rule AbkA rule AdPluginA rule AdPluginB rule BundloreA rule BundloreB rule CoinThiefA rule CoinThiefB rule CoinThiefC rule CrossRiderA : adware rule DevilRobberA rule DevilRobberB rule EICAR rule EleanorA rule FileStealA rule FileStealB rule FkCodecA rule FlashbackA rule FlashbackB rule FlashbackC rule GenieoA rule GenieoB rule GenieoC rule GenieoD rule GenieoDropper rule GenieoE rule GetShellA rule HMining rule HMiningB rule HMining_Binary_A rule HellRTS rule IServiceA rule IWormA rule IWormBC rule InstallCoreA rule InstallImitatorA rule InstallImitatorB rule InstallImitatorC rule KeRangerA rule LaoShuA rule LeverageA rule MDropperA rule MaControlA rule MacDefenderA rule MacDefenderB rule MachookA rule MachookB rule NetWeirdA rule NetWeirdB rule NetwireA rule OSX_Bundlore_A rule OSX_ExtensionsInstaller_A rule OSX_Findzip_A { rule OSX_HMining_C rule OSX_Proton_A rule OSX_XAgent_A rule OSX_iKitten_A rule OpinionSpyA rule OpinionSpyB rule PrxlA rule QHostWBA rule RSPlugA rule RevirA rule RevirB rule RevirC rule RevirD rule SMSSendA rule SMSSendB rule TroviProxyApp rule VSearchA rule VindinstallerA rule XProtect_AdLoad_A rule XProtect_AdLoad_B_1 rule XProtect_AdLoad_B_2 ; dropper rule XProtect_Bundlore_B rule XProtect_Genieo_G_1 rule XProtect_HONKBOX_A ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74) rule XProtect_HONKBOX_B ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74) rule XProtect_HONKBOX_C ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74) rule XProtect_MACOS_03b5cbe ; +v2111 Genieo Safari Extension (Pitchofcase variants; 5bf86d5860b886bbce146188078a1b406ec30620, ade7e10339acbdf8518a65a802299b5f01e31af2, 8b1d4328e32db7f0a079f1f9e208c77ada76b1e1, 
78084f36435ec4971d96262c04c441dfe5ecbd17) rule XProtect_MACOS_0e32a32 ; +v2144 Bundlore Script (scripts like: 9dae8dacf4c3065db026e4197a89b776b466de3a, 00181d218f21ab5e8c9c1c5ab776846397d9ae41, df84c2566de17c983d037a6fe707fd2f7f9ec5c1 - payloads like: 393ce20cc73b1b03eb7a0077c8d6245d2ad7da29) rule XProtect_MACOS_0e62876 ; +v2109 Bundlore, Koiot rule XProtect_MACOS_11eaac1 ; +v2144 VindInstaller.B (8c3e28f6c64a812124428f8718971474fb5fb10d, c671d911c5f92709ef6c0188166ce279e27570f8, 867befac764b4e9154c706074a56d5b0027d0a38) rule XProtect_MACOS_1373c52 ; +v2136 AdLoad, AdLoad.9 rule XProtect_MACOS_16e6816 ; +v2170 MetaStealer (cfa56e10c8185792f8a9d1e6d9a7512177044a8b, 47620d2242dfaf14b7766562e812b7778a342a48, c4d9272ef906c7bf4ccc2a11a7107d6b7071537b, 8dfeda030bd3b38592b29d633c40e041d5f3331d) rule XProtect_MACOS_1940318 ; +v2159 UNK () rule XProtect_MACOS_1afcb8b ; +v2160 UNK () rule XProtect_MACOS_1c119be ; +v2132 Generic Safari Extension Adware (2b1ae502d165a87f5cd4268f107ffd276c472768, 