This #macOS #stealer #malware isn't immediately recognisable to me. DMG and app file masquerading as The Unarchiver, uses Swift to capture password, downloads secondary payload containing shell scripts to collect, stage, and exfil data to c2 hxxp[://]81.19.137[.]179/api/index.php
Nice feature of urlscan live browsing is having the file download available with the scan for context https://urlscan.io/result/e25eb6f1-5af1-4280-a637-cbf6330ff7f2/ … I thought this was going to be #atomicstealer or #poseidon / #rodstealer / #rodmacer (or not-amos as I'm calling it cos there are too many names lol)

Malware host/lure: tneunarchiver[.]com

First stage payload: TheUnarchiver.dmg (MD5: c720feef0092cfce7a54951beacfc02d) https://www.virustotal.com/gui/file/1162e11df8106c6fffee7ec883a137d1e982fbf4bd8b34a5fa90cd6a44c4850b/details

Second stage: cryptomac[.]dev/download/grabber.zip (MD5: 03db09912b4b7bec98410d276bd2409a) https://www.virustotal.com/gui/file/a08468098e6ab3c515366049a8f8b394d53445b60dbce2b0e4c9c7f3c3bc58de/details

https://urlscan.io/result/c12766f6-dac5-4686-8c17-225599f1a718/
