MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kimsuky


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f
SHA3-384 hash: 82361bec1538c2ea6fd5832b972d911c5c2857e7f2e1a768524808bcc0cd9ed3324d409c0d1a9087985eade328096993
SHA1 hash: 2d746dda85805c79b5f6ea376f97d9b2f547da5d
MD5 hash: 13c07ccb4117bfba9921e45c39b10339
humanhash: enemy-charlie-juliet-berlin
File name:chaotic_capybara
Download: download sample
Signature Kimsuky
Create hunting rule
File size:52'640 bytes
First seen:2025-03-24 17:00:09 UTC
Last seen:Never
File type:php macho
MIME type:application/x-mach-binary
ssdeep 48:yQOycd3x2szbprM+ctveawGOzUyJ8fyPMAPraMXrM:MzbprM+6verGOYZyHPb
TLSH T19C339A53EB0C01A5C0AC473952D74F452522F2D54BA2532B5E81D925BFCA3567E124DF
Magika macho
Reporter mauroeldritch
Tags:ContagiousInterview DevPopper Kimsuky machO VelvetChollima


Avatar
mauroeldritch
ChaoticCapybara is macOS ARM64 malware attributed to Velvet Chollima (North Korea).
Compiled in C++ with Xcode, it performs low-level system checks to fingerprint the host before payload activation.
Notable behaviours include:
- Queries System Integrity Protection (SIP) status via csrctl and undocumented sysctl calls (CTL_KERN, 143 and 145).
- Interacts with Appleā€™s MAC Framework via __mac_syscall, likely to enumerate security policies and sandbox status.
- Uses getenv to detect environment variables, suggesting conditional execution.
- Contains a hardcoded EOR (XOR) instruction at offset 0x8506, likely to decrypt embedded strings or configuration.
No AV detections at time of discovery.
Project name is gilly/Target, created by username "Artyom".
Filename stripped, Mach-O ARM64, unsigned.

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
UY UY
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e24d6fbb84e066269ee0ad
Tags:
infosteal
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/67e18fa7de7b23ce171e8c9b/reports/3b390da0-891f-41c4-9e06-e6595de72493/overview
Verdict:
Malicious
Labled as:
Mac/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f
Result
Verdict:
MALICIOUS
Score:
10%
Verdict:
Benign
File Type:
Mach-O
Link:
https://malprob.io/report/469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f/
Threat name:
MacOS.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-24 17:01:13 UTC
File Type:
MachO64 Little (Exe)
AV detection:
5 of 36 (13.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2p5riua5cng5xinobgqxzgh4dqnrv2t4mkottralvyannltqzpq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://news.mefiltraron.com/p/edicion-especial-como-domar-un-chollima
  
Link
https://otx.alienvault.com/pulse/67dddcffeb1b8b8df8947b64
  
Delivery method
Distributed via e-mail link

Comments