91c59a46bc8091c8fc5ea56a6d1383bff73720e6, 3fbfc78df992c482ea72476184f4f6d7ffb8e121, 2da3b4bc816262bdd1ea26580fc165a2cf636634, 2688a79c3bae96b71370725cf0bd2e05b58579f7, efc9c1d99a5cbb950426829be819f3ae4c77d935, 0645ec09b51c22d1b4999feaa429d48ca33ac299) rule XProtect_MACOS_1db9cfa ; +v2142 XCSSET (DUBROBBER.D) (c9a06c124998647c85f82dcec024dd03f683559c81fe7ad125a94ed308e4236f, 546e20d7053d6031045ae44a57e20e402388f9d51278ab87cccd8cf8a8965b15) rule XProtect_MACOS_1f26189 ; +v2133 Genieo, Pirrit.C, Adload (70ca0635fbbc438478b0e9182bf33fff9b7a3f2a, 8c7927d1c8c2477ce96bebd29623985ec2f615f4, f136908ff7b0217f33c9aa2f7c6a02459db89b3d, 3e27b3af5240cfc9f4ea2d68c6f6561319020108, 5305a3651249c0a6fc5570e9bd89d915a52ee2af) rule XProtect_MACOS_2070d41 ; +v2126 XCSSET (DUBROBBER.A) AppleScript rule XProtect_MACOS_22d71e9 ; +v2108 AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 
884054a35808b7e79abf4ecdba23d40a8322642d) rule XProtect_MACOS_22f03bb ; +v2158 macOS.Zuru (see https://www.sentinelone.com/blog/top-10-macos-malware-discoveries-in-2021-a-guide-to-prevention-detection/) rule XProtect_MACOS_260ae81 ; +v2127 Lazarus WatchCat.A rule XProtect_MACOS_275ff12 ; +v2159 Adload (7eca5034295b62c2bf17b18b578dca4df34ff97c, 5447da0bb00a30b632976086855eadc99f3522c3, 3385eca7db6e634767bf50bd932a002f7e9aff77, 6e8735f365d265459575ae38bbbe9aa4d2707635, 6865b23d09421f1a1ccd0d4e13c027b680b32f31) rule XProtect_MACOS_2afe6bd ; +v2141 Adload (638f3d6ca5180ebd3198e455b1cf4b519b4bc963, cb7462ac7647c7208243c9464d7b096dc5e85619); https://labs.sentinelone.com/how-adload-macos-malware-continues-to-adapt-evade/ rule XProtect_MACOS_2b3d4cb ; +v2124 Lazarus / NukeSped (b72850897ccb6c621431a00623cd7f3a3caa351f, e9651ba8a1de96213f4a8b4678c48d1d5ccda74c, f543491bc3c37c06b5ad6bdb16bd8aef749e1002) rule XProtect_MACOS_2b50ea5 ; +v2145 Adload (com.WeatherNow: 3e23c5714d95006e8a8f0f83b3211990146a4cde9523671453bc5a1320343e1c, 2494d890800c753b74dc62feaa54d3d96e6497119a01d62021f8dc28dcee72de, 4227859edc8e023b762105fb959494e846dd344f65b2af0be581d4c07c9e9d53) rule XProtect_MACOS_2fc5997 ; +v2176 rule XProtect_MACOS_30445d1 ; +v2120 Genieo, PDFConverter4u script (233171c0b8ca06c6f1592187b8246e0ea76dbbccfd110414a4491cffc752c7b2) rule XProtect_MACOS_3ea93d1 ; +v2123 Bundlore (5224624b3e52d85b194364f917b69ab3a62c234a, 50d6ce4ac90698ed2d9a1440a2b2f5caf7f248ad, 85356008de37f2954429075a018241503d6915b8, 91d066aece20a0157a08ef89a763fe579a8c390d, 11d00ea63621a166fa87e45e3a0a421f2a702ee1, 76a2e16b9570417af3844e93f0425250d4e674f1, 56262d0899e9c80a800e3f483d75484b3b7927a0; Parent like Player.dmg 347c5ce2d35e12614d827502772b6dad0dcf6d9b) rule XProtect_MACOS_449a7ed ; +v2131 Bundlore.EJT (NOTARIZED adware with BIDs like 'com.Ethernet.bundle.installer', 'com.MousePointer.bundle.installer', 6276db3d0031b9e5c3abad745b18ba2727e519da, 2e03b4f58a0811e8358713a315196ed6ce773b10, 
