MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c
SHA3-384 hash: def71eee75ce0f04877579eafb564bb8c3d5df63653e3f747410445d5190ff24fa49b4cd7f23d242bec5445c4303bf51
SHA1 hash: 8cd45ae9b53a2e9d3f24cfea654c6d6e9716d544
MD5 hash: af2aeb81a5680c936b6211d4065ee39f
humanhash: nineteen-nitrogen-sad-magnesium
File name:macrasv2
Download: download sample
File size:6'522'672 bytes
First seen:2026-04-21 18:06:26 UTC
Last seen:2026-04-23 08:13:55 UTC
File type:php macho
MIME type:application/x-mach-binary
ssdeep 98304:/FKiB7AFqPxy7HaHB+UhZfjGpHlwEHyTVExsfqn:/9B7AFaWWxZfIFJEVE
TLSH T1BF668C46BC1D6562D6C9B5752F6653857239FC448F82C3232A18BB3EFDF23588B23261
Magika macho
Reporter mauroeldritch
Tags:DPRK Mach-O Man machO macOS


Avatar
mauroeldritch
Lazarus' Mach-O Man Stage 5 - Exfiltration

Intelligence

File Origin
# of uploads :
3
# of downloads :
268
Origin country :
UY UY
Vendor Threat Intelligence
No detections
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e7bceb4aed15d0792edd79
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 expand lolbin
Link:
https://www.filescan.io/uploads/69e7bcbc81aa9ec3bc1c6d6b/reports/d8e8a7e4-f257-4317-80b3-14b3062f6205/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c
Verdict:
Malicious
File Type:
macho x64 le
First seen:
2026-04-22T04:27:00Z UTC
Last seen:
2026-04-22T04:39:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
Mach-O
Link:
https://malprob.io/report/85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c
Threat name:
MacOS.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2026-04-21 18:07:08 UTC
File Type:
MachO64 Little (Exe)
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qw7nfa52sxka3gphsq36niywcm3mstwavs6azu4fthipzgzohe6a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
  
Dropped by
Mach-O Man
  
Delivery method
Other

Comments