and makes a function call to load and decode an XOR-encoded data file containing (a) stage-one shellcode, (b) stage-two shellcode and (c) the REDLEAVES DLL.  The stage-one shellcode launches “svchost.exe” and process-hollows it with the stage-two shellcode; the stage-two shellcode, in turn, allocates memory in “svchost.exe” to load the REDLEAVES DLL.  After the REDLEAVES DLL runs, the EXE file process terminates.  REDLEAVES can use a named pipe to execute commands in a remote shell or, alternatively, pass instructions through “cmd.exe” to execute commands directly in the command shell.  Basic REDLEAVES functionality includes victim system enumeration, file search/deletion, screenshots and data transmission.  Prior to transmission, REDLEAVES compresses raw data with MiniLZO and encrypts it with RC4.  REDLEAVES communicates with command and control (C2) servers over HTTP/HTTPS or custom TCP protocols on ports 53, 80, 443 and 995.  Although REDLEAVES operates in memory to avoid detection, early versions may not perform anti-forensics; evidence of files copied to or from an infected host may therefore still be present on disk.  If a machine is believed to be infected, examine it for “svchost.exe” processes that do not have “services.exe” as their parent and for “svchost.exe” memory pages mapped as read-write-execute (RWX), and review a forensic memory capture for anomalies commonly associated with malicious processes.</p>
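<p>A triage check for the two host indicators just named (an “svchost.exe” whose parent is not “services.exe”, and RWX pages inside “svchost.exe”), added here as an example and not code from the report or from any vendor tool. It runs over a constructed process list and memory-region list in the shape a Sysmon/EDR export or a memory-forensics process and VAD listing would give; the field names and the loader name “loader.exe” are this example's own.</p>

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")
Region = namedtuple("Region", "pid start protection")

# Constructed sample, not real forensic data. pid 1204 is a normal svchost under
# services.exe; pid 4412 is svchost spawned by a user-level EXE (the loader ->
# hollowed svchost pattern described above) and carries an RWX region; pid 5000
# is svchost whose parent has already exited, as happens when the REDLEAVES EXE
# terminates once the DLL is running.
SAMPLE_PROCS = [
    Proc(4, 0, "System"),
    Proc(612, 4, "wininit.exe"),
    Proc(700, 612, "services.exe"),
    Proc(1204, 700, "svchost.exe"),
    Proc(3344, 1980, "explorer.exe"),
    Proc(3920, 3344, "loader.exe"),  # hypothetical name for the side-loading EXE
    Proc(4412, 3920, "svchost.exe"),
    Proc(5000, 9999, "svchost.exe"),
]
SAMPLE_REGIONS = [
    Region(1204, 0x7FF6A0000000, "PAGE_EXECUTE_READ"),
    Region(4412, 0x20000000, "PAGE_EXECUTE_READWRITE"),
    Region(4412, 0x7FF6B0000000, "PAGE_READWRITE"),
    Region(5000, 0x7FF6C0000000, "PAGE_EXECUTE_READ"),
]

def svchost_parent_findings(procs):
    """{pid: reason} for every svchost.exe not parented by services.exe."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        if p.image.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            findings[p.pid] = f"parent pid {p.ppid} missing (exited?); cannot attribute"
        elif parent.image.lower() != "services.exe":
            findings[p.pid] = f"parent is {parent.image} (pid {parent.pid})"
    return findings

def svchost_rwx_pids(procs, regions):
    """Sorted pids of svchost.exe processes owning a read-write-execute region."""
    svchost = {p.pid for p in procs if p.image.lower() == "svchost.exe"}
    return sorted({r.pid for r in regions
                   if r.pid in svchost and r.protection == "PAGE_EXECUTE_READWRITE"})

def triage(procs, regions):
    """Merge both checks into {pid: [reasons]}; two reasons marks the strongest lead."""
    hits = {pid: [why] for pid, why in svchost_parent_findings(procs).items()}
    for pid in svchost_rwx_pids(procs, regions):
        hits.setdefault(pid, []).append("RWX memory region mapped")
    return hits

if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_PROCS, SAMPLE_REGIONS).items()):
        print(f"svchost.exe pid {pid}: " + "; ".join(reasons))
```

<p>An orphaned svchost.exe is reported separately from a mis-parented one because the parent EXE is expected to have exited; it is a lead for a memory capture, not proof on its own.</p>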
<ul>
<li>Agriculture</li>
<li>Automotive</li>
<li>Defense contractors</li>
<li>Electronics</li>
<li>Energy</li>
<li>Financial</li>
<li>Government</li>
<li>Human Resources</li>
<li>Manufacturing</li>
<li>Medical</li>
<li>Military</li>
<li>Mining</li>
<li>Shipping</li>
<li>Technology services</li>
<li>Telecommunications</li>
</ul>
<p>In addition to and through cloud-computing MSPs, APT10 targets victims in the industry segments listed.  Any activity related to APT10 detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.  Researchers are providing the following information with HIGH confidence:</p>
<p>UPPERCUT/ANEL - UPPERCUT, also known as ANEL, is a backdoor Trojan used in spear phishing campaigns to deploy second-stage payloads such as credential harvesters.  Industry reporting states APT10 deploys UPPERCUT through decoy Word documents containing a malicious Visual Basic macro (VBA).  UPPERCUT is known to exploit CVE-2017-8759 and CVE-2017-1182.  It may be detected by antivirus engines as “TROJ_ANELLDR”, “BKDR_ANELENC”, “APT.Backdoor.Win.UPPERCUT” and/or “FE_APT_Backdoor_Win32_UPPERCUT”.</p>
<p>Installation commences when the victim user enables the Word document macro, resulting in the download of three Privacy Enhanced Mail (PEM) text files.  These PEM files are decoded with “certutil.exe” to produce an EXE, DLL and DAT containing shellcode and the UPPERCUT DLL.  Upon execution of the EXE file, the custom loader DLL is side-loaded and conducts a function call to load and decrypt the shellcode; the shellcode decodes and decompresses the UPPERCUT DLL.  After the UPPERCUT DLL runs in memory, the PEM files are deleted with “esentutle.exe”.  UPPERCUT is known to use Blowfish encryption when communicating with C2 servers.  UPPERCUT communicates with C2 servers through HTTP GET or POST requests.  UPPERCUT initially collects victim computer information, such as hostname and OS version, and then aggregates and encrypts the data into a string embedded within the Uniform Resource Identifier (URI) of HTTP requests.  Upon receiving an initial request, the C2 server will respond with an HTTP status response; if no C2 response is given, UPPERCUT may resend the HTTP request with a “GetLastError” code contained within the Cookie header.  </p>
<p>Subsequent commands and modules between the C2 servers and UPPERCUT are Blowfish encrypted and then embedded within the body of HTTP requests or responses.  Basic functionality includes the ability to execute commands, upload/download files, load executables and take screenshots.</p>
<p>CHCHES - CHCHES, also known as CHINESE CHESS, is a RAT that communicates with C2 servers using HTTP Cookie headers.  Industry reporting indicates that CHCHES may be used in spear phishing campaigns as an initial intrusion vector designed to deploy second-stage payloads.  The CHCHES EXE is known to disguise itself with a Word icon or shortcut, and to use expired or revoked certificates.  CHCHES initially collects the victim computer's hostname, process identifier (PID), current working directory (%TEMP%), screen resolution, and kernel32.dll or explorer.exe version.</p>
<p>This data is aggregated into a string, encrypted, embedded within the Cookie header of an HTTP GET or POST request and beaconed to a C2 server.  The C2 server responds with an HTTP status response containing a unique identifier within the “Set-Cookie” tag.  After a second HTTP GET beacon is sent containing the unique identifier, encrypted and embedded within the Cookie header, the C2 server will transmit modules and commands.  CHCHES modules loaded into memory include the ability to execute commands, upload/download files, load and run DLLs, and encrypt communications using AES.  APT10 also acquires legitimate credentials and uses commonly available tools as part of its effort to maintain persistent network access.  Mitigation efforts should also focus on identifying and removing such access.  Researchers have identified the following specific, but not wholly exclusive, malware and tools previously used by this group:</p>
<p>QUASAR RAT - Please see APPENDIX A and APPENDIX B for technical indicators and indicators of compromise (IOCs) associated with this APT.</p>
<p><strong>RECOMMENDED STEPS FOR INITIAL MITIGATION</strong>:</p>
<p>The following mitigation measures should be taken within the first 72 hours of detection:</p>
<p>Prepare Your Environment for Incident Response</p>
<ul>
<li>Establish out-of-band communications methods for dissemination of intrusion response plans and activities; inform network operations centers (NOCs) and computer emergency response teams (CERTs) according to institutional policy and SOPs</li>
<li>Maintain and actively monitor centralized host and network logging solutions after ensuring all devices have logging enabled and their logs are being aggregated to those centralized solutions</li>
<li>Disable all remote (including remote desktop protocol and virtual private network) access until a password change with two-factor authentication has been completed</li>
<li>Implement full secure socket layer (SSL) / transport layer security (TLS) inspection capability (on perimeter and proxy devices)</li>
<li>Monitor accounts and devices determined to be part of the compromise to prevent reacquisition attempts</li>
<li>Collect forensic images including memory capture of devices determined to be part of the compromise.</li>
</ul>
<p>Implement core mitigations to prevent re-exploitation (within 72 hours)</p>
<ul>
<li>Implement a network-wide password reset with two-factor authentication (preferably with local host access only, no remote changes allowed) to include:
<ul>
<li>All domain accounts (especially high-privileged administrators)</li>
<li>Local accounts</li>
<li>Machine and system accounts</li>
</ul>
</li>
</ul>
<p>Patch all systems for critical vulnerabilities: A patch management process which regularly patches vulnerable software remains a critical component in raising the difficulty of intrusions for cyber operators.  While a few adversaries use zero-day exploits to target victims, many adversaries still target known vulnerabilities for which patches have been released, capitalizing on slow patch processes and risk decisions by network owners not to patch certain vulnerabilities or systems.  A few of these targeted vulnerabilities include the identified CVEs.</p>
<p>While watching for infections from the malware families detailed above, we also recommend ensuring you are patched against older vulnerabilities commonly exploited by cyber operators, such as CVE-2012-0158.  After initial response activities, deploy and properly configure a mitigation toolkit such as Microsoft's Enhanced Mitigation Experience Toolkit (EMET).  EMET employs several mitigation techniques to combat memory-corruption exploitation.  It is recommended that all hosts and servers on the network implement mitigation toolkits.</p>
<ul>
<li>USDHS Cybersecurity and Infrastructure Security Agency Mitigation Guidance: The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has multiple alerts and additional mitigation guidance related to this APT and managed service providers. This information can be found at: <a href="https://www.us-cert.gov/china">https://www.us-cert.gov/china</a></li>
<li>US National Security Agency Cybersecurity: The NSA has Cybersecurity Advisories and Operational Risk Notices (ORNs), guidance, and other cybersecurity advice on their Cybersecurity website. This includes Info Sheet: Cloud Security Basics (August 2018) and Tech Report: NSA/CSS Technical Cyber Threat Framework v2 (November 2018)</li>
</ul>
<p>Additional Source:</p>
<p>Wapack Labs Technical Intelligence Report, #TIR-008-2017 (available upon request)</p>
<p><strong>APPENDIX A – TECHNICAL INDICATORS</strong></p>
<p><strong>(I.) REDLEAVES:</strong></p>
<p>REDLEAVES configuration block structure overview (XOR encoded), fields in order:</p>
<table>
<tr><td><em>C2 Domain/IP</em></td><td><em>Port 995, 80, 53, 443</em></td><td><em>HTTP/HTTPS/TCP</em></td><td><em>GroupID</em></td><td><em>Mutex</em></td><td><em>RC4 encryption key</em></td></tr>
</table>
<ul>
<li>RC4 encryption is used in conjunction with MiniLZO for compression of raw data</li>
<li>known RC4 key: 0x6A6F686E3132333400</li>
</ul>
<p>REDLEAVES C2 communication structure overview (TCP).</p>
<p>Packet_01 (12 bytes):</p>
<table>
<tr><th>Offset 0x0</th><th>Offset 0x4</th><th>Offset 0x8</th></tr>
<tr><td><em>generated 32-bit value</em></td><td><em>FIXED 32-bit value</em></td><td><em>total length of second packet</em></td></tr>
</table>
<p>Packet_02 (12-byte header followed by data):</p>
<table>
<tr><th>Offset 0x0</th><th>Offset 0x4</th><th>Offset 0x8</th><th>Offset 0xC</th></tr>
<tr><td><em>uncompressed data length</em></td><td><em>compressed data length</em></td><td><em>FIXED 32-bit value</em></td><td><em>encrypted &amp; compressed data</em></td></tr>
</table>
<ul>
<li>Packet_02 headers may be XOR encoded with first four bytes of key</li>
</ul>
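<p>A decoder for the TCP framing above, added here as an example and not code from the report or from any vendor tool: it parses Packet_01, checks the announced length against Packet_02, removes the four-byte key XOR from the Packet_02 header, validates the compressed-length field and RC4-decrypts the body with the key listed above. Assumed, because the report does not say: header fields are little-endian, the XOR repeats the first four key bytes over the whole 12-byte header, and the FIXED value (PLACEHOLDER_FIXED in the code) is a placeholder; MiniLZO decompression of the returned payload is left to the reader since it is not in the standard library.</p>

```python
import struct

# RC4 key listed in Appendix A: 0x6A6F686E3132333400 ("john1234" plus a NUL).
KNOWN_RC4_KEY = bytes.fromhex("6A6F686E3132333400")
PLACEHOLDER_FIXED = 0x41424344  # the real FIXED 32-bit value is not in the report

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); symmetric, so it also builds the sample."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_header(header: bytes, key: bytes = KNOWN_RC4_KEY) -> bytes:
    """XOR the 12-byte Packet_02 header with the first four key bytes, repeating
    (assumed; the report only says 'first four bytes of key')."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(header))

def parse_packet_01(pkt: bytes, expected_fixed=None) -> dict:
    """Packet_01: | generated 32-bit | FIXED 32-bit | total length of Packet_02 |."""
    if len(pkt) != 12:
        raise ValueError("Packet_01 must be exactly 12 bytes")
    generated, fixed, pkt2_len = struct.unpack("<III", pkt)  # little-endian assumed
    if expected_fixed is not None and fixed != expected_fixed:
        raise ValueError("Packet_01 FIXED value mismatch")
    return {"generated": generated, "fixed": fixed, "packet2_len": pkt2_len}

def parse_packet_02(pkt: bytes, announced_len: int, key: bytes = KNOWN_RC4_KEY,
                    header_xored: bool = True) -> dict:
    """Packet_02: | uncompressed len | compressed len | FIXED | RC4(MiniLZO(data)) |.
    Returns the RC4-decrypted payload still LZO-compressed (no LZO in the stdlib)."""
    if len(pkt) != announced_len:
        raise ValueError(f"Packet_02 is {len(pkt)} bytes, Packet_01 announced {announced_len}")
    header = xor_header(pkt[:12], key) if header_xored else pkt[:12]
    uncompressed_len, compressed_len, fixed = struct.unpack("<III", header)
    body = pkt[12:]
    if len(body) != compressed_len:
        raise ValueError("compressed-length field does not match body size")
    return {"uncompressed_len": uncompressed_len, "compressed_len": compressed_len,
            "fixed": fixed, "lzo_payload": rc4(key, body)}

def is_wellformed_session(pkt1: bytes, pkt2: bytes) -> bool:
    """True when the two packets parse consistently; a cheap triage filter for captures."""
    try:
        parse_packet_02(pkt2, parse_packet_01(pkt1)["packet2_len"])
        return True
    except ValueError:
        return False

def build_constructed_session(lzo_bytes: bytes, uncompressed_len: int) -> tuple:
    """Constructed sample traffic for this demo, not a real capture."""
    body = rc4(KNOWN_RC4_KEY, lzo_bytes)
    pkt2 = xor_header(struct.pack("<III", uncompressed_len, len(body), PLACEHOLDER_FIXED)) + body
    pkt1 = struct.pack("<III", 0x12345678, PLACEHOLDER_FIXED, len(pkt2))
    return pkt1, pkt2
```

<p>Run over reassembled TCP sessions on ports 53, 80, 443 or 995, is_wellformed_session separates candidate REDLEAVES flows from noise before any payload is decompressed.</p>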
<p>REDLEAVES sample, variant and/or artifact hash values.</p>
<p><strong>(II.) UPPERCUT/ANEL:</strong></p>
<p>UPPERCUT/ANEL C2 communication structure overview.</p>
<p>(1.) HTTP GET Request beacon URI:</p>
<p>GET /<em>page</em>/?<em>encrypted string of victim computer data</em></p>
<p>Structure of URI string (decrypted):</p>
<p>?| <em>generated_string_01</em> |=| <em>data_01</em> |&amp;| <em>generated_string_02</em> |=| <em>data_02</em> |&amp;| <em>. . .</em> |&amp;| <em>generated_string_X</em> |=| <em>data_X</em> |</p>
<ul>
<li>String is Blowfish-encrypted, XOR-encoded and Base64-encoded</li>
<li>Known Blowfish key (ASCII string): “this is the encrypt key”</li>
<li>Known Blowfish key: f12df6984bb65d18e2561bd017df29ee1cf946efa5e510802005aeee9035dd53</li>
</ul>
<p>(2.) C2 HTTP Response:</p>
<p>HTTP/1.1 200 OK</p>
<p><em>. . .</em></p>
<p><em>Body contains Blowfish-encrypted commands and modules</em></p>
<p>UPPERCUT/ANEL sample, variant and/or artifact hash values.</p>
<p>MD5 Hash: 4f83c01e8f7507d23c67ab085bf79e97</p>
<p>MD5 Hash: cca227f70a64e1e7fcf5bccdc6cc25dd</p>
<p>MD5 Hash: f188936d2c8423cf064d6b8160769f21</p>
<p><strong>(III.) CHCHES:</strong></p>
<p>CHCHES C2 communication structure overview.</p>
<p>(1.) HTTP GET Request beacon Cookie:</p>
<p>GET /<em>generated value</em>.htm HTTP/1.1</p>
<p>Cookie: <em>encrypted string of victim computer data</em></p>
<p>Structure of Cookie string (decrypted):</p>
<p>A| <em>hostname</em> |*| <em>PID</em> |?| <em>FIXED value</em> |?| <em>temp folder path</em> | <em>ChChes version</em> |(| <em>screen resolution</em> |)|*| <em>kernel32.dll/explorer.exe version</em> |</p>
<ul>
<li>known fixed value: 3618468394</li>
</ul>
<p>(2.) C2 HTTP Response:</p>
<p>HTTP/1.1 200 OK</p>
<p>Set-cookie: tag= <em>16 byte ID of infected host (middle 16 bytes of MD5 hash value based on hostname * PID)</em></p>
<p>(3.) HTTP GET Request reply:</p>
<p>GET /<em>generated value</em>.htm HTTP/1.1</p>
<p>Cookie: <em>encrypted</em> B| <em>16 byte ID of infected host</em> |</p>
<p>CHCHES sample, variant and/or artifact hash values.</p>
<p><a href="#_ftnref1" name="_ftn1" id="_ftn1">[1]</a> FBI PIN Alert Number AB-000102-MW</p>
<p><a href="#_ftnref2" name="_ftn2" id="_ftn2">[2]</a> Wapack Labs reported on REDLEAVES in 2017 – available upon request: report #TIR-008-2017</p>
</div>