2015780a046a6ece142775b9e4ac89d16a5784b9, 2099fe400ec596c7682290ce7258c689949e8f4c, f3d712118caa74c053249ef28bd1904e5de723cf) rule XProtect_MACOS_44db411 ; +v2117 AMC, Tuneupmymac, Smart Mac Care, Optimizer (rule doesn't return any matches on VT retrohunt, but searching for com.tuneupmymac leads to 150+ files: https://www.virustotal.com/gui/search/signature%253Acom.tuneupmymac/files) rule XProtect_MACOS_489e70f ; +v2115 Pirrit (MacPerformance, MacRunnerDaemon: 904548b1c289fb4bccd9d92cf6a6e2b58ff3aafc, 80f235707c3cd9f7aa73d737bb884d2f9ff145f6) rule XProtect_MACOS_4d60c89 ; +v2140 Notarized Shlayer (DLVPlayer d5d71a2f4f38c283825253e4fff4f26d8f007fef, MacCleanBooster 28f4d43ebbe2031d636522155cd3a8ed819df46b) rule XProtect_MACOS_51f7dde ; +v2120 Refog Keylogger (fef1daece1c5874778a6bc19e6ddcabd925459e0, 026a2f15415a8e58e3d164d29494be2a912978e3, 8e0ebf12a26d735d7e90a144f5b824592514fd10, 86da85f7cbaffb4d3053f5117ce7ce30b5f50916, a28c0fb587a481e7c5f3d3bbf93aa6b8d55d8ac3, 446ea643e59aecdba68354596b1c7d66f484dce5, 7d0bdd0508747d12cba7440f100094ad7d0caf13) rule XProtect_MACOS_54d6414 ; +v2149 Bundlore/Shlayer (22e976d9057154a63c282639fc40e9d24de92239, 3d536e03af34be732a309277ab8f16deab189d93, 1e224062c58d656b519e04c38308746f6fc1a7fb, 25f541d9e6045637c5130fe7b5209e654265f7a3, 5ad00d2680971fc85b573c2545bbf78bcc429d18, 3626b7a27f539fd2b8b5abd468b040ee6c7e3fe6) rule XProtect_MACOS_580a1bc ; +v2127 Lazarus WatchCat.B rule XProtect_MACOS_5af1486 ; +v2111 Genieo variant (a25304e572f4ecc8f216835d98e6611d5c7cd1cb, d70218de0a08fcc7cb1ee1df2a8af39ad439c5c5) rule XProtect_MACOS_60a3d68 ; +v2112 Bundlore/Shlayer (3176535fffab2ac02986afed582aae7ec8a110a3, 73914d717dcd04979825476584e9aaee1aa5bdbf, 9d2c51a333896d2cc0911c7b9a6a4eccff7bab73, 54ac49fec09112691cbcd52c9166a1ba1dd1048b,edb67a177780f6b486a8ba6e92d712a7f9fc0c55, 7a5943fbd1c071c3f0edf44758e2f8ca2b27d585) rule XProtect_MACOS_6175e25 ; com.techyutils.UnPack adware variants rule XProtect_MACOS_61ee022 ; +v2122 Lazarus (Cryptoistic: 
c834d324f8588a837279459882dbdba436079696) https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ rule XProtect_MACOS_6319b53 ; +v2172 Adload (6ebdb4c95e8896479a0540c51edebcb1d801ba80, 858d96b2dfa21971c40844dd419abdcacb899f2f, df181e2d5fdf55c8633bc847ff4646bdb596ca26, 5bcce4ed01f1725690c4e8f956fb22198efc07ec) rule XProtect_MACOS_644e18d ; +v2161 Adload payload (09fb15aabaadda780c18f7d9a496d1e872086900, be1fcbb3ef35c00a73c894e4b52cb9e82da64952, 48a2d37ed064b58ee2a0c5bb5c270b7a007b0c69, 465a1fe1e3322286d18c347bff5380bb0ddd6b12) rule