MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baa676b671e771bf04b245e648f49516b338e1f49cbd9b4d237cc36d57ab858d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

SHA256 hash: baa676b671e771bf04b245e648f49516b338e1f49cbd9b4d237cc36d57ab858d
SHA3-384 hash: f147733af741441234907d41d537007865384e9839449ab1201e576a253f2ce927977c072ca66f87480b3d69b46d79f7
SHA1 hash: 254aad39a432ff0df2ce35cc4ff3578afe1dc1df
MD5 hash: 701165265b73f90942b7000ba39cfe5c
humanhash: mars-colorado-jersey-angel
File name: localfile.x64
File size: 3'022'328 bytes
First seen: 2024-09-17 08:58:57 UTC
Last seen: Never
File type: php macho
MIME type: application/x-mach-binary
ssdeep: 49152:1/Fv7BmRBL3sjKRVK2Hdtl08nJPmbBDCVGXIw1NJbBN5+yg6EsHHcaYUI3Vmp3Vs:197WJoGVzQJdNDEscaYUI3Vmp3Vs
TLSH: T1DCE56C1BF9A2A964D089813413CBD7A35762B8761722B70B27D467323F76DE06F89307
Magika: macho
Reporter: smica83
Tags: apt DPRK machO RustDoor

Intelligence

File Origin
# of uploads: 1
# of downloads: 139
Origin country: HU

Vendor Threat Intelligence
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: masquerade
Threat name: MacOS.Infostealer.Generic
Status: Suspicious
First seen: 2024-08-26 16:43:30 UTC
File Type: MachO64 Little (Exe)
AV detection: 9 of 38 (23.68%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_APT29_WINELOADER_Backdoor
Author: daniyyell
Description: Detects APT29's WINELOADER backdoor variant used in phishing campaigns; this rule also detects bad pdf, shtml, htm and vbs, or maybe more, depending.
Reference: https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID             | Title                | Severity
CHECK_CODESIGN | Missing Code Signing | high

Reviews
ID         | Capabilities                           | Evidence
CERT_API   | Manipulates Certificates and Keys      | _SecCertificateCopyData, _SecTrustGetCertificateCount, _SecTrustSetAnchorCertificates, _SecTrustSetAnchorCertificatesOnly, _SecTrustSetPolicies, _SecPolicyCreateSSL
IOKIT_API  | Can Access Hardware Devices & Drivers  | _IOConnectCallStructMethod

Comments