MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5
SHA3-384 hash: f4f85c716f9b997c5cb83c8292ab6890bc8628f3c120c7226e302cff66d4199acca44df00dcc34389c2244fb06d133ad
SHA1 hash: 5ec7497107478f08ca5018bf659f9340880c059c
MD5 hash: d2da2dc24f73f66f3fbe62784262378b
humanhash: lamp-zulu-winter-tennis
File name:zsh_env
Download: download sample
File size:5'636'672 bytes
First seen:2024-09-17 08:58:33 UTC
Last seen:Never
File type:php macho
MIME type:application/x-mach-binary
ssdeep 98304:K97WJoGVzQJdNDEscaYUI3Vmp3VoCitL9BaqUV3VJ3VN:nDR2EsL5itp45
TLSH T17546BF0BF8996E22D1C991784BCB87B36336F4740721A30B37945336BF52AE12E99357
TrID 69.8% (.DYLIB) Mac OS X Mach-O universal Dynamically linked shared Library (32500/1/5)
15.0% (.O/DYLIB/BUNDLE) Mac OS X Universal Binary (generic) (7002/2)
15.0% (.CLASS) Java bytecode (7001/2/1)
Magika macho
Reporter smica83
Tags:apt DPRK machO

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
Unix.Malware.Macos-10019937-0
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e944dc71e91b3281ba23b1
Tags:
n/a
Verdict:
Malicious
Labled as:
MAC.Stealer.L.284F4B4C;Generic.MAC.Stealer.L.Generic
Link:
https://www.hybrid-analysis.com/sample/a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5
Result
Verdict:
MALICIOUS
Score:
13%
Verdict:
Benign
File Type:
Mach-O universal binary
Link:
https://malprob.io/report/a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5/
Threat name:
MacOS.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-08-26 16:43:30 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=veaozajwgnmo6jv4354cp5qjdl2eypyqag6i6uvxm3evng2w7ksq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
APT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Reviews
IDCapabilitiesEvidence
CERT_APIManipulates Certificates and Keys_SecCertificateCopyData
_SecTrustGetCertificateCount
_SecTrustSetAnchorCertificates
_SecTrustSetAnchorCertificatesOnly
_SecTrustSetPolicies
_SecPolicyCreateSSL
IOKIT_APICan Access Hardware Devices & Drivers_IOConnectCallStructMethod

Comments