XProtect_MACOS_6cb9746 ; +v2125 EvilQuest/ThiefQuest (ksfetch variants: 804251b229130fad49be7eacaf92d749e49c8424, 255a646078d317652df371343c622bd6ee93c29e, 46dae95e75897d7a4611efef0c9388e50009177e, d5cbff5ec92619057c50aa34f6fff561038f0255, d60cb8621cc2b129bcede68592f41f44d941917f) rule XProtect_MACOS_6e6bed7 ; +v2160 no family label given (com.vpn.vast, 35ca9983807ba9a03ad0fbd5dd7ac92d015f6e52, 9f5af92f2fb8a11d3de4f0ecabe449ce71234e0b, bb74351195df68e933b584006792b75ad340e9f5, 2b6048fb87d398a25b0275e31051679c9d7c1b44; note the first two hashes are also listed under XProtect_MACOS_cbb1424 as a WizardUpdate variant) rule XProtect_MACOS_6eaea4b ; +v2144 XCSSET (DUBROBBER.E) hashes (rule specifies a list of SHA1s) rule XProtect_MACOS_6e7d4c2 ; +v2134 MacSearch (com.tinstaller.macsearch: 00f38923cceaf5c912578ab39a7acb1d1934c682, 8cf1e20ca12e61fe4b042d1b5c628416f3bbae7f, d0131547e20c1ccc78d1c66242d642b5c25f0555, ebf1912da61c1b7ad1eb1a854b375d95b6b345d0, 6684b4236fad9da735b5ca7882726ed91f844ec4) rule XProtect_MACOS_71915a8 ; +v2128 ZShlayer (713df263d539a6dae725dafb1acae5e6bb0178ab, c4971f6a9100034434b71b9621e5b67cc50de306, e85c5e2a7644ba57e2e26ac98f1d09286c1bc96b) rule XProtect_MACOS_74416b0 ; +v2140 WizardUpdate (77c247afdbdf3c254fb56f066bf95c0800c00226, 92b9bba886056bc6a8c3df9c0f6c687f5a774247, 3cd4835c84d51daf57e1fad860fc9022af4d77fb, ad7a328749afa78a207232dba60d0bdba030bca1) rule XProtect_MACOS_7c241b4 ; +v2150 AdLoad variant (84bebd83d649254d057899b1429c8fc2319452c6, b87fa95363843c72bab66a01f969500179205327, 
db462b80dd9aaa2db229f442842ac5a66875c2c9, ba41db111f638100ad16471e6463ada902a1e39b, c4d5933ce69081028b800cda7a60ce1c5dc9a3af) rule XProtect_MACOS_7ef4bab ; +v2140, -v2141 AdLoad variants (1172ca7b53c21ead825f759adf95e575690eb608, bf1a5982760305c48ce692c4a114c5182ad01713, 7fa689bba03d33403646f43843369d10998fb176, a8399681394c0e5773fe4939508b9dcf7077bf04, 26341b518d7cbb6e5a6d96ab357ca278e1f2d23d, 7d3cc10b998597855d6866a89dddf03e26be6411, 17a279322693102bfc0477484c57e6a56dc05e25) rule XProtect_MACOS_7f5b902 ; +v2120 Genieo, PDFConverter4u Mach-O (a9f0135ba8ad120ba713cbad41b7b32972eebe7a) rule XProtect_MACOS_8032420 ; +v2123 Genieo, MaxOfferDeal (variants like: com.company.InstallerShell, com.moods.happymoods, com.newscaster.forecast 3ebb809b282c845d2d786756c1b704413e3c18df, 3cfd68fbdfc5063a3dd5b7a83ffc318b5e1075e9, 9837c83a10be757408dab9a8a9a16aa15eb27a3f, 167ecb893eea006cab977a2983790779b66f784c, 7ed38f6c3e22ecbb06b049c38ca32b587c1b7d65, af80bf3985bbb3ccf1ed0c274059daa538303766, e5d286cdc91c9427e00fa7bf6be21dd6d375cf20) rule XProtect_MACOS_8283b86 ; +v2112 AMC, techyutils (MacMechanic Pro f1a38916362ba48058f7b0aa0b89e9fdadc6251f) rule