rule AbkA
rule AdPluginA
rule AdPluginB
rule BundloreA
rule BundloreB
rule CoinThiefA
rule CoinThiefB
rule CoinThiefC
rule CrossRiderA : adware
rule DevilRobberA
rule DevilRobberB
rule EICAR
rule EleanorA
rule FileStealA
rule FileStealB
rule FkCodecA
rule FlashbackA
rule FlashbackB
rule FlashbackC
rule GenieoA
rule GenieoB
rule GenieoC
rule GenieoD
rule GenieoDropper
rule GenieoE
rule GetShellA
rule HMining
rule HMiningB
rule HMining_Binary_A
rule HellRTS
rule IServiceA
rule IWormA
rule IWormBC
rule InstallCoreA
rule InstallImitatorA
rule InstallImitatorB
rule InstallImitatorC
rule KeRangerA
rule LaoShuA
rule LeverageA
rule MDropperA
rule MaControlA
rule MacDefenderA
rule MacDefenderB
rule MachookA
rule MachookB
rule NetWeirdA
rule NetWeirdB
rule NetwireA
rule OSX_Bundlore_A
rule OSX_ExtensionsInstaller_A
rule OSX_Findzip_A {
rule OSX_HMining_C
rule OSX_Proton_A
rule OSX_XAgent_A
rule OSX_iKitten_A
rule OpinionSpyA
rule OpinionSpyB
rule PrxlA
rule QHostWBA
rule RSPlugA
rule RevirA
rule RevirB
rule RevirC
rule RevirD
rule SMSSendA
rule SMSSendB
rule TroviProxyApp
rule VSearchA
rule VindinstallerA
rule XProtect_AdLoad_A
rule XProtect_AdLoad_B_1
rule XProtect_AdLoad_B_2 ; dropper
rule XProtect_Bundlore_B
rule XProtect_Genieo_G_1
rule XProtect_HONKBOX_A ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74)
rule XProtect_HONKBOX_B ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74)
rule XProtect_HONKBOX_C ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74)
rule XProtect_MACOS_03b5cbe ; Genieo Safari Extension (Pitchofcase variants; 5bf86d5860b886bbce146188078a1b406ec30620, ade7e10339acbdf8518a65a802299b5f01e31af2, 8b1d4328e32db7f0a079f1f9e208c77ada76b1e1, 78084f36435ec4971d96262c04c441dfe5ecbd17)
rule XProtect_MACOS_0e32a32 ; +v2144 Bundlore Script (scripts like: 9dae8dacf4c3065db026e4197a89b776b466de3a, 00181d218f21ab5e8c9c1c5ab776846397d9ae41, 
df84c2566de17c983d037a6fe707fd2f7f9ec5c1 - payloads like: 393ce20cc73b1b03eb7a0077c8d6245d2ad7da29)
rule XProtect_MACOS_0e62876 ; Bundlore, Koiot
rule XProtect_MACOS_11eaac1 ; +v2144 VindInstaller.B (8c3e28f6c64a812124428f8718971474fb5fb10d, c671d911c5f92709ef6c0188166ce279e27570f8, 867befac764b4e9154c706074a56d5b0027d0a38)
rule XProtect_MACOS_1373c52 ; AdLoad, AdLoad.9
rule XProtect_MACOS_1940318 ; +v2159 UNK ()
rule XProtect_MACOS_1afcb8b ; +v2160 UNK ()
rule XProtect_MACOS_1c119be ; Generic Safari Extension Adware (2b1ae502d165a87f5cd4268f107ffd276c472768, 91c59a46bc8091c8fc5ea56a6d1383bff73720e6, 3fbfc78df992c482ea72476184f4f6d7ffb8e121, 2da3b4bc816262bdd1ea26580fc165a2cf636634, 2688a79c3bae96b71370725cf0bd2e05b58579f7, efc9c1d99a5cbb950426829be819f3ae4c77d935, 0645ec09b51c22d1b4999feaa429d48ca33ac299)
