82b79384462dcb99be25284fd88a55a69f83b029e0854fc6f04bae5a6262d4cb

Analysis

max time kernel
120s
max time network
120s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
23/05/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar
Size

429KB
MD5

f81f991af0573feb57ce426f934178ca
SHA1

d2225575cda170aa3bea9ceec44cf7f74329e37d
SHA256

c64cac9318db65d129772f2f422046d06d6d61fc4c6f3a6326e9a8bea32e8aa7
SHA512

1a49a7a16891d2b4a5c060a785733743f56b84bbda3c137ed69bb03237bd842077867d40bd99fd1b92a87fead580c76f102c75b3be94c212540a4408a915cdb8
SSDEEP

6144:HtSkE65w2iLuabZ1jeBZjyc6XkWhSLbOExpL22Nz3D81u6aTV90c6G/ZkM+:H1Ef2iTbZZeBJyRhubOmpLzD0NsHCGb+

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 4 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
sh -c "sudo /bin/zsh -c \"/Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar\""	Process not Found
sudo /bin/zsh -c /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar	Process not Found
/bin/zsh -c /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar	Process not Found
/Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar\""
1⤵
PID:487

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar\""
1⤵
PID:487

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar
1⤵
PID:487
- /bin/zsh
  /bin/zsh -c /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar
  2⤵
  PID:488
- /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar
  /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/Resources/PRTPLG1.bundle/Contents/Resources/unrar
  2⤵
  PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...