XProtect_MACOS_8340d93 ; +v2124 Lazarus/NukeSped variant (890a0a0a751cf0f44c3e9eebf4c4d93aa76e09bdc8ffe29988ac4410ea60bf7d) rule XProtect_MACOS_889c9e6 ; +v2140 XCSSET (DUBROBBER.C) (xcassets variants: no matches on VT) rule XProtect_MACOS_8a20735 ; +v2150 Bundlore (7f79800951160875b94df94bb834c30ad11a9021, 20ac95c44549710a434902267394525333e96c0b) rule XProtect_MACOS_8d038b3 ; +v2124 Lazarus (UnionCrypto: e8f29f1e3f35a4f2c18be424551e280ed66b1dd7) rule XProtect_MACOS_8f20223 ; +v2132 MacSearch (org.Safari.SearchAppExtension 006721efc9c44b32365070bed6c2b9a38cdf2ec3, 8a95602902e7a7466f270255b95725d0428c263c, dcbac1da2c13b35761d871b25900d85d9ab952f9, 013ae376f0b6957a6023ebb3eb55cb6824a89c4e, 9a0b46bcc997ccd6cb48ee6d3e465eb930e550f1) rule XProtect_MACOS_9bdf6ec ; +v2109 AdLoad variants (00ba9ae62e3dc079f3d8b6ad436db7e4716a764f, 
eb7a9481f8a1b63f0d8d7314d077b035ba76137e, aa6dba06ee9299ac8c8e44607b1955a4bbdf0593, ba3ff57c51da31ebaff312108b58631682ee8801, 2ce3caf32cc5085f137c6d84962edc624f16699f, f167910f5c6e6686cec87d500b3fac7ba66d464a, 8c0d4b883932f454c7ae79523fccca7316870c1c) https://labs.sentinelone.com/how-adload-macos-malware-continues-to-adapt-evade/ rule XProtect_MACOS_9a3e9ed ; +v2153, changed v2154 FireSearch (e5cc62a162c6f8d02234be64eb51f7d1b2fdf84c3a037a590d65979404ba16da); MMInstall, MMUpdater, MyShopCoupon, SurfBuyer (05041dbb236108ea2dcb3c4ead1151b2de26929b, 54289f73f5843c4729bc1fdfa50cee1247ba5b31, 276f1274b9e655c6beb7c9c66c3a991d8af97a6c) rule XProtect_MACOS_9e2bab9 ; +v2140 macOS.OSAMiner (DUBROBBER.B) (1f68005ec2461b571744bebb8570f14ece546d1e, 800ef18045c4d0a448ad4f7bfe543308a3ef035a, f3c9ecc8484ce602493652a923e9afdbb5b1058 [only 39 hex chars as recorded here - appears truncated, verify before use], 93b2653a4259d9c04e5b780762dc4abc40c49d35, 0f44f24aa2e5a05134041fe54893865b9ede636e, fef7101396e50f300680abda7e464e5275f7daaf, cbea422e321131ef972e330f867edf9d1b5fc09c); https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/ rule XProtect_MACOS_a291b70 ; +v2120 Genieo, PDFConverter4u (a9f0135ba8ad120ba713cbad41b7b32972eebe7a, a9231d016ffdb224ad972a1a4ce84f28e7f4318f) rule XProtect_MACOS_a6d7810 ; +v2176 Pirrit (3120f12ce34d19a28bb3d547e4757336be97dc75; this single hash was listed twice in the original notes) rule XProtect_MACOS_a9ea9b4 ; +v2130 Bundlore (f3e546886993e6c3ad3a0455c85ca181dd9cd0f7, 8f036f78de578090207efc8c067dd63c3568e315) rule XProtect_MACOS_b17a97e ; +v2124 Lazarus OSX.Cassoo/OSXAri (af42ff72986f73e983619440318c561ad2ad5c3e, 40d24649471551a5787d8b4404cdfcfe2d45d5c3, bf8dd8729325944224b7576cd8dce0ecc670603f, e6f3ff554f003752a21ede0ca0bfcce059afcc16, 9bbdc8b0b20e14bca949e82e12c66db4921b6d37); https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ rule XProtect_MACOS_b264ff6 ; AMC, AMCleaner (Mactonic, hlprnwamc: 9e72a3bdd0a4f80bfe43d32f7287bd4ae684c957, 