rule XProtect_MACOS_1db9cfa (DUBROBBER.D) ; +v2142 XCSSET (c9a06c124998647c85f82dcec024dd03f683559c81fe7ad125a94ed308e4236f, 546e20d7053d6031045ae44a57e20e402388f9d51278ab87cccd8cf8a8965b15)
rule XProtect_MACOS_1f26189 ; Genieo, Pirrit.C, Adload (70ca0635fbbc438478b0e9182bf33fff9b7a3f2a, 8c7927d1c8c2477ce96bebd29623985ec2f615f4, f136908ff7b0217f33c9aa2f7c6a02459db89b3d, 3e27b3af5240cfc9f4ea2d68c6f6561319020108, 5305a3651249c0a6fc5570e9bd89d915a52ee2af)
rule XProtect_MACOS_2070d41 (DUBROBBER.A) ; XCSSET AppleScript
rule XProtect_MACOS_22d71e9 ; AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 884054a35808b7e79abf4ecdba23d40a8322642d)
rule XProtect_MACOS_22f03bb ; +v2158 macOS.Zuru (see https://www.sentinelone.com/blog/top-10-macos-malware-discoveries-in-2021-a-guide-to-prevention-detection/)
rule XProtect_MACOS_260ae81 ; Lazarus WatchCat.A
rule XProtect_MACOS_275ff12 ; +2159 Adload (7eca5034295b62c2bf17b18b578dca4df34ff97c, 5447da0bb00a30b632976086855eadc99f3522c3, 3385eca7db6e634767bf50bd932a002f7e9aff77, 6e8735f365d265459575ae38bbbe9aa4d2707635, 6865b23d09421f1a1ccd0d4e13c027b680b32f31)
rule XProtect_MACOS.2afe6bd ; +v2141 Adload (638f3d6ca5180ebd3198e455b1cf4b519b4bc963, cb7462ac7647c7208243c9464d7b096dc5e85619); https://labs.sentinelone.com/how-adload-macos-malware-continues-to-adapt-evade/
rule XProtect_MACOS_2b3d4cb ; Lazarus / NukeSped (b72850897ccb6c621431a00623cd7f3a3caa351f, e9651ba8a1de96213f4a8b4678c48d1d5ccda74c, f543491bc3c37c06b5ad6bdb16bd8aef749e1002)
rule XProtect_MACOS_2b50ea5 ; +v2145 Adload (com.WeatherNow: 3e23c5714d95006e8a8f0f83b3211990146a4cde9523671453bc5a1320343e1c, 2494d890800c753b74dc62feaa54d3d96e6497119a01d62021f8dc28dcee72de, 4227859edc8e023b762105fb959494e846dd344f65b2af0be581d4c07c9e9d53)
rule XProtect_MACOS_30445d1 ; Genieo, PDFConverter4u script (233171c0b8ca06c6f1592187b8246e0ea76dbbccfd110414a4491cffc752c7b2)
rule XProtect_MACOS_3ea93d1 ; Bundlore (5224624b3e52d85b194364f917b69ab3a62c234a, 50d6ce4ac90698ed2d9a1440a2b2f5caf7f248ad, 85356008de37f2954429075a018241503d6915b8, 91d066aece20a0157a08ef89a763fe579a8c390d, 11d00ea63621a166fa87e45e3a0a421f2a702ee1, 76a2e16b9570417af3844e93f0425250d4e674f1, 56262d0899e9c80a800e3f483d75484b3b7927a0; Parent like Player.dmg 347c5ce2d35e12614d827502772b6dad0dcf6d9b)
