The strange behavior of a simple Windows application caught our attention and sparked ESET's analysis of previously undocumented malware. A contact at the Norwegian HealthCERT, following a question about this from the regional healthcare provider Sykehuspartner, reached out to us asking about DNS queries to domains with the format [0-9a-f]{60}.smoke. There is no .smoke top-level domain, at least as of the time of writing.

The application responsible for that behavior is a very simple Birthday Reminder program. It actually works, but also has interesting features that are not explicitly disclosed to the user. We have seen the Birthday Reminder program download and execute additional components that hook DNS requests in order to inject ads into webpages. We have named this new threat DNSBirthday.

It is also pretty clear that the authors of this malware wrote all of the components and do not simply resell compromised machines. For example, the C&C server is the same for all samples and many of the artefacts in the malware point to a project called RQZTech.

Figure 1. Birthday Reminder interface

Distribution

We have only seen the Birthday Reminder installer downloaded from the following URL:

hxxp://updates.rqztech.com/download?app=BirthdayReminder&aff_id=15124

The aff_id parameter suggests distribution via an affiliate program, but we have been unable to confirm this. It could also be a decoy.

ESET’s telemetry shows this threat is distributed fairly evenly around the globe with a few spikes in some countries such as the US, Spain, Japan and Italy.

Figure 2. Worldwide distribution of DNSBirthday

Technical analysis

DNSBirthday is modular malware with multiple components. It took us some time to understand the whole scheme behind this malware’s operation and put all the pieces of the puzzle together. However, all the components have a few things in common:

  • They communicate with just one C&C server (updates.rqztech.com) using JSON formatted messages over HTTPS.
  • Most of the binaries are statically linked with OpenSSL and libcurl, as well as a JSON library.
  • Most of the component names are prefixed with rqz.
  • PDB paths in components have the form C:\Users\default.default-PC\Documents\Visual Studio 2013\Projects\rqz-[module-name]\Release\rqz-[module-name].pdb

Figure 3. RQZTech homepage as of June 2nd 2017

The authors chose to pin two certificates to prevent Man-In-The-Middle attacks. However, the server also responded to unencrypted HTTP requests, so it was possible to capture network traffic while debugging by changing the URL scheme of these requests to http.

The certificates embedded in the executables are self-signed. The Not-before field shows that they were probably generated on the 16th of April 2016.

We will go into more detail on each component, but first here's an overview of how they are linked together.

Figure 4. Overview of DNSBirthday’s components

Although all of the components are PE executables, only a few are written to disk. The others are loaded and executed in memory using a custom PE loader implementation.

BirthdayReminderSetup.exe

BirthdayReminderSetup.exe is an 18MB NSIS package. This installer first determines whether the system is a 32- or 64-bit version and extracts several files to the specified install folder accordingly.

After this, it achieves persistence by creating the value BirthdayReminder in the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the path to the BRController.exe application. After all, how could it remind you of birthdays if it’s not continuously running? It even has an icon in the system tray notification area.

BRController.exe — rqz-loader

The sole purpose of the component BRController.exe is to decrypt the br.dll.enc file into memory, load it and call rqz_stg1_init, one of its exported functions.

The decryption algorithm used is AES-256-CBC, implemented via a statically linked OpenSSL library.

The decryption key is generated in two steps. First, the SHA-256 hash of the logo.png file is computed. Then a simple XOR routine is applied to the hash. The first byte is XORed with the last and all other bytes are XORed with the first.

The initialization vector (IV) is the first 16 bytes of the key which is then reshuffled by the same XOR routine used for the key.

br.dll — rqz-stg1

We call br.dll the unencrypted form of br.dll.enc. This library acts as the core component of this malware.

First, br.dll creates a mutex Global\Global\RqzSingleInst and then creates a list of callable objects with explicit names such as dlExec, loader or even exfil. These callable objects, when invoked, can perform tasks like downloading executable files, optionally saving them to disk and executing them, or exfiltrating data to the C&C server.

The component retrieves a unique bot identifier hardcoded in the BRController executable by searching for the byte sequence 0xB00B1355 and then reading the 16 following bytes. Then it tries to launch the Birthday Reminder application's graphical user interface and enters a loop to communicate with its C&C server.

The first HTTP POST request made to the server (hxxps://updates.rqztech.com/update_check/) contains some basic information in JSON format inside the data parameter.

Here is a tidied version of the first POST made to C&C server:

{
    "compStatus": [],
    "ver": "1.1.0-x32",
    "osver": "Windows 7 HomeBasic -unknown- x32",
    "uuid": "7cbf93f588f70f6cf514666dfb8d36d34943dd924c7bb7a5372a5ae765de2009",
    "checkinCount": 0
}

This JSON contains the version of the malware (ver, 1.1.0-x32), the version of Windows (osver), the bot identifier (uuid), the number of times the malware tried to contact the server (checkinCount) and an array containing the status of the latest loaded component (compStatus).

The server replies with a JSON array containing a list of parameters to pass to the different components. Although the request looks like a software update mechanism, what we have observed is that it is used to push malicious components to the victims.

The first time the malware contacts the server, the latter replies with the following JSON (payload string is truncated for readability).

Reply from C&C server:

[
    {
        "args": {
            "exit": "0",
            "env": "RQZ_SESSIONID=58a72526b10d8e000aef05d7;",
            "sleepTime": "28800000"
        },
        "component": "callback"
    }, {
        "args": {
            "pname": "rqz_info_gatherer",
            "payload": "+j5kXRAtalG4PNEwXrhX [...] nhG0JfKbF7OzmcE7ULfiwm1Sg=="
        },
        "component": "loader",
        "exec": "1"
    }, {
        "args": {},
        "component": "rqz_info_gatherer",
        "exec": "1"
    }
]

The response from the server shows three actions to be executed in succession. The first sets some environment variables using the callback component.

The loader component is then called in order to decrypt and load the component rqz_info_gatherer in memory. The payload string is a base64-encoded and encrypted DLL (rqz_info_gatherer). The decryption routine is the same as that used to decrypt the br.dll.enc file.

Once loaded, the now-decrypted component is called.

After that, the malware sleeps for 8 hours.

rqz-info-gatherer

This module’s purpose is to collect some information about the machine and to send a report using the exfil component from br.dll.

The exfil component makes an HTTPS POST request to hxxps://updates.rqztech.com/update_report/ with the bot uuid and payload. The payload parameter is a JSON object composed of two elements: data and sha256.

The sha256 string is the hash of the data before it was base64 encoded.

The data string is a base64-encoded JSON containing information about the computer. The following snippet is an example of a decoded report sent to the server (procStat is truncated for readability).

Example report from the rqz-info-gatherer module:

{
  "infoGatherer": {
    "defaultBrowser": "FIREFOX.EXE",
    "firewallEnabled": 1,
    "winBuild": "Windows 7Home Basic - unknown - x32",
    "dirStat": {
      "appData": 275865504,
      "webTemp": 109159833,
      "docu": 1679,
      "desktop": 66397544
    },
    "infoGathererVersion": "1.0.4",
    "procStat": "[System Process],System,smss.exe, [...]firefox.exe,audiodg.exe,",
    "installDate": 0,
    "dotNetVer": "3.5.30729.5420;3.0.30729.5420;2.0.50727.5420",
    "ieVer": "8.0.7601.17514",
    "oemLogo": "0",
    "uptime": 13771487,
    "permCheckSuccess": "1"
  }
}

Most of these fields are pretty self-explanatory. The dirStat object contains the size in bytes of certain folders.

Once sent, the server replies with just danke (German for "thank you") which, interestingly, matches with the country name field in the public certificate.
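The report layout described above can be decoded and integrity-checked when triaging captured traffic. The following is an added example, not code from ESET or from the malware; it assumes the POST body is form-urlencoded and that sha256 is a hex digest, and the names decode_report and build_sample are hypothetical.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs, urlencode


class ReportError(ValueError):
    """The body does not follow the uuid/payload layout described above."""


def decode_report(body: str) -> dict:
    """Decode one captured update_report POST body and verify its hash.

    Assumptions (not stated on the page): the body is form-urlencoded and
    the sha256 value is a hex-encoded digest.
    """
    params = parse_qs(body, keep_blank_values=True)
    try:
        uuid = params["uuid"][0]
        payload = json.loads(params["payload"][0])
        encoded, claimed = payload["data"], str(payload["sha256"])
        raw = base64.b64decode(encoded, validate=True)
        report = json.loads(raw)
        # The single top-level key names the reporting module
        # ("infoGatherer" or "duvel" in the examples on this page).
        module, fields = next(iter(report.items()))
    except (KeyError, TypeError, ValueError, AttributeError, StopIteration) as exc:
        raise ReportError(f"not a well-formed report: {exc!r}") from exc

    result = {
        "uuid": uuid,
        "module": module,
        # The hash covers the data as it was before base64 encoding.
        "hash_ok": hashlib.sha256(raw).hexdigest() == claimed.lower(),
        "fields": fields,
    }
    # procStat is a comma-separated process list with a trailing comma.
    if isinstance(fields, dict) and isinstance(fields.get("procStat"), str):
        result["processes"] = [
            p.strip() for p in fields["procStat"].split(",") if p.strip()
        ]
    return result


def build_sample(report: dict, uuid: str, tamper: bool = False) -> str:
    """Build a constructed POST body in the described layout (test data only)."""
    raw = json.dumps(report).encode()
    digest = hashlib.sha256(raw).hexdigest()
    if tamper:
        # Alter the data after hashing so the integrity check fails.
        raw = raw.replace(b"FIREFOX.EXE", b"CHROME.EXE")
    payload = {"data": base64.b64encode(raw).decode(), "sha256": digest}
    return urlencode({"uuid": uuid, "payload": json.dumps(payload)})


# Constructed sample: a subset of the fields from the example report above.
SAMPLE_REPORT = {
    "infoGatherer": {
        "defaultBrowser": "FIREFOX.EXE",
        "firewallEnabled": 1,
        "infoGathererVersion": "1.0.4",
        "procStat": "[System Process],System,smss.exe,firefox.exe,audiodg.exe,",
        "uptime": 13771487,
    }
}
SAMPLE_UUID = "0" * 64  # placeholder, not a real bot identifier

if __name__ == "__main__":
    for label, tamper in (("intact", False), ("tampered", True)):
        decoded = decode_report(build_sample(SAMPLE_REPORT, SAMPLE_UUID, tamper))
        print(label, decoded["module"], f"hash_ok={decoded['hash_ok']}",
              decoded.get("processes"))
```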

rqz-dnsduvel-ldr

It has been observed that after a certain period of time (one or two weeks), the br.dll component downloads the rqz-dnsduvel-ldr component. duvel is (Old) Dutch and Frisian for “devil” so this probably means “devil DNS”.

This component looks for browser processes such as iexplore.exe, chrome.exe and firefox.exe to inject malicious code inside them.

Once a process is found, the module drops and executes an embedded executable in the %TEMP% folder (GetTempPathA). The name of the file is the process identifier (PID) of the process to inject code into, with the .tmp extension. This means that for every browser process to be injected, a copy of the executable file is dropped in a .TMP file in the temporary folder.

The dropped binary uses the internal name rqz-dnsduvel-ldr-exe and both the PID of the process to be injected and a session identifier are passed to it as parameters.

rqz-dnsduvel-ldr-exe

This component is an injector that uses Reflective DLL injection in order to load a DLL into the address space of another process.

This executable also contains another executable, but unlike the rqz-dnsduvel-ldr module, the embedded binary is encrypted. Once again, the decryption routine is AES-256-CBC but this time the IV and key are hardcoded.

The injector queries the server for a configuration file. The query is done via an HTTPS POST request to:

hxxps://updates.rqztech.com/update_report/?update=fdac34d

The POST parameters are, again, uuid and payload. payload is, again, a JSON object with a data and a sha256 key. The data string is the following base64-encoded JSON where procName is the browser to inject and sessionID is the cookie set by the second command line argument.

Example report from rqz-dnsduvel-ldr-exe:

{
  "duvel": {
    "procName": "chrome.exe",
    "loaderVer": "rqz-dnsduvel-ldr-exe-1.0.4-x64",
    "duvelVer": "rqz-dnsduvel-1.0.3-68c0c5",
    "sessionId": "[...]"
  }
}

The server replies with the following JSON configuration file (blockList array is truncated for readability).

Example configuration for rqz-dnsduvel-ldr-exe:

{
  "duvelDetails": {
    "token": "be1728523f82428fc2016155f6dd65867b01997dc0b1c93097a8b7cc60cb.smoke",
    "dnsServer": "176.31.106.50",
    "blockList": [
      "redirect.viglink.com",
      ...,
      "be1728523f82428fc2016155f6dd65867b01997dc0b1c93097a8b7cc60cb.smoke"
    ]
  }
}

The full configuration with a complete “block list” is available on ESET’s Github.

The blockList array contains approximately 500 domain names that usually host advertisements. The content of this configuration is stored in a memory-backed file mapping named rqzduvel-checkin-payload, created with CreateFileMapping(INVALID_HANDLE_VALUE, …).

The token field contains a domain name that is used by the malware to check whether the DNS server used is the one in the dnsServer field. DNSBirthday queries this domain and checks if the returned address is 127.0.0.1.

The module retrieves the export ReflectiveLoader in the decrypted binary (rqz-dnsduvel), maps the library in the browser’s address space using WriteProcessMemory and calls CreateRemoteThread with the lpStartAddress parameter set at the retrieved export address.

Once injected, the component will inform the C&C server if the injection was successful with a POST request to: hxxps://updates.rqztech.com/moduleapi/

The injection result sent to the C&C server is as follows:

{
    "password" : "74f20fc0a7274",
    "duvel" : {
        "function": "smokeFail",
        "arg" : {
            "smokeUrl" : "be1728523f82428fc2016155f6dd65867b01997dc0b1c93097a8b7cc60cb.smoke",
            "reason" : "1"
        }
    }
}

The reason string can have the following values:

  1. The binary failed to open the victim process
  2. The injection was successful (process still running after 1 minute)
  3. The process has likely crashed and the injection did not succeed

rqz-dnsduvel

rqz-dnsduvel is the final stage and its purpose is to hook DNS resolver functions.

The authors have likely borrowed some code in order to achieve the reflective DLL injection. They have also statically linked the NTHooklib project, which includes the udis86 library. NTHooklib is a library that provides a hooking engine.

The component hooks the following DNS functions:

  • getaddrinfo
  • GetAddrInfoW
  • gethostbyname
  • GetAddrInfoEx

The goal of the hook is to query an alternate DNS server when the query is for a domain name present in the "block list" of the configuration file.

Every time the injected browser needs to resolve one of these domain names, the server set in dnsServer is used (176.31.106.50 here). While we monitored this, the IP address returned from that rogue DNS server was always either 188.214.30.97 or 188.214.30.98, regardless of the queried domain name.

The following code snippet is a loop replacing all the responses from the real getaddrinfo function with the IP address resolved by the rogue server.

Figure 5. getaddrinfo hook function replacing results

Ad injection

As mentioned previously, the domain names in the "block list" are related to advertisements, which leads us to think that the main purpose of this malware is to replace or inject advertisements in webpages.

When queried for any files ending in .js, the server at 188.214.30.97 would always return the same file. The script adds a div element with id greenteainthesahara. Then it makes an HTTP POST request to the URL hxxp://ads.greenteamedia.net/ads and simply evaluates (eval) the response.

The JavaScript we have observed from ads.greenteamedia.net contains code for different browsers and platforms and, interestingly, even for mobile phones. The main purpose of this script is to add an event listener on the page that opens a new browser window with an ad when a click is made.

Figure 6. Malicious div added inside a web page

Here is an example redirection chain we have observed.

  1. hxxp://ads.greenteamedia.net/tracker?id=58b87f2a2a61cf000a11f651&type=Popunder
  2. hxxp://go.oclaserver.com/afu.php?zoneid=788473
  3. hxxp://onclkds.com/afu.php?zoneid=788473
  4. hxxp://onclkds.com/?r=/mb/han&zoneid=788473&pbk2=fd0ac8ee88f5760db27385dc91765d976393347937513284046&auction_id=b322d474-a5bc-4757-bb28-6613427bd3e8&uuid=fffa3dff-f018-412b-95a9-1a9e915fa972&ad_scheme=1&ab=148&rotation_type=2&adparams=bm9qcz0w&x=1698&y=822&sw=1716&sh=927&wx=0&wy=0&ww=1716&wh=887&wiw=1698&wih=822&wfc=0&pl=http://onclkds.com/afu.php?zoneid=788473&drf=&np=0&pt=undefined&nb=1&ng=1&dm

The rest of the chain changes and probably depends on the result of the ad bidding. It sometimes redirects to a drive-by download that could result in even more malware being installed.

Conclusion

The authors of this malware have gone to great lengths just to push unsolicited advertisements.

As shown here, the authors have put a lot of effort into avoiding being detected, by including a PE loader, loading and decrypting components in memory, creating a modular architecture that allows updates and addition of more components, and using a pinned public key to secure their communications.

However, some choices are hard to understand:

  • Newer versions of some components contain the .pdb path, which was not present in older versions
  • Most of the components are not written to disk, but the final stage rqz-dnsduvel-ldr-exe is
  • The component rqz-dnsduvel-ldr-exe uses a hardcoded key and IV instead of deriving them from the hash of the logo.png file.

The modularity of this malware allows for more features that perhaps we haven’t witnessed as yet. It is possible that the operators of this malware send other types of malware such as spyware to chosen victims. Some components could also be in development as we speak.

We have reached out to OVH regarding the C&C server and the rogue DNS server and both have been taken down.

Thanks to Romain Dumont for his help on the analysis and write-up.

Appendixes

Samples analyzed

| Filename | Internal name | Versions analyzed | Debug Timestamp | Main purpose |
| --- | --- | --- | --- | --- |
| BRController.exe | rqz-loader | 1.1.0 x32 & x64 | Sun 02 Oct 2016 16:11:40 | Loader: Decrypts and loads br.dll.enc in memory |
| BRController.exe (debug) | unknown | unknown x32 & x64 | unknown | Loader: Decrypts and loads br.dll.enc in memory |
| br.dll(.enc) | rqz-stg1 | 1.0.4 x32 & x64; 1.1.0 x32 & x64 | unknown; Sun 02 Oct 2016 16:12:07 | Core component: C&C communication; Data exfiltration; Update/Download other components; Download/Exec other modules in memory |
|  | rqz-info-gatherer | 1.0.4 x32 & x64 | Tue 13 Sep 2016 23:25:43 | Module: Gather information about the computer |
|  | rqz-dnsduvel-ldr | 1.0.4 x32 & x64 | Sat 17 Sep 2016 19:55:10 | Module: Drop and execute rqz-dnsduvel-ldr-exe for each browser process |
| %d.tmp | rqz-dnsduvel-ldr-exe | 1.0.3 x32 & x64; 1.0.4 x32 & x64 | Sat 03 Sep 2016 19:02:11; Sat 17 Sep 2016 19:54:36 | Injector: Inject a given process with its embedded dll (rqz-dnsduvel) |
|  | rqz-dnsduvel | 1.0.2-30fa39 x32 & x64; 1.0.3-68c0c5 x32 & x64 | Sat 03 Sep 2016 19:01:51; Sat 17 Sep 2016 19:53:50 | DNS hooker: Hook DNS functions inside a process; Replace IP addresses for some domain names |

IoCs

Registry

  • "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BirthdayReminder"

Mutex

  • Global\Global\RqzSingleInst
  • Global\downloadExec

Hashes

Component SHA-1 ESET Detection name
BirthdayReminderSetup.exe 6a07de60da0962ee952e63ac89ce86d2581f3926 Win32/Adware.DNSBirthday.A
rqz-loader 1.1.0 x32 19041323a4ecd92eb888664e1d2c0b2893419f78 Win32/Adware.DNSBirthday.A
rqz-loader 1.1.0 x64 94c6f2bbad0ce47957d18b53ef1938d846d7576f Win64/Adware.DNSBirthday.B
rqz-stg1 1.1.0 x32 59eb5b5d3171069761a13389a1a7cce12a95e0bd Win32/Adware.DNSBirthday.A
rqz-stg1 1.1.0 x64 f02e0012aedf02f898f1558c827491d7099c1d62 Win64/Adware.DNSBirthday.A
rqz-info-gatherer 1.0.4 x32 8cfbd1f7e4d8c4357766f0f4b84bb08cf2e78c17 Win32/Adware.DNSBirthday.B
rqz-info-gatherer 1.0.4 x64 0f4aeee1a0878eb510229b871e02eb1e1939107e Win64/Adware.DNSBirthday.B
rqz-dnsduvel-ldr 1.0.4 x32 892785875fcdfe4cc672ba1c3fc59bfbf37c7efe Win32/Adware.DNSBirthday.A
rqz-dnsduvel-ldr 1.0.4 x64 5a5174739bbb7881c46112704cbf039f39d98fec Win64/Adware.DNSBirthday.B
rqz-dnsduvel-ldr-exe 1.0.4 x32 cc291be6cbc7b0dc3aa09973d0ed98e363f9083f Win32/Adware.DNSBirthday.A
rqz-dnsduvel-ldr-exe 1.0.4 x64 ce84d96a974e95499fadd3320f851c0b728cd438 Win64/Adware.DNSBirthday.B
rqz-dnsduvel 1.0.3-68c0c5 x32 e6b6fe919cf6c3af0d40594e86da4cf776dbcf9a Win32/Adware.DNSBirthday.B
rqz-dnsduvel 1.0.3-68c0c5 x64 d1085fb7f2c4d1add9244cb8af6d0e25b50d7b14 Win64/Adware.DNSBirthday.B

Because BirthdayReminderSetup.exe and BRController.exe contain a unique bot id, here are ssdeep fuzzy hashes:

Component ssdeep
BirthdayReminderSetup.exe 393216:ZD4b8Ev/xl3OB4fcUx6uj55/Q7COLc1cm+DkC1GWF2jazuIYRCxEfFCqgY9iHtKZ:ZD5EhFOmcUs85/OCOLecm+14OzzY9Fdl
BRController.exe (x86) 24576:0+KpP0PYnsKdFCH6BMKHiBMikwMbSyM52it6YTekcys4e6faNe0M4RzRPxM4TuZR:cfs4F6KHiy7kM4CjlpRPx1TuZ+tgP8K
BRController.exe (x64) 49152:l4+VwASOwGtlqKPb8KHh+3ulMrqkvTiV3ML3OsQXIU6inTe2mEPEB:jCTiVGV+q2mHB

Network

  • Rogue DNS server: 176.31.106.50
  • C&C server: updates.rqztech.com (188.165.205.99)
  • Ad server IP addresses: 188.214.30.97 and 188.214.30.98
  • DNS query to domain matching [0-9a-f]{60}.smoke
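The network indicators above can be applied to resolver logs to separate hosts that only issue the token query from hosts whose queries are actually answered by the rogue server. This is an added example, not part of the original analysis; the five-column log format, the internal addresses and the function names classify and scan are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from this page.
TOKEN_RE = re.compile(r"^[0-9a-f]{60}\.smoke$")
ROGUE_DNS = "176.31.106.50"
AD_SERVERS = {"188.214.30.97", "188.214.30.98"}
TOKEN = "be1728523f82428fc2016155f6dd65867b01997dc0b1c93097a8b7cc60cb.smoke"


def classify(resolver: str, qname: str, answer: str) -> list:
    """Return the DNSBirthday indicators matched by one DNS transaction."""
    reasons = []
    name = qname.lower().rstrip(".")  # DNS names are case-insensitive
    if TOKEN_RE.match(name):
        # The malware expects 127.0.0.1 for its token; that answer means
        # the rogue resolver was reached. Any other answer (for example
        # NXDOMAIN from a legitimate resolver) is only the token query.
        reasons.append("token-confirmed" if answer == "127.0.0.1" else "token-query")
    if resolver == ROGUE_DNS:
        reasons.append("rogue-resolver")
    if answer in AD_SERVERS:
        reasons.append("ad-server-answer")
    return reasons


def scan(lines) -> dict:
    """Group matched indicators per client host.

    Assumed log format (constructed for this example), whitespace separated:
    timestamp client resolver qname answer
    """
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0].startswith("#"):
            continue  # skip comments and malformed lines
        _ts, client, resolver, qname, answer = parts
        hits[client].update(classify(resolver, qname, answer))
    return {client: sorted(reasons) for client, reasons in hits.items() if reasons}


# Constructed sample log; client and internal resolver addresses are made up.
SAMPLE_LOG = f"""\
2017-06-02T10:00:01Z 10.0.0.21 10.0.0.53 {TOKEN} NXDOMAIN
2017-06-02T10:00:02Z 10.0.0.22 176.31.106.50 {TOKEN}. 127.0.0.1
2017-06-02T10:00:03Z 10.0.0.22 176.31.106.50 redirect.viglink.com 188.214.30.97
2017-06-02T10:00:04Z 10.0.0.23 10.0.0.53 www.example.org 192.0.2.10
2017-06-02T10:00:05Z 10.0.0.23 10.0.0.53 abcdef.smoke NXDOMAIN
malformed line
"""

if __name__ == "__main__":
    for client, reasons in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(client, ", ".join(reasons))
```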

SSL certificates

358bb04f6a0bf8ce88d23b2e620ac01b28d307ab80286f6ee2dcc484a6b1a5d0

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d7:f9:78:6e:63:d2:7f:f4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Berlin, CN=rqztech.com
        Validity
            Not Before: Apr 16 11:38:38 2016 GMT
            Not After : Apr 14 11:38:38 2026 GMT
        Subject: C=DE, ST=Berlin, CN=rqztech.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1B:4C:10:58:D0:62:AD:4E:A2:43:C2:9A:81:F3:59:F6:B3:2F:B1:C1
            X509v3 Authority Key Identifier:
                keyid:1B:4C:10:58:D0:62:AD:4E:A2:43:C2:9A:81:F3:59:F6:B3:2F:B1:C1

            X509v3 Basic Constraints:
                CA:TRUE

45cbc80fe0cac8004f862b9eb90b53b57b06299f98e20923185eb08c363d1ec4

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ba:e6:b6:c8:31:b3:b9:e4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Berlin, CN=rqztech.com
        Validity
            Not Before: Apr 16 11:38:38 2016 GMT
            Not After : Apr 11 11:38:38 2036 GMT
        Subject: C=DE, ST=Berlin, CN=rqztech.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                51:2E:D2:C3:93:10:DB:98:C0:D9:7D:9B:51:63:85:2D:B2:68:1F:62
            X509v3 Authority Key Identifier:
                keyid:51:2E:D2:C3:93:10:DB:98:C0:D9:7D:9B:51:63:85:2D:B2:68:1F:62

            X509v3 Basic Constraints:
                CA:TRUE