eae98132a7eea865c8a8667e1270ad84a72b9b6c, 6f2d4820a5ddcd7db9f7470f770379e202d617b8, 37d65439a1697613797d6336edd60de8e2a99c4e, ec97139be85513c20b6646d64bd0bb57c7f1e77d) rule XProtect_MACOS_b5bd028 ; +v2141 Bundlore (bf015894e6542d114c28ca5f5d8065ce27d9dae6, dceb36588f62652a1d28cddff595fa465c9eec0d, 76953668e7cf59507636673c504a40a44ce209c7) rule XProtect_MACOS_b70290c ; +v2108 AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 884054a35808b7e79abf4ecdba23d40a8322642d, 0c9bea512187c796d1a76addab58b7df05ac325f) rule XProtect_MACOS_bb90861 ; +v2122 Lazarus / NukeSped (iContact.pkg: 9e3682c626d786cbfa2e33bc64c60397d2b057f4) rule XProtect_MACOS_bd64115 ; +v2124 Lazarus / NukeSped (CoinGoTrade: c1ab302a314a29a42ccf5e226bc43f0c7722e079, 80923c208c2c821ed99e1ed8f50bd549598a210c) rule XProtect_MACOS_c592675 ; +v2116 Pirrit (CallUtilDaemon, AppAssistDaemon: 1cfd91a89abf05faeea5bb785a2b289fc6969587) rule XProtect_MACOS_c723519 ; +v2124 Lazarus / NukeSped (prtspool: 58b0516d28bd7218b1908fb266b8fe7582e22a5f) rule XProtect_MACOS_cb4abc2 ; +v2122 Lazarus / DaclsRAT (SubMenu.nib: fa3deb60b8a2eaa29a7dccf14bee6adae81f442f) rule XProtect_MACOS_cbb1424 ; +v2161 WizardUpdate variant (e54c9bcc2601f5b4c1665003560cfcd4c3502cc4, f1e3bd6273748133f46140778aeeb1dc3ebe94c0, 35ca9983807ba9a03ad0fbd5dd7ac92d015f6e52, 9f5af92f2fb8a11d3de4f0ecabe449ce71234e0b) rule XProtect_MACOS_ce3281e ; +v2111 Genieo, PDFConverter4u (no exact matches on VT) rule XProtect_MACOS_d1e06b8 ; InstallCapital.www (b5331a80185f5391190f87cc00c072880f2b54c6,167efa1918a21f096f249c39b9af5b6aad287afa,984dd19f627d7b11d31b122a129135d4241a937b) rule XProtect_MACOS_d444820 ; +v2131 Bundlore, Convuster (com.invisibilitys.kingliest: 817f729329283692755d4a57dd1963dff752f443) rule XProtect_MACOS_d4735e3 ; +v2134 (no matches on VT for this rule) rule XProtect_MACOS_d92d83c ; +v2109 MMInstall, com.mm-install-macos.www (no exact matches on 
VT for this rule) rule XProtect_MACOS_d98ded3 ; +v2141 Genieo, MaxOfferDeal (f1b092c1a49a70d552153cce9bfed90842e4c0a8, 202381794e8f01ef8b01ad38ead3bedbb7d7b79b, 6157ba9a7a7762a155a70eb0aa82a4bbff7d13f7, c6d22101b079695158fb0828338c517702fef5b3) rule XProtect_MACOS_da36796 ; +v2165 Meta Installer (c3ee8bfbf6cb3567b9caff44bcfb19fa86ba4939) rule XProtect_MACOS_de444f2 ; +v2108 AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 884054a35808b7e79abf4ecdba23d40a8322642d, 0c9bea512187c796d1a76addab58b7df05ac325f) rule XProtect_MACOS_e150543 ; +v2157 OSX.Agent (c3ce7814f652d84f30e55b247b2a7dd520155b24, 45b08b7ccdeae23227bf1654e1813f21eb839d21, ae2b3d4c65988250aded3f99974ef5c3e79be29b, 