Verdict Malicious
Classifications Spyware
Threat Names AtomicStealer, Mal/HTMLGen-A
Remarks (1/1)
(0x02000050): This analysis has been updated with the latest reputation and static analysis results from the original analysis with the ID #24278253.

Files (11)
File Name /Volumes/MacSoftware/MacSoftware
Category Sample File
Type Shell Script
Verdict Malicious
Parent File /Users/user/Downloads/MacSoftware_v3.46_1738507697837.dmg
MIME Type text/x-shellscript
File Size 3.10 KB
MD5 58b0e3a9564b2d0042509b1150874929
SHA1 7e8852865a3bf7a54e55443da15d5abafacaf296
SHA256 ab8978523fec7af5ca9c01880344e8c69a4d317847f7f044ffcbe6bfca5a0887
SSDeep 48:nmFTiBUV/b/VA41R8taMau0Y1+c2JyJJo2lJyJJGZnmpyJMG5QsBryJa6yR+dwZO:dBUZb/i4H8ttaG1cxGD2Ees9L5nIxiM
ImpHash -
File Name /tmp/Launcher
Category Dropped File
Type Binary
Verdict Malicious
Also Known As Launcher (Miscellaneous File, Archive File)
Parent File /tmp/Launcher.zip
MIME Type application/x-mach-binary
File Size 262.81 KB
MD5 7470a7b727d644fa2e9374123c23ab18
SHA1 58c30fb5ff3ce9858c4d370e454c9af023b8fac0
SHA256 78f06aab7186708d767ea121a02a46307944ef9df82c649d4d2635e26328d469
SSDeep 1536:eHOF6XKvBR9t31GbJrHNDqjYueH/QAnMre6ZograBR9t31GbJrHNDqjYueHPQW:eHkH4DjQAnMre62v4DrQW
ImpHash -
Memory Dumps (1)
Name launcher
Process ID 28
Start VA 0x10B24E000
End VA 0x10B267FFF
Dump Reason Relevant Image
Mach-O Rebuild False
Bitness 64-bit
Entry Point 0x10B252FE8
YARA False
YARA Matches (1)
Rule Name AtomicStealer_Script_Launcher
Rule Description macOS Atomic Stealer script launcher
Classification Spyware
Score 5/5
File Name /tmp/Launcher.zip
Category Dropped File
Type ZIP
Verdict Malicious (raised based on a child artifact)
MIME Type application/zip
File Size 180.19 KB
MD5 2037a986ab7952961d3366814168ae74
SHA1 08aa52bfb328cadbe8d4f4a6a5aceae1f8966d4b
SHA256 2372290a2bfeaef5e33ea78b316a42aa3fb2ea4e732130d2e944c031d759cac3
SSDeep 3072:B5XQIe0U9yXYlvg1gR9QNcZA5uGRzHIx/wd0GOqf/oM3yl+k0OQNbS:7BhYlgWXG9IGd8qXoM35OWbS
ImpHash -
Archive Information
Number of Files 2
Number of Folders 1
Size of Packed Archive Contents 179.81 KB
Size of Unpacked Archive Contents 426.01 KB
File Format zip
Contents (2)
File Name Packed Size Unpacked Size Compression Is Encrypted Modify Time Verdict
__MACOSX/._Launcher 129.38 KB 163.20 KB Deflate False 2025-02-02 12:02 (UTC+1) Clean
Launcher 50.42 KB 262.81 KB Deflate False 2025-02-02 12:02 (UTC+1) Malicious
File Name d52300b73611b55c10b05c97834f34715673551158388bde3ec69269d12893b3
Category Extracted File
Type Binary
Verdict Malicious
Parent File /tmp/Launcher
MIME Type application/x-mach-binary
File Size 102.57 KB
MD5 9fc8119b826d51ddfe3cf86279eadadd
SHA1 ab7d555464ba77f1ce00dbb7267dc12c5f687665
SHA256 d52300b73611b55c10b05c97834f34715673551158388bde3ec69269d12893b3
SSDeep 768:FIMDiK0Muo5PTRTTyXK7HPfLBD4y9tnYo1GbJM/8tHkBA8k4ViTTY/8PFkQOH+d3:yHOF6XKvBR9t31GbJrHNDqjYueH/QAn
ImpHash -
Mach-O Information
Arch Type x86_64
Arch Subtype x86_64_all
Type Executable
Flags noundefs, dyldlink, twolevel, binds_to_weak, pie
UUID ba4b37eb-4420-3a3a-8a6e-5961c1264067
Entry Point 0x100000D67
Segments (5)
Segment: __PAGEZERO
Virtual Address 0x00000000