rule XProtect_MACOS_449a7ed ; Bundlore.EJT (NOTARIZED adware with BIDs like 'com.Ethernet.bundle.installer', 'com.MousePointer.bundle.installer', 6276db3d0031b9e5c3abad745b18ba2727e519da, 2e03b4f58a0811e8358713a315196ed6ce773b10, 2015780a046a6ece142775b9e4ac89d16a5784b9, 2099fe400ec596c7682290ce7258c689949e8f4c, f3d712118caa74c053249ef28bd1904e5de723cf)
rule XProtect_MACOS_44db411 ; AMC, Tuneupmymac, Smart Mac Care, Optimizer (rule doesn't return any matches on VT retrohunt, but searching for com.tuneupmymac leads to 150+ files: https://www.virustotal.com/gui/search/signature%253Acom.tuneupmymac/files)
rule XProtect_MACOS_489e70f ; Pirrit (MacPerformance, MacRunnerDaemon: 904548b1c289fb4bccd9d92cf6a6e2b58ff3aafc, 80f235707c3cd9f7aa73d737bb884d2f9ff145f6)
rule XProtect_MACOS_4d60c89 ; +v2140 Notarized Shlayer (DLVPlayer d5d71a2f4f38c283825253e4fff4f26d8f007fef, MacCleanBooster 28f4d43ebbe2031d636522155cd3a8ed819df46b)
rule XProtect_MACOS_51f7dde ; Refog Keylogger (fef1daece1c5874778a6bc19e6ddcabd925459e0, 026a2f15415a8e58e3d164d29494be2a912978e3, 8e0ebf12a26d735d7e90a144f5b824592514fd10, 86da85f7cbaffb4d3053f5117ce7ce30b5f50916, a28c0fb587a481e7c5f3d3bbf93aa6b8d55d8ac3, 446ea643e59aecdba68354596b1c7d66f484dce5, 7d0bdd0508747d12cba7440f100094ad7d0caf13)
rule XProtect_MACOS_54d6414 ; +v2149 Bundlore/Shlayer (22e976d9057154a63c282639fc40e9d24de92239, 3d536e03af34be732a309277ab8f16deab189d93, 1e224062c58d656b519e04c38308746f6fc1a7fb, 25f541d9e6045637c5130fe7b5209e654265f7a3, 5ad00d2680971fc85b573c2545bbf78bcc429d18, 3626b7a27f539fd2b8b5abd468b040ee6c7e3fe6)
rule XProtect_MACOS_580a1bc ; Lazarus WatchCat.B
rule XProtect_MACOS_5af1486 ; Genieo variant (a25304e572f4ecc8f216835d98e6611d5c7cd1cb, d70218de0a08fcc7cb1ee1df2a8af39ad439c5c5)
rule XProtect_MACOS_60a3d68 ; Bundlore/Shlayer (3176535fffab2ac02986afed582aae7ec8a110a3, 73914d717dcd04979825476584e9aaee1aa5bdbf, 9d2c51a333896d2cc0911c7b9a6a4eccff7bab73, 54ac49fec09112691cbcd52c9166a1ba1dd1048b,edb67a177780f6b486a8ba6e92d712a7f9fc0c55, 7a5943fbd1c071c3f0edf44758e2f8ca2b27d585)
rule XProtect_MACOS_6175e25 ; com.techyutils.UnPack adware variants
rule XProtect_MACOS_61ee022 ; Lazarus (Cryptoistic: c834d324f8588a837279459882dbdba436079696) https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/
rule XProtect_MACOS_644e18d ; +v2161 Adload payload (09fb15aabaadda780c18f7d9a496d1e872086900, be1fcbb3ef35c00a73c894e4b52cb9e82da64952, 48a2d37ed064b58ee2a0c5bb5c270b7a007b0c69, 465a1fe1e3322286d18c347bff5380bb0ddd6b12)
rule XProtect_MACOS_6cb9746 ; EvilQuest/ThiefQuest (ksfetch variants: 804251b229130fad49be7eacaf92d749e49c8424, 255a646078d317652df371343c622bd6ee93c29e, 46dae95e75897d7a4611efef0c9388e50009177e, d5cbff5ec92619057c50aa34f6fff561038f0255, d60cb8621cc2b129bcede68592f41f44d941917f)