991a32af2855fdc9604aeaddecbc6939212d30d5, 24815752d5f9b17f69a3b2d03badde8f8b3f48d6) rule XProtect_MACOS_e16be2c ; +v2137 Pirrit (GSearch/QSearch Extension: 23d2daad85f94a06f635422f8ae349e58b26429e, 8f3f08522eea5a4eda218e1991b9b4e6a8c62e88, 9decd25aa0f61aee54c9e36570683f1d69b029dd, 420f54698fb41c607daa8448599bb0c12f76fda7, a3022a03937be25e301f6d92f9a2bc9efb55f1aa) rule XProtect_MACOS_e3548bb ; +v2132 AdLoad (c4708467b25176c02b16fb1d3eead8be0adc2d05) rule XProtect_MACOS_e4644f7 ; +v2124 com.xyz.xyInstaller (0/60 VT engine detections at the time of these notes: 650c6349fadd52c87d9f32d13bca221dc681a3fd) rule XProtect_MACOS_e71e847 ; +v2159 SearchProxy, Synataeb (eea093d24823291edf4b24f561590fd5fe5d738d, f0a3ca0d2bc098705c8bb1fd6b853353a54d1443, b9e7d02cfef26becb0c800a48b3a1e9e2c54afeb, 7c31ad3f4e3b8b02449fc5d185810519307ca8f5, 3cdffca2c8815f59816deabc3333a6f624e04364) rule XProtect_MACOS_e79dc35 ; +v2109 AdLoad (com.extrabrowser: 493aaed3779ce233b572a8206f1cbddf100c60ad) rule XProtect_MACOS_ef3df25 ; +v2144 Bundlore Script (scripts: 085a136c03f8b024a173068768c67b1a5ad928c1, 30ee4e65933106e7bc0baf4e56449e2683dedaae - payloads like: 20ac95c44549710a434902267394525333e96c0b, 04bed04e347f6889c140c4fe6cb137a54b9fc047) rule XProtect_MACOS_efb903b ; 
+v2158 OSX.Gimmick (macOS Macma variant; fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8) rule XProtect_MACOS_f3edc61 ; +v2112 AMC, AMCleaner (MacMechanic: 9e72a3bdd0a4f80bfe43d32f7287bd4ae684c957, d6d636ea2ddf02c8db1b68d9ed1828bea627a68e) rule XProtect_MACOS_f4a3a92 ; +v2124 Lazarus / NukeSped (.CrashReporter: cf5eaafb00b535af209fb95ed987d0964730cf17) rule XProtect_MACOS_f5d33c9 ; +v2150 Shlayer Dropper (e605ae3b2c530973e9132d9232056bd52de345d0,92e2d00427858b7ada910e73888cab7ca0dfc678, cf63d82f26f5383993146f86c6d421dab23d5198) rule XProtect_MACOS_fa6a259 ; +v2122 Lazarus / NukeSped (TinkaOTP: a909cdb57132b9a928467540e2031b0d25fed39d, dfdcde21871beeb3e0fab040e6c51046b4cfd0ee) rule XProtect_macos_adload_common_data ; +v2176 Adload rule XProtect_MACOS_ADLOAD_FMT ; +v2177 Adload rule XProtect_MACOS_ADLOAD_GEN ; +v2177 Adload rule XProtect_MACOS_ADLOAD_SMC ; +v2178 Adload rule XProtect_MACOS_ADLOAD_WSS ; +v2173 Adload (5e75539a7e95ddf5f7579a88a13f17bd877de94d, c356fa85a65cfed3c7a7baaf13e0e9ee241c403c, 83ad9ee03c346c950a354b5095e7d19df75e9c06) rule XProtect_MACOS_BUNDLORE_E ; +v2174 Bundlore_E (fb58f01d5669ec4b20ef0c6c9e96c2bb52c1d8c8,c60294f6db5e4cda63bae609d6f2736d6da1506c,e050113f48ced876658743bf8422df88e81a5c4a,08527a3cd298720aa3565e0b8b90a5c6a4bb5a2f,f82c916552285920fcffb7cdb5685a6d7e6807b5) rule XProtect_MACOS_CHERRYPIE_A ; +v2176 GarryStealer (see https://s1.ai/MacStealers, 