Analysis

  • max time network
    152s
  • platform
    macos_amd64
  • resource
    macos
  • submitted
    24-06-2021 12:53

General

  • Target

    GravityRAT.macho

  • Size

    16.4MB

  • MD5

    296c1e8f4d8c997ca410a5d9b33e62ca

  • SHA1

    086b22075d464b327a2bcbf8b66736560a215347

  • SHA256

    70454f1794ee4626a9d70f58aa570bca14da1c40432a2dd1bec5f51b0efcc13f

  • SHA512

    e779f1d48f90eea1400b97ddb14364129abcd4881d84ccc807f0c8585263bd57e0b102456d3ee6d68adbea6221cc0956baabc851bd649ca35d06861f89a1f2fe

Score
10/10

Malware Config

Signatures

Processes (note: the sample was launched through `sudo`, so every process below ran with root privileges; behaviour on an unprivileged user account may differ. The repeated `ioreg -c IOPlatformExpertDevice | awk` pipelines read product-name, board-id, manufacturer and model — host hardware fingerprinting, consistent with an environment/VM check — and `ls ~/Library/Safari` enumerates the Safari profile directory.)

  • /bin/sh
    sh -c "sudo /Users/run/GravityRAT.macho"
    1⤵
      PID:482
    • /bin/bash
      sh -c "sudo /Users/run/GravityRAT.macho"
      1⤵
        PID:482
      • /usr/bin/sudo
        sudo /Users/run/GravityRAT.macho
        1⤵
          PID:482
          • /Users/run/GravityRAT.macho
            /Users/run/GravityRAT.macho
            2⤵
              PID:488
              • /Users/run/GravityRAT.macho
                /Users/run/GravityRAT.macho
                3⤵
                  PID:492
            • /bin/sh
              sh -c "uname -p 2> /dev/null"
              1⤵
                PID:494
              • /bin/bash
                sh -c "uname -p 2> /dev/null"
                1⤵
                  PID:494
                  • /usr/bin/uname
                    uname -p
                    2⤵
                      PID:495
                  • /bin/sh
                    sh -c "ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\\" '/product-name/{print \$(NF-1)}'"
                    1⤵
                      PID:496
                    • /bin/bash
                      sh -c "ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\\" '/product-name/{print \$(NF-1)}'"
                      1⤵
                        PID:496
                        • /usr/sbin/ioreg
                          ioreg -c IOPlatformExpertDevice -d 2
                          2⤵
                            PID:497
                          • /usr/bin/awk
                            awk "-F\"" "/product-name/{print \$(NF-1)}"
                            2⤵
                              PID:498
                          • /bin/sh
                            sh -c "ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\\" '/board-id/{print \$(NF-1)}'"
                            1⤵
                              PID:499
                            • /bin/bash
                              sh -c "ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\\" '/board-id/{print \$(NF-1)}'"
                              1⤵
                                PID:499
                                • /usr/sbin/ioreg
                                  ioreg -c IOPlatformExpertDevice -d 2
                                  2⤵
                                    PID:500
                                  • /usr/bin/awk
                                    awk "-F\"" "/board-id/{print \$(NF-1)}"
                                    2⤵
                                      PID:501
                                  • /bin/sh
                                    sh -c "ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\\" '/manufacturer/{print \$(NF-1)}'"
                                    1⤵
                                      PID:502
                                    • /bin/bash
                                      sh -c "ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\\" '/manufacturer/{print \$(NF-1)}'"
                                      1⤵
                                        PID:502
                                        • /usr/bin/awk
                                          awk "-F\"" "/manufacturer/{print \$(NF-1)}"
                                          2⤵
                                            PID:504
                                          • /usr/sbin/ioreg
                                            ioreg -c IOPlatformExpertDevice -d 2
                                            2⤵
                                              PID:503
                                          • /bin/sh
                                            sh -c "ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\\" '/model/{print \$(NF-1)}'"
                                            1⤵
                                              PID:505
                                            • /bin/bash
                                              sh -c "ioreg -c IOPlatformExpertDevice -d 2 | awk -F\\\" '/model/{print \$(NF-1)}'"
                                              1⤵
                                                PID:505
                                                • /usr/sbin/ioreg
                                                  ioreg -c IOPlatformExpertDevice -d 2
                                                  2⤵
                                                    PID:506
                                                  • /usr/bin/awk
                                                    awk "-F\"" "/model/{print \$(NF-1)}"
                                                    2⤵
                                                      PID:507
                                                  • /bin/sh
                                                    sh -c "ls ~/Library/Safari"
                                                    1⤵
                                                      PID:508
                                                    • /bin/bash
                                                      sh -c "ls ~/Library/Safari"
                                                      1⤵
                                                        PID:508
                                                      • /bin/ls
                                                        ls /Users/run/Library/Safari
                                                        1⤵
                                                          PID:508

                                                        Network

                                                        MITRE ATT&CK Matrix


                                                        Downloads

• /private/var/enigma/tidb.sqlite3-journal (0-byte file: the MD5/SHA1/SHA256/SHA512 values below are the well-known empty-input digests, so they are not usable as indicators; the path itself is the only useful artifact here)
                                                          MD5

                                                          d41d8cd98f00b204e9800998ecf8427e

                                                          SHA1

                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                          SHA256

                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                          SHA512

                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e