rule XProtect_MACOS_6e6bed7 ; +v2160 (35ca9983807ba9a03ad0fbd5dd7ac92d015f6e52, 9f5af92f2fb8a11d3de4f0ecabe449ce71234e0b, bb74351195df68e933b584006792b75ad340e9f5, 2b6048fb87d398a25b0275e31051679c9d7c1b44)
rule XProtect_MACOS_6eaea4b (DUBROBBER.E) ; +v2144 XCSSET hashes (rule specifices list of SHA1s) 
rule XProtect_MACOS_6e7d4c2 ; MacSearch (com.tinstaller.macsearch: 00f38923cceaf5c912578ab39a7acb1d1934c682, 8cf1e20ca12e61fe4b042d1b5c628416f3bbae7f, d0131547e20c1ccc78d1c66242d642b5c25f0555, ebf1912da61c1b7ad1eb1a854b375d95b6b345d0, 6684b4236fad9da735b5ca7882726ed91f844ec4) 
rule XProtect_MACOS_71915a8 ; ZShlayer (713df263d539a6dae725dafb1acae5e6bb0178ab, c4971f6a9100034434b71b9621e5b67cc50de306, e85c5e2a7644ba57e2e26ac98f1d09286c1bc96b)
rule XProtect_MACOS_74416b0 ; +v2140 WizardUpdate (77c247afdbdf3c254fb56f066bf95c0800c00226, 92b9bba886056bc6a8c3df9c0f6c687f5a774247, 3cd4835c84d51daf57e1fad860fc9022af4d77fb, ad7a328749afa78a207232dba60d0bdba030bca1)
rule XProtect_MACOS_7c241b4 ; +v2150, AdLoad variant (84bebd83d649254d057899b1429c8fc2319452c6, b87fa95363843c72bab66a01f969500179205327, db462b80dd9aaa2db229f442842ac5a66875c2c9, ba41db111f638100ad16471e6463ada902a1e39b, c4d5933ce69081028b800cda7a60ce1c5dc9a3af)
rule XProtect_MACOS_7ef4bab ; -v2141, +v2140 AdLoad variants (1172ca7b53c21ead825f759adf95e575690eb608, bf1a5982760305c48ce692c4a114c5182ad01713, 7fa689bba03d33403646f43843369d10998fb176, a8399681394c0e5773fe4939508b9dcf7077bf04, 26341b518d7cbb6e5a6d96ab357ca278e1f2d23d, 7d3cc10b998597855d6866a89dddf03e26be6411, 17a279322693102bfc0477484c57e6a56dc05e25)
rule XProtect_MACOS_7f5b902 ; Genieo, PDFConverter4u Mach-O (a9f0135ba8ad120ba713cbad41b7b32972eebe7a)
rule XProtect_MACOS_8032420 ; Genieo, MaxOfferDeal (variants like: com.company.InstallerShell, com.moods.happymoods, com.newscaster.forecast 3ebb809b282c845d2d786756c1b704413e3c18df, 3cfd68fbdfc5063a3dd5b7a83ffc318b5e1075e9, 9837c83a10be757408dab9a8a9a16aa15eb27a3f, 167ecb893eea006cab977a2983790779b66f784c, 7ed38f6c3e22ecbb06b049c38ca32b587c1b7d65, af80bf3985bbb3ccf1ed0c274059daa538303766, e5d286cdc91c9427e00fa7bf6be21dd6d375cf20)
rule XProtect_MACOS_8283b86 ; AMC, techyutils (MacMechanic Pro f1a38916362ba48058f7b0aa0b89e9fdadc6251f)
rule XProtect_MACOS_8340d93 ; Lazarus/NukeSped variant (890a0a0a751cf0f44c3e9eebf4c4d93aa76e09bdc8ffe29988ac4410ea60bf7d)
rule XProtect_MACOS_889c9e6 (DUBROBBER.C) ; +v2140 XCSSET (xcassets variants: no matches on VT)
rule XProtect_MACOS_8d038b3 ; Lazarus (UnionCrypto: e8f29f1e3f35a4f2c18be424551e280ed66b1dd7)
