Analysis
-
max time kernel
202s -
max time network
211s -
platform
macos_amd64 -
resource
macos-20220504-en -
resource tags
arch:amd64 arch:i386 image:macos-20220504-en kernel:19b77a locale:en-us os:macos-10.15-amd64 system -
submitted
16-07-2023 03:48
General
-
Target
7edead477048b47d2ac3abdc4baef12579c3c348
-
Size
124KB
-
MD5
a17bf4533d7ec677a0d4bdae19e41ff2
-
SHA1
7edead477048b47d2ac3abdc4baef12579c3c348
-
SHA256
97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa
-
SHA512
7eb633c3bf9a96629f7e110bc446dc3ec74d4e247818b36ba61f5c630cfbfdce83b9decae085c2a984c58e0f5210a1ce74bd21111b0ffd7724b0d33e96c0c99c
-
SSDEEP
3072:Q8+OzCmILFHKLDWykiGmGtIm5NtrUQhPgOGGO:QBE/ILRxyn8O8NtrUU
Malware Config
Signatures
-
Xloader payload 3 IoCs
Processes:
resource | yara_rule
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l | xloader
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l | xloader
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l | xloader
Processes
-
/bin/sh | sh -c "sudo /bin/zsh -c \"/Users/run/7edead477048b47d2ac3abdc4baef12579c3c348\"" 1⤵
-
/bin/bash | sh -c "sudo /bin/zsh -c \"/Users/run/7edead477048b47d2ac3abdc4baef12579c3c348\"" 1⤵
-
/bin/bash | sh -c "sudo /bin/zsh -c \"/Users/run/7edead477048b47d2ac3abdc4baef12579c3c348\"" 1⤵
-
/usr/sbin/spctl | /usr/sbin/spctl --status 1⤵
-
/usr/bin/sudo | sudo /bin/zsh -c /Users/run/7edead477048b47d2ac3abdc4baef12579c3c348 1⤵
-
/usr/bin/sudo | sudo /bin/zsh -c /Users/run/7edead477048b47d2ac3abdc4baef12579c3c348 1⤵
-
/bin/zsh | /bin/zsh -c /Users/run/7edead477048b47d2ac3abdc4baef12579c3c348 2⤵
-
/bin/zsh | /bin/zsh -c /Users/run/7edead477048b47d2ac3abdc4baef12579c3c348 2⤵
-
/Users/run/7edead477048b47d2ac3abdc4baef12579c3c348 | /Users/run/7edead477048b47d2ac3abdc4baef12579c3c348 2⤵
-
/Users/run/7edead477048b47d2ac3abdc4baef12579c3c348 | /Users/run/7edead477048b47d2ac3abdc4baef12579c3c348 2⤵
-
/usr/sbin/spctl | /usr/sbin/spctl --test-devid-status 1⤵
-
/bin/sh | sh -c /var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l 1⤵
-
/bin/bash | sh -c /var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l 1⤵
-
/bin/bash | sh -c /var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l 1⤵
-
/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l | /var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l 1⤵
-
/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l | /var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l 1⤵
-
/usr/bin/syslog | /usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled" 1⤵
-
/usr/libexec/xpcproxy | xpcproxy com.apple.tailspind 1⤵
-
/usr/libexec/tailspind | /usr/libexec/tailspind 1⤵
-
/usr/libexec/xpcproxy | xpcproxy com.apple.gkreport 1⤵
-
/usr/libexec/gkreport | /usr/libexec/gkreport 1⤵
-
/usr/sbin/spctl | /usr/sbin/spctl --status 2⤵
-
/usr/sbin/spctl | /usr/sbin/spctl --test-devid-status 2⤵
-
/usr/bin/syslog | /usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled" 2⤵
-
/bin/sh | sh -c "security find-generic-password -wa 'Chrome'" 1⤵
-
/bin/bash | sh -c "security find-generic-password -wa 'Chrome'" 1⤵
-
/bin/bash | sh -c "security find-generic-password -wa 'Chrome'" 1⤵
-
/usr/bin/security | security find-generic-password -wa Chrome 1⤵
-
/usr/bin/security | security find-generic-password -wa Chrome 1⤵
-
/usr/libexec/xpcproxy | xpcproxy com.apple.security.agent 1⤵
-
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent | /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent 1⤵
Network
MITRE ATT&CK Matrix
Downloads
-
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/Info.plist
Filesize 783B
MD5 c6c7e7daa145a99afed60ca1cc359e97
SHA1 00aa93c62e72da76408850d242015f71e95cdf96
SHA256 a070fc8a998c6aa52bc2258b32f4241f8d9a3e22f03fe730179292c8cc38f2f7
SHA512 76942411ddbf7b53cbd525218facec6aae5213225215b838ec5c2a72ff61fd127b2dc4416fc3b38d2eff27f1f00315dbc4a580786d2e91113f766a4a79c67e74
-
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/Info.plist
Filesize 783B
MD5 c6c7e7daa145a99afed60ca1cc359e97
SHA1 00aa93c62e72da76408850d242015f71e95cdf96
SHA256 a070fc8a998c6aa52bc2258b32f4241f8d9a3e22f03fe730179292c8cc38f2f7
SHA512 76942411ddbf7b53cbd525218facec6aae5213225215b838ec5c2a72ff61fd127b2dc4416fc3b38d2eff27f1f00315dbc4a580786d2e91113f766a4a79c67e74
-
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/Info.plist
Filesize 783B
MD5 c6c7e7daa145a99afed60ca1cc359e97
SHA1 00aa93c62e72da76408850d242015f71e95cdf96
SHA256 a070fc8a998c6aa52bc2258b32f4241f8d9a3e22f03fe730179292c8cc38f2f7
SHA512 76942411ddbf7b53cbd525218facec6aae5213225215b838ec5c2a72ff61fd127b2dc4416fc3b38d2eff27f1f00315dbc4a580786d2e91113f766a4a79c67e74
-
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l
Filesize 124KB
MD5 a17bf4533d7ec677a0d4bdae19e41ff2
SHA1 7edead477048b47d2ac3abdc4baef12579c3c348
SHA256 97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa
SHA512 7eb633c3bf9a96629f7e110bc446dc3ec74d4e247818b36ba61f5c630cfbfdce83b9decae085c2a984c58e0f5210a1ce74bd21111b0ffd7724b0d33e96c0c99c
-
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l
Filesize 124KB
MD5 a17bf4533d7ec677a0d4bdae19e41ff2
SHA1 7edead477048b47d2ac3abdc4baef12579c3c348
SHA256 97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa
SHA512 7eb633c3bf9a96629f7e110bc446dc3ec74d4e247818b36ba61f5c630cfbfdce83b9decae085c2a984c58e0f5210a1ce74bd21111b0ffd7724b0d33e96c0c99c
-
/private/var/root/.gFehd4BhchMx/Tn8d0l.app/Contents/MacOS/Tn8d0l
Filesize 124KB
MD5 a17bf4533d7ec677a0d4bdae19e41ff2
SHA1 7edead477048b47d2ac3abdc4baef12579c3c348
SHA256 97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa
SHA512 7eb633c3bf9a96629f7e110bc446dc3ec74d4e247818b36ba61f5c630cfbfdce83b9decae085c2a984c58e0f5210a1ce74bd21111b0ffd7724b0d33e96c0c99c