Massive New AdLoad Campaign Goes Entirely Undetected By Apple’s XProtect

Executive Summary

  • AdLoad is one of several widespread adware and bundleware loaders currently afflicting macOS.
  • In late 2019, SentinelLabs described how AdLoad was continuing to adapt and evade detection.
  • This year we have seen over 150 unique samples that are part of a new campaign that remain undetected by Apple’s on-device malware scanner.
  • Some of these samples are also known to have been blessed by Apple’s notarization service.
  • We describe the infection pattern and detail the indicators of compromise for the first time.

Introduction

AdLoad is one of several widespread adware and bundleware loaders currently afflicting macOS. AdLoad is certainly no newcomer to the macOS malware party. In late 2019, SentinelLabs described how AdLoad was continuing to adapt and evade detection, and this year we have seen another iteration that continues to impact Mac users who rely solely on Apple’s built-in security control XProtect for malware detection.

In this post, we detail one of several new AdLoad campaigns we are currently tracking that remain undetected by Apple’s macOS malware scanner. We describe the infection pattern and indicators of compromise for the first time and hope this information will help others to detect and remove this threat.

AdLoad | Staying One Step Ahead of Apple

AdLoad has been around since at least 2017, and when we previously reported on it in 2019, Apple had some partial protection against its earlier variants. Alas, at that time the 2019 variant was undetected by XProtect.

As of today, however, XProtect arguably has around 11 different signatures for AdLoad (it is ‘arguable’ because Apple uses non-industry standard names for its signature rules). As best as we can map Apple’s rule names to common vendor names, the following XProtect rules all appear to be partially or wholly related to AdLoad variants:

Signatures for AdLoad variants in XProtect

The good news for those without additional security protection is that the previous variant we reported in 2019 is now detected by XProtect, via rule 22d71e9.

An earlier AdLoad variant reported by SentinelLabs is now detected by XProtect

The bad news is the variant used in this new campaign is undetected by any of those rules. Let’s see what’s changed.

AdLoad 2021 Campaign | ‘System’ and ‘Service’

Both the 2019 and 2021 variants of AdLoad used persistence and executable names that followed a consistent pattern. In 2019, that pattern included some combination of the words “Search”, “Result” and “Daemon”, as in the example shown above: “ElementarySignalSearchDaemon”. Many other examples can be found here.

The 2021 variant uses a different pattern that primarily relies on a file extension that is either .system or .service. Which file extension is used depends on the location of the dropped persistence file and executable as described below, but typically both .system and .service files will be found on the same infected device if the user gave privileges to the installer.

With or without privileges, AdLoad will install a persistence agent in the user’s Library LaunchAgents folder with patterns such as:

~/Library/LaunchAgents/com.ActivityInput.service
~/Library/LaunchAgents/com.AnalyzerWindow.service
~/Library/LaunchAgents/com.AssistiveFile.service
~/Library/LaunchAgents/com.BoostConsole.service
~/Library/LaunchAgents/com.DefaultTool.service
~/Library/LaunchAgents/com.ElementaryType.service
~/Library/LaunchAgents/com.ExtendedSprint.service
~/Library/LaunchAgents/com.SwitcherGuard.service

To date, we have found around 50 unique label patterns, with each one having both a .service and a .system version. Based on our previous understanding of AdLoad, we expect there to be many more.

When the user logs in, the AdLoad persistence agent will execute a binary hidden in the same user’s ~/Library/Application Support/ folder. That binary follows another deterministic pattern, whereby the child folder in Application Support is prepended with a period and a random string of digits. Within that directory is another directory called /Services/, which in turn contains a minimal application bundle having the same name as the LaunchAgent label. That barebones bundle contains an executable with the same name but without the com. prefix. For example:

~/Library/Application Support/.3276169528277499560/Services/com.SwitcherGuard.service/SwitcherGuard.service

Indicators of compromise in the User’s Library Application Support folder

A hidden tracker file called .logg and containing only a UUID string is also dropped in the Application Support folder. Despite the location, if the dropper has also been granted privileges, then the tracker file is owned by root rather than the user.

The hidden tracker file in the User’s Library Application Support folder

Further, assuming the user supplied admin privileges as requested by the installer, another persistence mechanism is written to the domain /Library/LaunchDaemons/ folder. This plist file uses the file extension .system, and the corresponding folder in the hidden Application Support folder is also named /System/ instead of /Services/.

Indicators of compromise in the Domain Library Application Support folder

The LaunchDaemon is dropped with one of a number of pre-determined labels that mirrors the label used in the LaunchAgent, such as:

/Library/LaunchDaemons/com.RecordMapper.system
/Library/LaunchDaemons/com.SectionaAssist.system
/Library/LaunchDaemons/com.SectionAssist.system
/Library/LaunchDaemons/com.SectionChannel.system
/Library/LaunchDaemons/com.StandardBoost.system
/Library/LaunchDaemons/com.SwitcherGuard.system
/Library/LaunchDaemons/com.TypeCharacter.system
/Library/LaunchDaemons/com.TypeInitiator.system

The persistence plists themselves pass different arguments to the executables they launch. For the system daemon, the first argument is -t and the second is the plist label. For the user persistence agent, the arguments -s and 6600 are passed to the first and second parameters, respectively.

AdLoad 2021 macOS persistence pattern
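The persistence layout and launchd argument pattern described above can be turned into a simple host check. The following Python is an added example, not code from the original post or from SentinelLabs: it encodes the path patterns as regular expressions (the exact depth of the .logg tracker file is an assumption, so both placements are accepted) and inspects a launchd plist for the -t <label> / -s 6600 arguments. The sample paths and plist are constructed input modelled on the examples in the post.

```python
import plistlib
import re
from typing import Optional
from xml.parsers.expat import ExpatError

HOME = r"/Users/[^/]+"           # "~" expanded to a real home directory
LABEL = r"(?P<label>[A-Za-z]+)"  # AdLoad's CamelCase label, e.g. SwitcherGuard
HIDDEN = r"\.[0-9]{19}"          # hidden 19-digit Application Support folder
APPSUP = "Library/Application Support"

# Path patterns taken from the post's persistence description and IoC section.
PATTERNS = {
    "launch_agent": re.compile(
        rf"^{HOME}/Library/LaunchAgents/com\.{LABEL}\.service\.plist$"),
    "launch_daemon": re.compile(
        rf"^/Library/LaunchDaemons/com\.{LABEL}\.system\.plist$"),
    "agent_executable": re.compile(
        rf"^{HOME}/{APPSUP}/{HIDDEN}/Services/com\.{LABEL}\.service/(?P=label)\.service$"),
    "daemon_executable": re.compile(
        rf"^/{APPSUP}/{HIDDEN}/System/com\.{LABEL}\.system/(?P=label)\.system$"),
    # .logg is in the user's Application Support folder; whether it sits at the
    # top level or inside the hidden folder is an assumption, so accept both.
    "tracker_file": re.compile(rf"^{HOME}/{APPSUP}/(?:{HIDDEN}/)?\.logg$"),
}

def classify_path(path: str) -> Optional[tuple[str, str]]:
    """Return (indicator_kind, label) if path matches an AdLoad 2021 pattern."""
    for kind, rx in PATTERNS.items():
        m = rx.match(path)
        if m:
            return kind, m.groupdict().get("label", "")
    return None

def check_plist_args(plist_bytes: bytes) -> Optional[str]:
    """Verdict if a launchd plist passes the described arguments: the daemon
    gets '-t <plist label>', the user agent gets '-s 6600'. None otherwise."""
    try:
        plist = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return None
    if not isinstance(plist, dict):
        return None
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments", [])
    if label.endswith(".system") and args[1:3] == ["-t", label]:
        return f"daemon pattern (-t {label})"
    if label.endswith(".service") and args[1:3] == ["-s", "6600"]:
        return f"agent pattern (-s 6600) for {label}"
    return None

def scan(paths: list[str]) -> list[tuple[str, str, str]]:
    """Return (path, kind, label) for every path that matches an indicator."""
    return [(p, c[0], c[1]) for p in paths if (c := classify_path(p))]

# Constructed sample paths modelled on the post's examples; not real artefacts.
SAMPLE_PATHS = [
    "/Users/alice/Library/LaunchAgents/com.SwitcherGuard.service.plist",
    "/Users/alice/Library/Application Support/.3276169528277499560/Services/com.SwitcherGuard.service/SwitcherGuard.service",
    "/Users/alice/Library/Application Support/.logg",
    "/Library/LaunchDaemons/com.SwitcherGuard.system.plist",
    "/Library/Application Support/.3276169528277499560/System/com.SwitcherGuard.system/SwitcherGuard.system",
    "/Users/alice/Library/LaunchAgents/com.apple.legit.plist",  # benign, no match
]

# Constructed LaunchDaemon plist following the described '-t <label>' pattern.
SAMPLE_DAEMON_PLIST = plistlib.dumps({
    "Label": "com.SwitcherGuard.system",
    "ProgramArguments": [SAMPLE_PATHS[4], "-t", "com.SwitcherGuard.system"],
})

if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS):
        print(hit)
    print(check_plist_args(SAMPLE_DAEMON_PLIST))
```

On a live host the same functions can be fed the output of a walk over ~/Library, /Library/LaunchDaemons and /Library/Application Support, and the plist bytes of each matching launchd file.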

Interestingly, the droppers for this campaign share the same pattern as Bundlore/Shlayer droppers. They use a fake Player.app mounted in a DMG. Many are signed with a valid signature; in some cases, they have even been known to be notarized.

Like much other adware, AdLoad makes use of a fake Player.app to install malware

Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks. Also typically, we see new samples signed with fresh certificates appearing within a matter of hours and days. Truly, it is a game of whack-a-mole.

The droppers we have seen take the form of a lightly obfuscated Zsh script that decompresses a number of times before finally executing the malware out of the /tmp directory (for a discussion of how to deobfuscate such scripts see here).

The dropper executes a shell script obfuscated several times over

The final payload is not codesigned and isn’t known to the current version of Apple’s XProtect, v2149.

The malware executes out of /tmp/ and is neither codesigned nor known to XProtect

Once infection is complete, the adware pops the following page in the user’s default browser

How New Is This Variant of AdLoad?

In our investigation, we found over 220 samples of this adware variant on VirusTotal, in both packed and unpacked form. At least 150 of these are unique. Interestingly, a lone sample of this variant was documented by analysts at Confiant, who described the malware’s string decryption routine in a post published on June 3rd, 2021. According to these researchers, the sample they observed had been notarized by Apple.

We note that across our corpus, all samples from November 2020 to August 2021 use the same or similar string decryption routine as that described by Confiant. Similarly, the earlier researchers’ sample, “MapperState.system” conforms to the AdLoad naming pattern that we observed and described above. Both these indicators definitively link our findings with theirs.

AdLoad binaries use a great deal of obfuscation, including custom string encryption

Three different samples, all using a similar string encryption routine

Our research showed that samples began to appear at least as early as November 2020, with regular further occurrences across the first half of 2021. However, there appears to have been a sharp uptick throughout July and in particular the early weeks of August 2021.

It certainly seems possible that the malware developers are taking advantage of the gap in XProtect, which itself has not been updated since a few weeks after Confiant’s research over two months ago. At the time of writing, XProtect was last updated to version 2149 around June 15th – 18th.

Version 2149 is the most recent version of Apple’s XProtect as of August 11th

None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of AdLoad rules.

Running XProtect v2149 against 221 known samples shows no detections

However, there is reasonably good detection across a variety of different vendor engines used by VirusTotal for all the same samples that XProtect doesn’t detect.

All the samples are detected by various VT vendor engines

On our test machine, we set the policy of the SentinelOne Agent to “Detect only” in order to allow the malware to execute and observe its behaviour. In the Management console, the behavioral detection is mapped to the relevant MITRE indicators.

Behavioral Indicators from the SentinelOne agent

Since AdLoad is a common adware threat whose behavior of hijacking search engine results and injecting advertisements into web pages has been widely documented in the past, we ended our observation at this juncture.

Conclusion

As Apple itself has noted and we described elsewhere, malware on macOS is a problem that the device manufacturer is struggling to cope with. The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.

As we indicated at the beginning of this post, this is only one campaign related to AdLoad that we are currently tracking. Further publications related to these campaigns are in progress.

Indicators of Compromise

YARA Hunting Rule

private rule Macho
{
	meta:
		description = "private rule to match Mach-O binaries"
	condition:
		uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}

rule adload_2021_system_service
{
	meta:
		description = "rule to catch Adload .system .service variant"
		author = "Phil Stokes, SentinelLabs"
		version = "1.0"
		last_modified = "2021-08-10"
		reference = "https://s1.ai/adload"
	strings:
		$a = { 48 8D 35 ?? ?? 00 00 48 8D 5D B8 BA B8 00 00 00 48 89 DF E8 ?? ?? FB FF 48 8B 43 08 48 2B 03 66 48 0F 6E C0 66 0F 62 05 ?? ?? 00 00 66 0F 5C 05 ?? ?? 00 00 0F 57 C9 66 0F 7C C0 48 8D 7D A0 0F 29 0F F2 0F 59 05 }
	condition:
		Macho and all of them
}

Persistence Filepaths

~/Library/LaunchAgents/com.<label>.service.plist
/Library/LaunchDaemons/com.<label>.system.plist

Executable Paths

~/Library/Application Support/.[0-9]{19}/Services/com.<label>.service/<label>.service
/Library/Application Support/.[0-9]{19}/System/com.<label>.system/<label>.system

Labels

AccessibleTask
ActivityElement
ActivityInput
AnalyzerWindow
AssistiveFile
BoostConsole
BrowserActivity
CleanParameter
CompellingState
ConfigProgress
ConfigType
DefaultTool
DeskProduct
DesktopInput
DominantCommand
DominantPartition
ElementaryType
ElemntState
EssentialDesktop
EssentialType
ExploreActivity
ExploreAnalog
ExploreSync
ExtendedSprint
GeneralObject
GuideRecord
InetImprovment
InitialProgram
InitialSkill
LeadingUpdater
ManagerAnalog
MapperState
OperativeMachine
OperativeUnit
OpticalUpdater
OriginalModule
RecordMapper
SectionAssist
SectionChannel
SkillApplication
SkillFormat
SkilledObject
StandardBoost
SwitcherGuard
TopProcesser
TrustedAnalog
TypeCharacter
TypeInitiator
TypicalProcess
UnitHandler
ValidBoost

MITRE

T1211 Defense Evasion
T1105 Remote File Copy
T1160 Persistence

SHA1 HASHES

.service, .system files

Droppers
8bf1defb2fea1880fdfb98e863276dc4cbb7a3e5
9912549c3a86e2224a5684a3c04d76bdfd2cc0a4
400138e08e0ffa1220ee19a82e5f24dd1b20868d
and
similar-to:1724942eeec7c367238409d06d6c9d39a3477998c124a2a9f6f78c425533af17

Note: Some of these droppers may deliver different payloads.