rule XProtect_MACOS_8f20223 ; MacSearch (org.Safari.SearchAppExtension 006721efc9c44b32365070bed6c2b9a38cdf2ec3, 8a95602902e7a7466f270255b95725d0428c263c, dcbac1da2c13b35761d871b25900d85d9ab952f9, 013ae376f0b6957a6023ebb3eb55cb6824a89c4e, 9a0b46bcc997ccd6cb48ee6d3e465eb930e550f1)
rule XProtect_MACOS_9bdf6ec ; AdLoad variants (00ba9ae62e3dc079f3d8b6ad436db7e4716a764f, eb7a9481f8a1b63f0d8d7314d077b035ba76137e, aa6dba06ee9299ac8c8e44607b1955a4bbdf0593, ba3ff57c51da31ebaff312108b58631682ee8801, 2ce3caf32cc5085f137c6d84962edc624f16699f, f167910f5c6e6686cec87d500b3fac7ba66d464a, 8c0d4b883932f454c7ae79523fccca7316870c1c) https://labs.sentinelone.com/how-adload-macos-malware-continues-to-adapt-evade/
rule XProtect_MACOS_9a3e9ed ; +v2153, changed v2154 FireSearch (e5cc62a162c6f8d02234be64eb51f7d1b2fdf84c3a037a590d65979404ba16da); MMInstall, MMUpdater, MyShopCoupon, SurfBuyer (05041dbb236108ea2dcb3c4ead1151b2de26929b, 54289f73f5843c4729bc1fdfa50cee1247ba5b31, 276f1274b9e655c6beb7c9c66c3a991d8af97a6c)
rule XProtect_MACOS_9e2bab9 (DUBROBBER.B) ; +v2140 macOS.OSAMiner (1f68005ec2461b571744bebb8570f14ece546d1e, 800ef18045c4d0a448ad4f7bfe543308a3ef035a, f3c9ecc8484ce602493652a923e9afdbb5b1058, 93b2653a4259d9c04e5b780762dc4abc40c49d35, 0f44f24aa2e5a05134041fe54893865b9ede636e, fef7101396e50f300680abda7e464e5275f7daaf, cbea422e321131ef972e330f867edf9d1b5fc09c); https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/
rule XProtect_MACOS_a291b70 ; Genieo, PDFConverter4u (a9f0135ba8ad120ba713cbad41b7b32972eebe7a, a9231d016ffdb224ad972a1a4ce84f28e7f4318f)
rule XProtect_MACOS_a9ea9b4 ; Bundlore (f3e546886993e6c3ad3a0455c85ca181dd9cd0f7, 8f036f78de578090207efc8c067dd63c3568e315)
rule XProtect_MACOS_b17a97e ; Lazarus OSX.Cassoo/OSXAri (af42ff72986f73e983619440318c561ad2ad5c3e, 40d24649471551a5787d8b4404cdfcfe2d45d5c3, bf8dd8729325944224b7576cd8dce0ecc670603f, e6f3ff554f003752a21ede0ca0bfcce059afcc16, 9bbdc8b0b20e14bca949e82e12c66db4921b6d37); https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/
rule XProtect_MACOS_b264ff6 ; AMC, AMCleaner (Mactonic, hlprnwamc: 9e72a3bdd0a4f80bfe43d32f7287bd4ae684c957, eae98132a7eea865c8a8667e1270ad84a72b9b6c, 6f2d4820a5ddcd7db9f7470f770379e202d617b8, 37d65439a1697613797d6336edd60de8e2a99c4e, ec97139be85513c20b6646d64bd0bb57c7f1e77d)
rule XProtect_MACOS_b5bd028 ; +v2141 Bundlore (bf015894e6542d114c28ca5f5d8065ce27d9dae6, dceb36588f62652a1d28cddff595fa465c9eec0d, 76953668e7cf59507636673c504a40a44ce209c7)