Virtual Size 0x100000000
Raw Data Offset 0x00000000
Raw Data Size 0x00000000
Initial Protection -
Maximum Protection -
Flags -
Entropy 0.0
Segment: __TEXT
Virtual Address 0x100000000
Virtual Size 0x00012000
Raw Data Offset 0x00000000
Raw Data Size 0x00012000
Initial Protection read, execute
Maximum Protection read, execute
Flags -
Entropy 5.04
Sections (6)
Name Type Virtual Address Raw Data Offset Size Attributes
__text regular 0x1000009A8 0x000009A8 0x00004852 pure_instructions, some_instructions
__stubs symbol_stubs 0x1000051FA 0x000051FA 0x000000C0 pure_instructions, some_instructions
__stub_helper regular 0x1000052BA 0x000052BA 0x0000013C pure_instructions, some_instructions
__gcc_except_tab regular 0x1000053F8 0x000053F8 0x000003D4 -
__cstring cstring_literals 0x1000057CC 0x000057CC 0x0000C744 -
__unwind_info regular 0x100011F10 0x00011F10 0x000000F0 -
Segment: __DATA_CONST
Virtual Address 0x100012000
Virtual Size 0x00001000
Raw Data Offset 0x00012000
Raw Data Size 0x00001000
Initial Protection read, write
Maximum Protection read, write
Flags -
Entropy 0.0
Sections (1)
Name Type Virtual Address Raw Data Offset Size Attributes
__got non_lazy_symbol_pointers 0x100012000 0x00012000 0x00000058 -
Segment: __DATA
Virtual Address 0x100013000
Virtual Size 0x00001000
Raw Data Offset 0x00013000
Raw Data Size 0x00001000
Initial Protection read, write
Maximum Protection read, write
Flags -
Entropy 0.23
Sections (2)
Name Type Virtual Address Raw Data Offset Size Attributes
__la_symbol_ptr lazy_symbol_pointers 0x100013000 0x00013000 0x000000F0 -
__data regular 0x1000130F0 0x000130F0 0x00000008 -
Segment: __LINKEDIT
Virtual Address 0x100014000
Virtual Size 0x00008000
Raw Data Offset 0x00014000
Raw Data Size 0x00005A50
Initial Protection read
Maximum Protection read
Flags -
Entropy 1.76
Imported Libraries (2)
Name Version Compatibility Version
/usr/lib/libc++.1.dylib 1800.105.0 1.0.0
/usr/lib/libSystem.B.dylib 1351.0.0 1.0.0
Load Commands (11)
DYLD_INFO_ONLY
bind_off 81928
bind_size 256
export_off 83368
export_size 32
lazy_bind_off 82240
lazy_bind_size 1128
rebase_off 81920
rebase_size 8
weak_bind_off 82184
weak_bind_size 56
SYMTAB
nsyms 43
stroff 84416
strsize 1192
symoff 83432
DYSYMTAB
extrefsymoff 0
extreloff 0
iextdefsym 1
ilocalsym 0
indirectsymoff 84120
iundefsym 2
locreloff 0
modtaboff 0
nextdefsym 1
nextrefsyms 0
nextrel 0
nindirectsyms 73
nlocalsym 1
nlocrel 0
nmodtab 0
ntoc 0
nundefsym 41
tocoff 0
LOAD_DYLINKER
name /usr/lib/dyld
UUID
uuid ba4b37eb-4420-3a3a-8a6e-5961c1264067
BUILD_VERSION
minos 10.15.0
platform PLATFORM_MACOS
sdk 15.2.0
tools [{'tool': 'TOOL_LD', 'version': '1115.7.3'}]
SOURCE_VERSION
version 0.0.0.0.0
MAIN
entryoff 3431
stacksize 0
FUNCTION_STARTS
dataoff 83400
datasize 32
DATA_IN_CODE
dataoff 83432
datasize 0
CODE_SIGNATURE
dataoff 85616
datasize 19424
YARA Matches (1)
Rule Name AtomicStealer_Script_Launcher
Rule Description macOS Atomic Stealer script launcher
Classification Spyware
Score 5/5
File Name /tmp/__MACOSX/._Launcher
Category Dropped File
Type Stream
Verdict Clean
Also Known As ._Launcher (Miscellaneous File), __MACOSX/._Launcher (Archive File)
Parent File /tmp/Launcher.zip