04cbfa61f2cb8daffd0b2fa58fd980b868f0f951) rule XProtect_MACOS_CRAPYRATOR_A1 ; +v2184 macOS.BkDr.Activator (iocs: https://s1.ai/Bkdr-Mac) rule XProtect_MACOS_CRAPYRATOR_A2 ; +v2184 macOS.BkDr.Activator (iocs: https://s1.ai/Bkdr-Mac) rule XProtect_MACOS_DOLITTLE_HJK ; +v2179 Genieo (1486162e407c4419e06b63f13703a6116a3b9708,715d2eef68c92dc39c60e6df32cf4e56e79464dc, 4192daf9cfe2b3ba7df5638189cd8fd68e946c3a) rule XProtect_MACOS_FRISKYHORSE_COMMON ; +v2184 Lazarus (iocs: https://s1.ai/Interception) rule XProtect_MACOS_KEYSTEAL_A ; +v2166 KeySteal (ca985f4395e47f1bf9274013b36a0901343fc5a5, 
5a8a7e665fdd7a422798d5c055c290fa8b7356d9, d85b6531843d5c29cc3bbb86e59d47249db89b9a) rule XProtect_MACOS_SOMA_A ; +v2173 AtomicStealer (see https://s1.ai/amos) rule XProtect_MACOS_PIRRIT_A ; +v2178 Pirrit rule XProtect_MACOS_PIRRIT_GEN ; +v2177 Pirrit rule XProtect_MACOS_REALSTAR ; +v2183 RealSt(ealer) (see: https://www.sentinelone.com/blog/apple-crimeware-massive-rust-infostealer-campaign-aiming-for-macos-sonoma-ahead-of-public-release/) rule XProtect_MACOS_SHEEPSWAP_ALLBIDCOMMON ; +v2178 rule XProtect_MACOS_SHEEPSWAP_OBFCOMMON ; +v2176 rule XProtect_MULTI_SNOWCAR ; +v2175 Lazarus (detects Windows PE files rather than Mach-O: 89a662c290f793ef5d22230178e5cf0ed6acb090, 129d17f10529c7de72d86d5c8d2eda3d77b9c48f, 721ba19465d9758becad3c62676364c8ca18a269, 241531a971e41dee5023798b736e2e2151b405d7, e24971146715b402ca33ec7c146ec16b256f8f07) rule XProtect_macos_snowdock_crypt ; +v2176 rule XProtect_MACOS_SOMA_C ; +v2173 AtomicStealer (see https://s1.ai/amos) rule XProtect_MACOS_SOMA_D ; +v2177 AtomicStealer rule XProtect_MACOS_SOMA_E ; +v2178 AtomicStealer rule XProtect_MACOS_SOMA_F ; +v2189 AtomicStealer rule macos_sourpigeon ; +v2189 (no matches) rule XProtect_OSX_28a9883 ; OSX.Agent (63d4726936b8d503c026472b2679222c0686413c, 36278457b37721e0798a35b6b9bae831ca0628b4, e4dacc2b8cc9673bd3a623eb1c27aabf617dcc6c, 470f43ede2fc3a2d553db94afb88fc3b5a68b962) rule XProtect_OSX_ATG15_B ; OceanLotus (0c16ba49cf87b42ff85dc87a045950fdefbffcae; https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/) rule XProtect_OSX_AceInstaller_B rule XProtect_OSX_Bundlore_D rule XProtect_OSX_Dok_A rule XProtect_OSX_Dok_B rule XProtect_OSX_Genieo_G rule XProtect_OSX_HMining_D rule XProtect_OSX_HiddenLotus_A rule XProtect_OSX_Leverage_A rule XProtect_OSX_Mughthesec_A rule XProtect_OSX_Mughthesec_B rule XProtect_OSX_Particle_Smasher_A rule XProtect_OSX_Proton_B rule XProtect_snowdrift ; +v2162 CloudMensis/InkySquid (c3e48c2a2d43c752121e55b909fc705fe4fdaef6, 
9c13aaf9ab344d3904b02cd81bf73fc7f03b3bb3) https://www.sentinelone.com/labs/labscon-replay-inkysquid-the-missing-arsenal/ rule XcodeGhost