rule XProtect_MACOS_b70290c ; AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 884054a35808b7e79abf4ecdba23d40a8322642d, 0c9bea512187c796d1a76addab58b7df05ac325f)
rule XProtect_MACOS_bb90861 ; Lazarus / NukeSped (iContact.pkg: 9e3682c626d786cbfa2e33bc64c60397d2b057f4)
rule XProtect_MACOS_bd64115 ; Lazarus / NukeSped (CoinGoTrade: c1ab302a314a29a42ccf5e226bc43f0c7722e079, 80923c208c2c821ed99e1ed8f50bd549598a210c)
rule XProtect_MACOS_c592675 ; Pirrit (CallUtilDaemon, AppAssistDaemon: 1cfd91a89abf05faeea5bb785a2b289fc6969587)
rule XProtect_MACOS_c723519 ; Lazarus / NukeSped (prtspool: 58b0516d28bd7218b1908fb266b8fe7582e22a5f)
rule XProtect_MACOS_cb4abc2 ; Lazarus / DaclsRAT (SubMenu.nib: fa3deb60b8a2eaa29a7dccf14bee6adae81f442f)
rule XProtect_MACOS.cbb1424 ; +v2161 WizardUpdate variant (e54c9bcc2601f5b4c1665003560cfcd4c3502cc4, f1e3bd6273748133f46140778aeeb1dc3ebe94c0, 35ca9983807ba9a03ad0fbd5dd7ac92d015f6e52, 9f5af92f2fb8a11d3de4f0ecabe449ce71234e0b)
rule XProtect_MACOS_ce3281e ; Genieo, PDFConverter4u (no exact matches on VT) 
rule XProtect_MACOS_d1e06b8 ; (no exact matches on VT, but likely com.installcapital.www, like: 82f6bc529f48221c5e2609af1ee8f7e38112cbb9, d4609e1cee8ccbe6480a1d63a80766969d16fc2d, bb5581b0b0d9295a4decc42092fef8e595cbd361)
rule XProtect_MACOS_d444820 ; Bundlore, Convuster (com.invisibilitys.kingliest: 817f729329283692755d4a57dd1963dff752f443)
rule XProtect_MACOS_d4735e3 ; (no matches on VT for this rule)
rule XProtect_MACOS_d92d83c ; MMInstall, com.mm-install-macos.www (no exact matches on VT for this rule)
rule XProtect_MACOS_d98ded3 ; +v2141 Genieo, MaxOfferDeal (f1b092c1a49a70d552153cce9bfed90842e4c0a8, 202381794e8f01ef8b01ad38ead3bedbb7d7b79b, 6157ba9a7a7762a155a70eb0aa82a4bbff7d13f7, c6d22101b079695158fb0828338c517702fef5b3)
rule XProtect_MACOS_da36796 ; +v2165 Meta Installer (c3ee8bfbf6cb3567b9caff44bcfb19fa86ba4939)
rule XProtect_MACOS_de444f2 ; AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 884054a35808b7e79abf4ecdba23d40a8322642d, 0c9bea512187c796d1a76addab58b7df05ac325f)
rule XProtect_MACOS_e150543 ; +v2157 OSX.Agent (c3ce7814f652d84f30e55b247b2a7dd520155b24, 45b08b7ccdeae23227bf1654e1813f21eb839d21, ae2b3d4c65988250aded3f99974ef5c3e79be29b, 991a32af2855fdc9604aeaddecbc6939212d30d5, 24815752d5f9b17f69a3b2d03badde8f8b3f48d6)
rule XProtect_MACOS_e16be2c ; Pirrit (GSearch/QSearch Extension: 23d2daad85f94a06f635422f8ae349e58b26429e, 8f3f08522eea5a4eda218e1991b9b4e6a8c62e88, 9decd25aa0f61aee54c9e36570683f1d69b029dd, 420f54698fb41c607daa8448599bb0c12f76fda7, a3022a03937be25e301f6d92f9a2bc9efb55f1aa)
rule XProtect_MACOS_e3548bb ; AdLoad (c4708467b25176c02b16fb1d3eead8be0adc2d05)
