Malware Analysis Report

2025-03-15 06:40

Sample ID 250111-x43v1swrhz
Target 32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.zip
SHA256 de405e80d59503bf1ac724e65aea61f0c6849311338fa120c9a01354228d0ef9
Tags
paydaytry remcos evasion execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de405e80d59503bf1ac724e65aea61f0c6849311338fa120c9a01354228d0ef9

Threat Level: Known bad

The file 32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.zip was found to be: Known bad.

Malicious Activity Summary

paydaytry remcos evasion execution

Remcos family

JavaScript

Resource Forking

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-11 19:25

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-11 19:25

Reported

2025-01-11 19:27

Platform

macos-20241106-en

Max time kernel

92s

Max time network

88s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"]

Signatures

JavaScript

execution
Description Indicator Process Target
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper N/A N/A
N/A /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe]

/bin/zsh

[/bin/zsh -c /Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe]

/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe

[/Users/run/32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.JarLauncher.2128]

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher

[/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -jar /Users/run/tmp/hello.jar]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PerformanceAnalysis.animationperfd]

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd

[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2028]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.4709AF76-6CE6-46D2-A32A-F943EE928724 509]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.A26C9200-2E37-4DCA-A657-F832D7921F88 509]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SearchHelper 509]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.41A69C53-F8C9-4037-AE24-0B730E1422DD 509]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.D74ABA28-78B1-4B07-8AAD-975396DCFEA3 509]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.B9F8B33D-D99B-440A-8791-2DE294B96F80 509]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.FF6D06C4-1C37-48A7-842C-7B2B0BD15ACF 509]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.speech.speechsynthesisd]

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd

[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.85573A37-B2FD-418B-A243-76AC95857100 509]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

Network


Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db


/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db


/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression


/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression


/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression


/Users/run/Library/Safari/Favicon Cache/favicons/6950D9EFC03B8A4F37B6F5FB7B694716


/Users/run/Library/Safari/Favicon Cache/favicons/C24061FC89C3E7772447F7E5E42C765E