MIME Type application/octet-stream
File Size 163.20 KB
MD5 2068baed53a076c32cbfa2f1548c79d2
SHA1 6e1b70f7a9db685574ef40afd48d936f2ef05556
SHA256 66572a2cf7a9685bc49d6b1476c80da085cfb6dd4cb1c0bb39efb8cfa1c153f9
SSDeep 3072:9iDV98ojK6jNERghAc8CDXTeaCqUPtiDV98ojK6jNERghAc8CDXTeaCqUP+:9IV9VW6jagN8iy5BIV9VW6jagN8iy5y
ImpHash -
File Name /users/user/library/saved application state/com.apple.osascript.savedstate/windows.plist
Category Dropped File
Type Stream
Verdict Clean
MIME Type application/octet-stream
File Size 4.20 KB
MD5 ec2597084d520f13b13fc34d06f603df
SHA1 bd9bc17b228c02aa7dcbeac35ade5c7e027d031c
SHA256 86fbc3e30f2e102e35a63f976384ec5969496f3159208ca0b8a3d8ddc88556fb
SSDeep 48:/rE/DVb+gtvHHFflsXlf/lulel4wlwx+6MjnNsvIYWiR5QkyTJbZPHXZ9u6gbVwe:w/9+4/lN26MT0D5MdtbZPAVwzVRwOm
ImpHash -
File Name /users/user/library/saved application state/com.apple.osascript.savedstate/data.data
Category Dropped File
Type Stream
Verdict Clean
MIME Type application/octet-stream
File Size 3.37 KB
MD5 b465c9540c34ee0db4b5fd19fe5e01e6
SHA1 ca5aeacf0a8ad74967311963d6d6d5201b415cff
SHA256 d7951e22ceb8eca06164f8a7c3346c1ebde681b838799ade3d38a813c61835e0
SSDeep 48:T6OP8GZWsw6aynwLpkVcUm2HuFkB3007NaxMQGlnINSstJBAchPPPAiLxZAhN2hS:jP8UWL6OdkC2HKW3Vojd4iLx+khPMtj
ImpHash -
File Name /private/tmp/5229/info
Category Dropped File
Type Text
Verdict Clean
MIME Type text/plain
File Size 1.37 KB
MD5 64bc6189125b2ac9aba8b8eaa4ab31e5
SHA1 9ef7dd7b35d7ef8f3c4ff7a7fdc5d35332978bcc
SHA256 d8b2c9f40e6b754fee69c66a9fcae6e652adc6650a4cefa1e8b1bca20dbe1f9b
SSDeep 24:MBj8uBan4RP1S27c1f1gMeMLt26AAft7BYIQoELnoEkMdQaW6dIZgtfoWTC1cWv4:wNBRRPEaoveMLt28fJ2ItELoEkMV9dmo
ImpHash -
File Name 844039272231e9527c3c4d3dbb664651fb3ffd01c426ea9631db5ae9c381429b
Category Extracted File
Type Binary
Verdict Clean
Parent File /tmp/Launcher
MIME Type application/x-mach-binary
File Size 134.81 KB
MD5 eaae571ed759da087775002353abc26e
SHA1 1fdd605105848a911a923da311bf64be9a319c40
SHA256 844039272231e9527c3c4d3dbb664651fb3ffd01c426ea9631db5ae9c381429b
SSDeep 768:jhaBK3XTeh1MHZ+gAfRUV5K4f4fLBD4y9tnYo1GbJM/8tHkBA8k4ViTTY/8PFkQ3:9re6ZograBR9t31GbJrHNDqjYueHPQW
ImpHash -
Mach-O Information
Arch Type ARM64
Arch Subtype ARM64_all
Type Executable
Flags noundefs, dyldlink, twolevel, binds_to_weak, pie
UUID 48886806-4b72-3d0d-b7d6-d2092f4d3e99
Entry Point 0x100003D84
Segments (5)
Segment: __PAGEZERO
Virtual Address 0x00000000
Virtual Size 0x100000000
Raw Data Offset 0x00000000
Raw Data Size 0x00000000
Initial Protection -
Maximum Protection -
Flags -
Entropy 0.0
Segment: __TEXT
Virtual Address 0x100000000
Virtual Size 0x00014000
Raw Data Offset 0x00000000
Raw Data Size 0x00014000
Initial Protection read, execute
Maximum Protection read, execute
Flags -
Entropy 4.64
Sections (7)
Name Type Virtual Address Raw Data Offset Size Attributes
__text regular 0x10000398C 0x0000398C 0x00003670 pure_instructions, some_instructions
__stubs symbol_stubs 0x100006FFC 0x00006FFC 0x00000180 pure_instructions, some_instructions
__stub_helper regular 0x10000717C 0x0000717C 0x00000180 pure_instructions, some_instructions
__gcc_except_tab regular 0x1000072FC 0x000072FC 0x000003CC -
__const regular 0x1000076C8 0x000076C8 0x00000104 -
__cstring cstring_literals 0x1000077CC 0x000077CC 0x0000C744 -
__unwind_info regular 0x100013F10 0x00013F10 0x000000F0 -
Segment: __DATA_CONST