rule XProtect_MACOS_e4644f7 ; com.xyz.xyInstaller (0/60 VT: 650c6349fadd52c87d9f32d13bca221dc681a3fd)
rule XProtect_MACOS_e71e847 ; +v2159 SearchProxy, Synataeb (eea093d24823291edf4b24f561590fd5fe5d738d, f0a3ca0d2bc098705c8bb1fd6b853353a54d1443, b9e7d02cfef26becb0c800a48b3a1e9e2c54afeb, 7c31ad3f4e3b8b02449fc5d185810519307ca8f5, 3cdffca2c8815f59816deabc3333a6f624e04364)
rule XProtect_MACOS_e79dc35 ; AdLoad (com.extrabrowser: 493aaed3779ce233b572a8206f1cbddf100c60ad)
rule XProtect_MACOS.ef3df25 : +v2144 Bundlore Script (scripts: 085a136c03f8b024a173068768c67b1a5ad928c1, 30ee4e65933106e7bc0baf4e56449e2683dedaae - payloads like: 20ac95c44549710a434902267394525333e96c0b, 04bed04e347f6889c140c4fe6cb137a54b9fc047)
rule XProtect_MACOS_efb903b ; +v2158 OSX.Gimmick (macOS Macma variant; fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8)
rule XProtect_MACOS_f3edc61 ; AMC, AMCleaner (MacMechanic: 9e72a3bdd0a4f80bfe43d32f7287bd4ae684c957, d6d636ea2ddf02c8db1b68d9ed1828bea627a68e)
rule XProtect_MACOS_f4a3a92 ; Lazarus / NukeSped (.CrashReporter: cf5eaafb00b535af209fb95ed987d0964730cf17)
rule XProtect_MACOS_f5d33c9 ; +v2150 Shlayer Dropper (e605ae3b2c530973e9132d9232056bd52de345d0,92e2d00427858b7ada910e73888cab7ca0dfc678, cf63d82f26f5383993146f86c6d421dab23d5198)
rule XProtect_MACOS_fa6a259 ; Lazarus / NukeSped (TinkaOTP: a909cdb57132b9a928467540e2031b0d25fed39d, dfdcde21871beeb3e0fab040e6c51046b4cfd0ee)
rule XProtect_OSX_28a9883 ; OSX.Agent (63d4726936b8d503c026472b2679222c0686413c, 36278457b37721e0798a35b6b9bae831ca0628b4, e4dacc2b8cc9673bd3a623eb1c27aabf617dcc6c, 470f43ede2fc3a2d553db94afb88fc3b5a68b962)
rule XProtect_OSX_ATG15_B ; OceanLotus (0c16ba49cf87b42ff85dc87a045950fdefbffcae) https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
rule XProtect_MACOS_KEYSTEAL_A ; +v2166 KeySteal (ca985f4395e47f1bf9274013b36a0901343fc5a5, 5a8a7e665fdd7a422798d5c055c290fa8b7356d9, d85b6531843d5c29cc3bbb86e59d47249db89b9a)
rule XProtect_OSX_AceInstaller_B
rule XProtect_OSX_Bundlore_D
rule XProtect_OSX_Dok_A
rule XProtect_OSX_Dok_B
rule XProtect_OSX_Genieo_G
rule XProtect_OSX_HMining_D
rule XProtect_OSX_HiddenLotus_A
rule XProtect_OSX_Leverage_A
rule XProtect_OSX_Mughthesec_A
rule XProtect_OSX_Mughthesec_B
rule XProtect_OSX_Particle_Smasher_A
rule XProtect_OSX_Proton_B
rule XProtect_snowdrift ; CloudMensis/InkySquid +v2162 (c3e48c2a2d43c752121e55b909fc705fe4fdaef6, 9c13aaf9ab344d3904b02cd81bf73fc7f03b3bb3) https://www.sentinelone.com/labs/labscon-replay-inkysquid-the-missing-arsenal/
rule XcodeGhost