PureLand — A Fake Project Related to the Sandbox Malspam

iamdeadlyz
Mar 7, 2023

On February 27, 2023, an employee of “The Sandbox” was compromised, resulting in malspam being sent that introduced recipients to “PureLand”. It leads to a RedLine Stealer and an unknown stealer for macOS.

https://twitter.com/borgetsebastien/status/1630171946976411649

Let’s take a closer look at this “PureLand”…

A Gitbook version can be read here: https://iamdeadlyz.gitbook.io/malware-research/march-2023/pureland-a-fake-project-related-to-the-sandbox-malspam

Details of “PureLand”

Twitter: https://twitter.com/PureMetaLand (1431291438248210441)
Linktree: https://linktr[.]ee/purelandmetaverse
Gitbook: https://pure-land.gitbook.io/pureland/
OpenSea collection: https://opensea.io/collection/pureland
Discord: https://discord[.]gg/pureland
Medium: https://www.medium.com/@pure-land
PULA ERC20 token: 0xf4FB0e69B3f1322971C813C18B1ffF4dD4872ca3
Domain: thepureland[.]io

Similar to the Cthulhu World findings, the fake project has several alt accounts that show support and lure other users.

Tweets from alt accounts that support the fake project, while the other two are reports from users who were approached by the workers

Also, the real game is called Rune Teller (https://store.steampowered.com/app/1944360/Rune_Teller/), as confirmed by these two users.

Left: https://twitter.com/Marimocha4/status/1630860680399319041 | Right: https://twitter.com/ny4n_nft/status/1631495657004605440

The OpenSea collection has several sales, which were wash trading to mislead people.

Pure Land’s OpenSea collection page and sales activity
Graph of the on-chain activities of the wallets related to the OpenSea wash trading and PULA ERC20 token

The website

Visiting https://thepureland[.]io/ auto-redirects you to https://thepureland[.]io/metaverse/, which shows this landing page.

The landing page of the website

To make it look more realistic with a feeling of game testing, an access code is required to download the file.

A form asking for the access code

There are several access codes with the respective worker and file type.

-2/2/2023 & 2/21/2023- (based on a URLscan result)
100001 - Coder 😎 - Launcher (exe)
220022 - Coder 😎 - Archive (rar)
AWEHKQ - Benji 👑 - Launcher (exe)
ERTHKB - Benji 👑 - Archive (rar)
AOPHKQ - Aizik (сучка) ✨ - Launcher (exe)
ERTHOP - Aizik (сучка) ✨ - Archive (rar)
TUHKQF - Bevads 🧠 - Launcher (exe)
FEKPSD - Bevads 🧠 - Archive (rar)
FSEKQF - H4⚡️ - Launcher (exe)
PDFIDA - H4⚡️ - Archive (rar)
HKEKQF - John 📈 - Launcher (exe)
PDFIHK - John 📈 - Archive (rar)
AFHHKQ - Rio 🏝 - Launcher (exe)
PDTHKB - Rio 🏝 - Archive (rar)
ANMHKQ - Rob 🍀 - Launcher (exe)
PDTHMN - Rob 🍀 - Archive (rar)
WYEKQF - Nongreyd 🤙🏻 - Launcher (exe)
NYFPHU - Nongreyd 🤙🏻 - Archive (rar)
FTDKQF - Amiri 🐼 - Launcher (exe)
YDFIDO - Amiri 🐼 - Archive (rar)
RNTHKQ - Soul 🫡 - Launcher (exe)
ZDJHMN - Soul 🫡 - Archive (rar)
RNTRKZ - Jaiden 🥷 - Launcher (exe)
ZULHMC - Jaiden 🥷 - Archive (rar)
PWCHKA - Asian King🍾 - Launcher (exe)
CQJHMN - Asian King🍾 - Archive (rar)
PNDXKZ - Babbl 🛹 - Launcher (exe)
CUXHMC - Babbl 🛹 - Archive (rar)
ASPHCQ - Kofi 🎲 - Launcher (exe)
EXTHQP - Kofi 🎲 - Archive (rar)
HQPXKZ - Tvizi 🧸 - Launcher (exe)
CUXXKZ - Tvizi 🧸 - Archive (rar)

-3/1/2023- (based on a URLscan result)
Same access codes as above, but the following were added:
SQPXKZ - Flaherty 🦍 - Launcher (exe)
CPXXSZ - Flaherty 🦍 - Archive (rar)
SLPXKZ - Ionbib 🐬 - Launcher (exe)
CKXXSZ - Ionbib 🐬 - Archive (rar)
MUXXKZ - На дознании 🔎 - Билд для мака (pkg)

-3/4/2023 till 3/5/2023-
Same access codes as above with the added workers

-3/6/2023 and as of 3/7/2023-
На дознании 🔎 was removed, and its pkg build was inserted into the current workers' entries with new access codes:
1A00A1 - Coder 😎 - Launcher (exe)
2Q0Q22 - Coder 😎 - Archive (rar)
2Q0Q21 - Coder 😎 - Билд для мака (pkg)
AWEHKQ - Benji 👑 - Launcher (exe)
ERTHKB - Benji 👑 - Archive (rar)
ERTHK1 - Benji 👑 - Билд для мака (pkg)
AOPHKQ - Aizik (сучка) ✨ - Launcher (exe)
ERTHOP - Aizik (сучка) ✨ - Archive (rar)
ERTHO1 - Aizik (сучка) ✨ - Билд для мака (pkg)
TUHKQF - Bevads 🧠 - Launcher (exe)
FEKPSD - Bevads 🧠 - Archive (rar)
FEKPS1 - Bevads 🧠 - Билд для мака (pkg)
FSEKQF - H4⚡️ - Launcher (exe)
PDFIDA - H4⚡️ - Archive (rar)
PDFIDA - H4⚡️ - Билд для мака (pkg)
HKEKQF - John 📈 - Launcher (exe)
PDFIHK - John 📈 - Archive (rar)
PDFIH1 - John 📈 - Билд для мака (pkg)
AFHHKQ - Rio 🏝 - Launcher (exe)
PDTHKB - Rio 🏝 - Archive (rar)
PDTHK1 - Rio 🏝 - Билд для мака (pkg)
ANMHKQ - Rob 🍀 - Launcher (exe)
PDTHMN - Rob 🍀 - Archive (rar)
PDTHM1 - Rob 🍀 - Билд для мака (pkg)
WYEKQF - Nongreyd 🤙🏻 - Launcher (exe)
NYFPHU - Nongreyd 🤙🏻 - Archive (rar)
NYFPH1 - Nongreyd 🤙🏻 - Билд для мака (pkg)
FTDKQF - Amiri 🐼 - Launcher (exe)
YDFIDO - Amiri 🐼 - Archive (rar)
YDFID1 - Amiri 🐼 - Билд для мака (pkg)
RNTHKQ - Soul 🫡 - Launcher (exe)
ZDJHMN - Soul 🫡 - Archive (rar)
ZDJHM1 - Soul 🫡 - Билд для мака (pkg)
RNTRKZ - Jaiden 🥷 - Launcher (exe)
ZULHMC - Jaiden 🥷 - Archive (rar)
ZULHM1 - Jaiden 🥷 - Билд для мака (pkg)
PWCHKA - Asian King🍾 - Launcher (exe)
CQJHMN - Asian King🍾 - Archive (rar)
CQJHM1 - Asian King🍾 - Билд для мака (pkg)
PNDXKZ - Babbl 🛹 - Launcher (exe)
CUXHMC - Babbl 🛹 - Archive (rar)
CUXHM1 - Babbl 🛹 - Билд для мака (pkg)
ASPHCQ - Kofi 🎲 - Launcher (exe)
EXTHQP - Kofi 🎲 - Archive (rar)
EXTHQ1 - Kofi 🎲 - Билд для мака (pkg)
HQPXKZ - Tvizi 🧸 - Launcher (exe)
CUXXKZ - Tvizi 🧸 - Archive (rar)
CUXXK1 - Tvizi 🧸 - Билд для мака (pkg)
SQPXKZ - Flaherty 🦍 - Launcher (exe)
CPXXSZ - Flaherty 🦍 - Archive (rar)
CPXXS1 - Flaherty 🦍 - Билд для мака (pkg)
SLPXKZ - Ionbib 🐬 - Launcher (exe)
CKXXSZ - Ionbib 🐬 - Archive (rar)
CKXXS1 - Ionbib 🐬 - Билд для мака (pkg)

To notify the malicious actors that an access code was entered, a POST request is sent to https://thepureland[.]io/js/send[.]PHP with the following details:

- ip
- country_name
- worker
- file
- deviceInfo
- browser
- version
- platform

The files

There are three Dropbox links that give you:

  • an executable (.exe)
  • an archive (.rar)
  • and an installer package for macOS (.pkg); it is worth mentioning that this was not added before March 1, 2023, based on public scans via URLscan

-2/2/2023- (based on a URLscan result)
https://www.dropbox[.]com/s/mm19o7njoz6hnof/Pure%20Land%20Launcher%20v1.2.exe?dl=1
https://www.dropbox[.]com/s/uoo1asrasxisvcl/Pure%20Land%20Metaverse%20Alpha.rar?dl=1

-2/21/2023- (based on a URLscan result)
Same exe since 2/2/2023
https://www.dropbox[.]com/s/lykqsmwaa1fiyyq/Pure%20Land%20Metaverse%20Alpha.rar?dl=1

-3/1/2023- (based on a URLscan result)
Same exe since 2/2/2023
https://www.dropbox[.]com/s/o72q3itfi18zway/Pure%20Land%20Metaverse%20Alpha.rar?dl=1
https://www.dropbox[.]com/s/3yivn8j36ramnvg/Pure%20Land%20Launcher.pkg?dl=1

-3/3/2023-
Same exe since 2/2/2023
Same rar since 3/1/2023
https://www.dropbox[.]com/s/tmfj1iemicvu6t0/PureLand%20Launcher.pkg?dl=1

-3/4/2023-
https://www.dropbox[.]com/s/6k2o43warkry407/Pure%20Land%20Launcher%20v1.2.exe?dl=1
https://www.dropbox[.]com/s/jyzj2wqlbnbozy3/PureLand%20Metaverse.rar?dl=1
https://www.dropbox[.]com/s/1qo9cozv8srnx2x/PureLand%20Launcher.pkg?dl=1

-3/5/2023-
https://www.dropbox[.]com/s/gjr4w5x6g9m02r1/Pure%20Land%20Launcher%20v1[.]2[.]exe?dl=1
https://www.dropbox[.]com/s/37vvqyjx6qi43ex/PureLand%20Launcher[.]pkg?dl=1

-3/6/2023-
Same exe since 3/5/2023
https://www.dropbox[.]com/s/er04c2iqhnhdgq8/Pure%20Land%20Metaverse%20Alpha[.]rar?dl=1
Same pkg since 3/5/2023

-3/7/2023-
Same exe since 3/5/2023
Same rar since 3/6/2023
Same pkg since 3/5/2023

.exe

Pure Land Launcher v1.2.exe is packed using NSIS (Nullsoft Scriptable Install System).

Detect It Easy results for Pure Land Launcher v1.2.exe

Running the executable file displays the following window

It is a dropper; once the “JOIN GAME” button is clicked, it invokes checkUpdate()

checkUpdate() at index.js of the Electron application
“check-update” invoked by checkUpdate() and other functions at index.js of the Electron application

What happens here is that it retrieves a paste

https://pastebin[.]com/raw/kVdwKAw1

That has only a value of

hxxps[://]github[.]com/PURELANDMETAVERSE/PureLand/raw/main/pureland.7z

Once pureland.7z is downloaded, it uses 7zr.exe and the password “pureland” to extract and get another executable file called pureland.exe.

pureland.7z and the content: pureland.exe

The final executable file is pumped to 688.145872 MB and packed using SmartAssembly. It is a RedLine Stealer malware that connects to the C&C 162.55.188[.]117:48958 with the botnet ID 5pur.

Detect It Easy results of pureland.exe

-3/7/2023 change-

The paste was edited on March 7, 2023, 09:02:48 AM CDT. It now points to

https://www.dropbox[.]com/s/o4qz90bszeogxx0/pureland[.]7z?dl=1

The extracted pumped executable file is the same as the one in commit f973a65a46e8cb0f7b491d5aca81f459eb5b7a12 on the GitHub repo. It is still a RedLine Stealer with the same configuration as above.

Detect It Easy results of pureland.exe — 3/7/2023

.rar

Pure Land Metaverse Alpha.rar can be extracted using the password “pureland2023”. It contains a folder with several files meant to deceive the user into thinking that it holds the game files, along with an executable file: Pure Land Launcher v1.4.exe

Contents of Pure Land Metaverse Alpha.rar | taken before 3/7/2023

The same pumped file was used on the dropper. And yes, it is still RedLine Stealer with the same configuration.

Detect It Easy results of pureland.exe | taken before 3/7/2023

For the 3/7/2023 rar download link, the extracted pumped executable file is the same as the one from the latest change on the paste.

.pkg

This one surprised me; I was not expecting to encounter malware designed for macOS.

PureLand Launcher.pkg is a straightforward unknown stealer. The Mach-O binary’s name is “Installer”.

Detect It Easy results for the Installer Mach-O binary

After installing and running the application, it asked for a password to access the “Chrome Safe Storage”. That alone should be a red flag for the user when trying to run it.

Prompt asking for the user’s password to access the “Chrome Safe Storage”. Ran using tria.ge: https://tria.ge/230303-j6lsmagg34/behavioral1

Based on the network requests, it sends a POST request to the following:

  1. http://193.168.141[.]107:8888/serialinfo
  2. http://193.168.141[.]107:8888/
  3. http://193.168.141[.]107:8888/lastroute

HTTP connections to 193.168.141[.]107:8888

http://193.168.141[.]107:8888/serialinfo is used to exfiltrate the user’s hardware details. The request carries the “Expect: 100-continue” header, which is used to determine whether to send the request body or not. The response is an MD5 hash of the text file name.

Request details to http://193.168.141[.]107:8888/serialinfo

http://193.168.141[.]107:8888/ is used to send the other files that contain the target data. The hexid is now replaced with the MD5 hash that was returned by the /serialinfo request.

For some reason, this part where it exfiltrates the Chrome password doesn’t have the ‘Expect’ header

Request details to http://193.168.141[.]107:8888/ | without the ‘Expect’ header

Then afterward, it has the ‘Expect’ header again

Request details to http://193.168.141[.]107:8888/ | with the ‘Expect’ header

After all of the available target data is exfiltrated, http://193.168.141[.]107:8888/lastroute is used to send the stealer’s configuration, the MD5 hash (which was returned earlier by /serialinfo), and the username of the device. And for some reason again, it doesn’t have the ‘Expect’ header.

Request details to http://193.168.141[.]107:8888/lastroute

The notable details in the traffic are the following:

Expect: 100-continue

papka
hexid
username
userbot = ixcozlabraham
buildname = BigSurApplication
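A detection sketch for the traffic pattern described above, added here as an example and not taken from the original post or the malware: it groups POST requests by client and destination and reports the /serialinfo, /, /lastroute sequence. The log schema, the client addresses, the 198.51.100.7 destination and the assignment of field names to each request are constructed assumptions; only the paths and field names come from the post.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Paths and form-field names reported in the post for the macOS stealer.
STAGE_PATHS = ("/serialinfo", "/", "/lastroute")
FIELD_MARKERS = {"papka", "hexid", "username", "userbot", "buildname"}

# Constructed proxy records (hypothetical schema, documentation-range destination).
SAMPLE_LOG = [
    {"client": "10.0.0.21", "method": "POST",
     "url": "http://198.51.100.7:8888/serialinfo", "fields": ["hexid", "papka"]},
    {"client": "10.0.0.21", "method": "POST",
     "url": "http://198.51.100.7:8888/", "fields": ["hexid", "papka"]},
    {"client": "10.0.0.21", "method": "POST",
     "url": "http://198.51.100.7:8888/lastroute",
     "fields": ["hexid", "username", "userbot", "buildname"]},
    # Benign look-alikes: a generic form post and a GET to a matching path.
    {"client": "10.0.0.35", "method": "POST",
     "url": "http://intranet.example:8888/", "fields": ["username", "comment"]},
    {"client": "10.0.0.40", "method": "GET",
     "url": "http://198.51.100.7:8888/serialinfo", "fields": []},
]

def stage_of(record):
    """Return the exfiltration stage path a record matches, or None."""
    if record["method"].upper() != "POST":
        return None
    path = urlsplit(record["url"]).path or "/"
    if path not in STAGE_PATHS:
        return None
    hits = FIELD_MARKERS & set(record["fields"])
    # "/" is a very common path, so require two marker fields there.
    needed = 2 if path == "/" else 1
    return path if len(hits) >= needed else None

def find_exfil_sessions(records):
    """Group matching requests by (client, destination) and rate each group."""
    seen = defaultdict(list)
    for rec in records:
        stage = stage_of(rec)
        if stage:
            seen[(rec["client"], urlsplit(rec["url"]).netloc)].append(stage)
    findings = []
    for (client, dest), stages in seen.items():
        unique = set(stages)
        if {"/serialinfo", "/lastroute"} <= unique:
            verdict = "full-sequence"
        elif unique & {"/serialinfo", "/lastroute"}:
            verdict = "partial"
        else:
            continue  # only "/" posts: too weak to report on its own
        findings.append({"client": client, "dest": dest,
                         "stages": stages, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in find_exfil_sessions(SAMPLE_LOG):
        print(finding)
```

Matching on paths and field names rather than on the C&C address keeps the rule useful if the server moves.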

What’s papka? Let’s ask ChatGPT…

ChatGPT’s response to what is papka. “The word “papka” is a common noun in several Slavic languages, including Russian, Ukrainian, and Belarusian. In Russian, “papka” (папка) means a folder, binder or portfolio used to store documents or papers.”

Oh, that makes sense. The list that I shared earlier started with only one “worker” for this file, which is “На дознании 🔎” (On inquiry 🔎).

Let’s take a look at the strings to get an idea of what the “Installer” Mach-O does

Detect It Easy strings results for the “Installer” Mach-O

These are the notable function names

demo_exists
postFile
randomString
getTxtsDesktop
getChromeSSPass
createAndSentInfoTxt
searchAtomic
searchZoom
searchExodus
searchPhantom
searchElectrum
searchMetamask
searchTronLink
searchMartianAptos

And targets

/Library/Application Support/Exodus/exodus.wallet/
/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn/
/Library/Application Support/Google/Chrome/Default/Local Extension Settings/bfnaelmomeimhlpmgjnjophhpkkoljpa/
/Library/Application Support/Google/Chrome/Default/Local Extension Settings/ibnejdfjmmkpcnlpebklmnkoeoihofec/
/Library/Application Support/Google/Chrome/Default/Local Extension Settings/efbglgofoippbgcjepnhiblaibcnclgk/
/Library/Application Support/Google/Chrome/Default/Login Data
/Library/Application Support/Google/Chrome/Default/Cookies
/Library/Application Support/atomic/Session Storage/
/Library/Application Support/zoom.us/data/zoomus.enc.db
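The target list above can be turned into an endpoint check, shown here as an added example that is not part of the original post: it flags any process that opens several of these stores without being the application that owns them. The event schema, the sample events, the user name, the owner process names and the threshold are all constructed assumptions; the paths are the ones listed in the post.

```python
from collections import defaultdict

CHROME = "/Library/Application Support/Google/Chrome/Default/"
EXT = CHROME + "Local Extension Settings/"

# Target locations from the post, mapped to (label, processes assumed to own them).
# The owner process names are assumptions for this example; adjust to your fleet.
TARGETS = {
    "/Library/Application Support/Exodus/exodus.wallet/": ("exodus", {"Exodus"}),
    EXT + "nkbihfbeogaeaoehlefnkodbefgpgknn/": ("ext-nkbih", {"Google Chrome"}),
    EXT + "bfnaelmomeimhlpmgjnjophhpkkoljpa/": ("ext-bfnae", {"Google Chrome"}),
    EXT + "ibnejdfjmmkpcnlpebklmnkoeoihofec/": ("ext-ibnej", {"Google Chrome"}),
    EXT + "efbglgofoippbgcjepnhiblaibcnclgk/": ("ext-efbgl", {"Google Chrome"}),
    CHROME + "Login Data": ("chrome-logins", {"Google Chrome"}),
    CHROME + "Cookies": ("chrome-cookies", {"Google Chrome"}),
    "/Library/Application Support/atomic/Session Storage/": ("atomic", {"Atomic Wallet"}),
    "/Library/Application Support/zoom.us/data/zoomus.enc.db": ("zoom", {"zoom.us"}),
}

HOME = "/Users/alice"  # constructed user
# Constructed file-open events (hypothetical schema: process name, path).
SAMPLE_EVENTS = [
    ("Installer", HOME + CHROME + "Login Data"),
    ("Installer", HOME + CHROME + "Cookies"),
    ("Installer", HOME + EXT + "nkbihfbeogaeaoehlefnkodbefgpgknn/000003.log"),
    ("Installer", HOME + "/Library/Application Support/Exodus/exodus.wallet/file.bin"),
    ("Google Chrome", HOME + CHROME + "Login Data"),
    ("Google Chrome", HOME + CHROME + "Cookies"),
    ("backupd", HOME + CHROME + "Cookies"),
    ("Installer", HOME + "/Documents/notes.txt"),
]

def classify(path):
    """Return (label, owners) for the first target contained in path, else None."""
    for target, info in TARGETS.items():
        if target in path:
            return info
    return None

def audit(events, threshold=3):
    """Flag processes that open several distinct stores they do not own."""
    touched = defaultdict(set)
    for process, path in events:
        match = classify(path)
        if match and process not in match[1]:
            touched[process].add(match[0])
    return {proc: sorted(labels) for proc, labels in touched.items()
            if len(labels) >= threshold}

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
```

A single foreign read (the constructed `backupd` event) stays below the threshold, while one process sweeping browser credentials and wallet stores together is reported.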

With no attribution to already named info stealers out there, I noticed something which got me wondering

/.dkdbsqtl/vakkdsr

Perhaps, we can name this as Vakksdr Stealer…

As I’ve already uploaded the sample to MalwareBazaar, Daniel Stinson (shellcromancer) took a look at the sample and created a YARA rule. It is interesting to see that:

  • “/.dkdbsqtl/vakkdsr” is an Electrum path of the malware author
  • The code used to steal Zoom and document files is unused

The PureLand GitHub repository

Since the dropper earlier retrieves the final payload in a GitHub repository, I decided to check it as well.

The “PURELANDMETAVERSE” GitHub account has only one repository, which is named “PureLand”.

Based on the commits, the first was on Jan 26, 2023, 12:03 PM EST

History of commits for the PureLand repository

The past commits have the same C&C for the RedLine Stealer with different botnet IDs, except for a few…

Notable commits

  • b1b9450984be000006f0970c9fe4bf8d439d1dc7 on Jan 26, 2023, 12:06 PM EST
  • 3852dfa400842b440e5700436f2a3eb25dfbee8e on Jan 26, 2023, 3:24 PM EST

Both:

  • have the same file name and type, which is pureland.7z
  • can be accessed using the password “pureland”
  • contain the same pumped executable

Detect It Easy results for the pureland.exe | commit 3852dfa400842b440e5700436f2a3eb25dfbee8e
Detect It Easy results for the pureland.exe | commit b1b9450984be000006f0970c9fe4bf8d439d1dc7 | with the Herobots icon

A victim’s experience

One user who goes by the handle “Pineconebob” fell for this scheme on February 20, 2023.

https://twitter.com/PineconeBob/status/1628322281335427074

Pineconebob was approached by “Satomi See” (2392847329) on Twitter via DM on the original account “bob461” (compromised and changed to “unknown22572294” — 159434882).

The Twitter activity of “Satomi See” (2392847329)

Satomi promised rewards such as “an NFT worth 0.5 ETH, a token, and special roles in the Discord server” in exchange for testing the game.

Messages of “Satomi See” (2392847329)

Based on the access code list that was given earlier, the worker behind this is “Aizik (сучка) ✨”. Pineconebob was given an archive (rar) file; hence the password “pureland2023” was mentioned.

After Pineconebob ran the file, the Twitter account was immediately taken along with the ~3.95326666906377 ETH (~$6,127.05) worth of assets.

Graph of the on-chain activities related to Pineconebob’s stolen assets

It was then laundered on an exchange after a few days. The wallet responsible for laundering has been doing this since January 25, 2023, with another exchange.

IOCs

Samples related to “PureLand” can be retrieved here: https://bazaar.abuse.ch/browse/tag/PureLand/

d1f207efb0f7c011938994d47e8c4b40bc38a112f002281ff08510a6d35d3f59 | Pure Land Launcher v1.2.exe | dropper
30e7e8b04fbdd2e6a0abb502d6308c67fc0c42549f05e89198bd2ac0c719334b | pureland.7z |
6cc3f1d076d8c44fb55dfa11c94936fba23153c72402d0ff83733258e7c425c2 | pureland.7z |
de57a7a49d78ccab0c875e193e5e4949a87e394bda3bb1fe950c724ef78f6f73 | pureland.exe / Pure Land Launcher v1.4.exe |
b9fc13ce9933a6b09f4d458d876b1dffc29d9f07a6d3c986d29c772207043c05 | pureland.exe / Pure Land Launcher v1.4.exe | depumped
48680a6a919a53dfb5eb47a798a9d8135601179630e6308023f30e1f9b13301d | pureland.exe / Pure Land Launcher v1.4.exe | 3-7-2023
08ed972fb6d88ef000b2825e2818810b282507ec90dcc406fa5999f507a71fc8 | pureland.exe / Pure Land Launcher v1.4.exe | depumped 3-7-2023
b933051320a7749c3ca109ecdf4a93e3376e2ba916e0ec9fc9b99e5ce9762669 | Pure Land Metaverse Alpha.rar |
54e7f557a38a4e034e32b36f1311fe0288fa2ad2e1b2434af23a5e0ec4f86e7f | Pure Land Metaverse Alpha.rar | 3-7-2023
92df7deea6b7d758f0c0a60a87c68de90e40fa07b3e261bebe7a5a48541656e5 | PureLand Metaverse.rar |
f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a | pureland.7z | has the Herobots logo | commit b1b9450984be000006f0970c9fe4bf8d439d1dc7
28fd5ed9fb22c273cecc6c79f009d8ecf2358dfc472cde89f8d169b3e1c55a93 | pureland.7z | has the Herobots logo | commit 3852dfa400842b440e5700436f2a3eb25dfbee8e
7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23 | pureland.exe | has the Herobots logo
f4ae47d0f97a500401a1e5a068dbab57dfbd9cdf0ffebae6e730e5cc3226fc2e | pureland.exe | has the Herobots logo - depumped
845ef90acc34abfce89e3e630265f23c03581918d30256c9e3c3d65250464933 | PureLand Launcher.pkg |
82633f6fec78560d657f6eda76d11a57c5747030847b3bc14766cec7d33d42be | Installer - MachO |
24ace87331051d7d2d83bb9a89781847f47b4c00789c19b5385fce94705c3c40 | X86_64-3 MachO |
0b9a3b00302faf3297b60fff0714f2db87245a613dcd9849645bffa7c4a3df9b | ARM64 MachO |


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------


thepureland[.]io | PureLand's domain |
162.55.188[.]117:48958 | C&C of the RedLine Stealer |
167.235.233[.]5:16621 | C&C of the RedLine Stealer |
http://193.168.141[.]107:8888/ | C&C of the unknown stealer for macOS |
http://193.168.141[.]107:8888/serialinfo | C&C of the unknown stealer for macOS |
http://193.168.141[.]107:8888/lastroute | C&C of the unknown stealer for macOS |
https://pastebin[.]com/raw/kVdwKAw1 | Used by the dropper |
https://github[.]com/PURELANDMETAVERSE/PureLand/raw/main/pureland.7z | Used by the dropper |
https://www[.]dropbox[.]com/s/o4qz90bszeogxx0/pureland[.]7z?dl=1 | Used by the dropper |
https://www.dropbox[.]com/s/mm19o7njoz6hnof/Pure%20Land%20Launcher%20v1.2.exe?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/uoo1asrasxisvcl/Pure%20Land%20Metaverse%20Alpha.rar?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/lykqsmwaa1fiyyq/Pure%20Land%20Metaverse%20Alpha.rar?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/o72q3itfi18zway/Pure%20Land%20Metaverse%20Alpha.rar?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/3yivn8j36ramnvg/Pure%20Land%20Launcher.pkg?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/tmfj1iemicvu6t0/PureLand%20Launcher.pkg?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/6k2o43warkry407/Pure%20Land%20Launcher%20v1.2.exe?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/jyzj2wqlbnbozy3/PureLand%20Metaverse.rar?dl=1 | Used on PureLand's domain |
https://www.dropbox[.]com/s/1qo9cozv8srnx2x/PureLand%20Launcher.pkg?dl=1 | Used on PureLand's domain |
https://www[.]dropbox[.]com/s/gjr4w5x6g9m02r1/Pure%20Land%20Launcher%20v1[.]2[.]exe?dl=1 | Used on PureLand's domain |
https://www[.]dropbox[.]com/s/37vvqyjx6qi43ex/PureLand%20Launcher[.]pkg?dl=1 | Used on PureLand's domain |
https://www[.]dropbox[.]com/s/er04c2iqhnhdgq8/Pure%20Land%20Metaverse%20Alpha[.]rar?dl=1 | Used on PureLand's domain |


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------


0xf306b067d9134564834b462155a5aafeb92e31db | related to Pineconebob's stolen assets
0x865ad78e7ef4193620946e0f23f2d63e3de80c22 | related to Pineconebob's stolen assets
0xb06cfd307e722aef7f6b7fff2e55d84f83631e34 | related to Pineconebob's stolen assets
0xc545efe5ef145ccddfba81a7accacf163e405aa4 | related to Pineconebob's stolen assets
0x9ce0daa2e8ef74c229f93362557ff2b922f45104 | related to Pineconebob's stolen assets