Virtual Address 0x100014000
Virtual Size 0x00004000
Raw Data Offset 0x00014000
Raw Data Size 0x00004000
Initial Protection read, write
Maximum Protection read, write
Flags -
Entropy 0.0
Sections (1)
Name Type Virtual Address Raw Data Offset Size Attributes
__got non_lazy_symbol_pointers 0x100014000 0x00014000 0x00000058 -
Segment: __DATA
Virtual Address 0x100018000
Virtual Size 0x00004000
Raw Data Offset 0x00018000
Raw Data Size 0x00004000
Initial Protection read, write
Maximum Protection read, write
Flags -
Entropy 0.07
Sections (2)
Name Type Virtual Address Raw Data Offset Size Attributes
__la_symbol_ptr lazy_symbol_pointers 0x100018000 0x00018000 0x000000F0 -
__data regular 0x1000180F0 0x000180F0 0x00000008 -
Segment: __LINKEDIT
Virtual Address 0x10001C000
Virtual Size 0x00008000
Raw Data Offset 0x0001C000
Raw Data Size 0x00005B40
Initial Protection read
Maximum Protection read
Flags -
Entropy 1.87
Imported Libraries (2)
Name Version Compatibility Version
/usr/lib/libc++.1.dylib 1800.105.0 1.0.0
/usr/lib/libSystem.B.dylib 1351.0.0 1.0.0
Load Commands (11)
DYLD_INFO_ONLY
bind_off 114696
bind_size 256
export_off 116128
export_size 32
lazy_bind_off 115008
lazy_bind_size 1120
rebase_off 114688
rebase_size 8
weak_bind_off 114952
weak_bind_size 56
SYMTAB
nsyms 43
stroff 117176
strsize 1192
symoff 116192
DYSYMTAB
extrefsymoff 0
extreloff 0
iextdefsym 1
ilocalsym 0
indirectsymoff 116880
iundefsym 2
locreloff 0
modtaboff 0
nextdefsym 1
nextrefsyms 0
nextrel 0
nindirectsyms 73
nlocalsym 1
nlocrel 0
nmodtab 0
ntoc 0
nundefsym 41
tocoff 0
LOAD_DYLINKER
name /usr/lib/dyld
UUID
uuid 48886806-4b72-3d0d-b7d6-d2092f4d3e99
BUILD_VERSION
minos 11.0.0
platform PLATFORM_MACOS
sdk 15.2.0
tools [{'tool': 'TOOL_LD', 'version': '1115.7.3'}]
SOURCE_VERSION
version 0.0.0.0.0
MAIN
entryoff 15748
stacksize 0
FUNCTION_STARTS
dataoff 116160
datasize 32
DATA_IN_CODE
dataoff 116192
datasize 0
CODE_SIGNATURE
dataoff 118368
datasize 19680
File Name /Volumes/MacSoftware/.background/fnjeruCgdWB.png
Category Extracted File
Type Image
Verdict Clean
Also Known As /Volumes/MacSoftware/fnjeruCgdWB.png (Miscellaneous File)
Parent File /Users/user/Downloads/MacSoftware_v3.46_1738507697837.dmg
MIME Type image/png
File Size 309.79 KB
MD5 81705ea1954f259e4aa6d674815d4c8a
SHA1 0f0939dcf272be6de8d2753a90cc1b599a4730be
SHA256 3f160aabf77f2f8f921ac145c973a9b20dfaf83dc03053178a048e63a3d9a6ac
SSDeep 6144:kYZyNs9KCsIOh4dc+KJrRiXebLLvOaQA2at2R9lHG6Jb5oy:CNWsIOh4dc+IoObBQPG6x5/
ImpHash -
File Name /Volumes/MacSoftware/.VolumeIcon.icns
Category Extracted File
Type Image
Verdict Clean
Parent File /Users/user/Downloads/MacSoftware_v3.46_1738507697837.dmg
MIME Type image/x-icns
File Size 67.93 KB
MD5 e1e76ce5ddd702a38fd2bcdffdc2503b
SHA1 5241a6534edef837f77d85e58470e64a70e9a698
SHA256 8fc29d86c767c2417ca3c7212a27c050f0c43929c09555b905cb93ba03dde8de
SSDeep 1536:f2CN7rehFWKqzYAMJxn2j1U0kDeTPT2s1nz3uget2n2AglfZFV8:fThrKZqUA02ZvLTPTvyxgVeRFV8
ImpHash -