rule AbkA rule AdPluginA rule AdPluginB rule BundloreA rule BundloreB rule CoinThiefA rule CoinThiefB rule CoinThiefC rule CrossRiderA : adware rule DevilRobberA rule DevilRobberB rule EICAR rule EleanorA rule FileStealA rule FileStealB rule FkCodecA rule FlashbackA rule FlashbackB rule FlashbackC rule GenieoA rule GenieoB rule GenieoC rule GenieoD rule GenieoDropper rule GenieoE rule GetShellA rule HMining rule HMiningB rule HMining_Binary_A rule HellRTS rule IServiceA rule IWormA rule IWormBC rule InstallCoreA rule InstallImitatorA rule InstallImitatorB rule InstallImitatorC rule KeRangerA rule LaoShuA rule LeverageA rule MDropperA rule MaControlA rule MacDefenderA rule MacDefenderB rule MachookA rule MachookB rule NetWeirdA rule NetWeirdB rule NetwireA rule OSX_Bundlore_A rule OSX_ExtensionsInstaller_A rule OSX_Findzip_A rule OSX_HMining_C rule OSX_Proton_A rule OSX_XAgent_A rule OSX_iKitten_A rule OpinionSpyA rule OpinionSpyB rule PrxlA rule QHostWBA rule RSPlugA rule RevirA rule RevirB rule RevirC rule RevirD rule SMSSendA rule SMSSendB rule TroviProxyApp rule VSearchA rule VindinstallerA rule XProtect_AdLoad_A rule XProtect_AdLoad_B_1 rule XProtect_AdLoad_B_2 ; dropper rule XProtect_Bundlore_B rule XProtect_Genieo_G_1 rule XProtect_HONKBOX_A ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74) rule XProtect_HONKBOX_B ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74) rule XProtect_HONKBOX_C ; +v2166 Honkbox (e8c0e4ad17b28e2ad20ad231704dc135031fcee9, c52d182e05615f6083a4430bf31cf8ae32485688, 507575dcccae37e97d1a5c71bf388fa5252c6f74) rule XProtect_MACOS_03b5cbe ; Genieo Safari Extension (Pitchofcase variants; 5bf86d5860b886bbce146188078a1b406ec30620, ade7e10339acbdf8518a65a802299b5f01e31af2, 8b1d4328e32db7f0a079f1f9e208c77ada76b1e1, 78084f36435ec4971d96262c04c441dfe5ecbd17) rule 
XProtect_MACOS_0e32a32 ; +v2144 Bundlore Script (scripts like: 9dae8dacf4c3065db026e4197a89b776b466de3a, 00181d218f21ab5e8c9c1c5ab776846397d9ae41, df84c2566de17c983d037a6fe707fd2f7f9ec5c1 - payloads like: 393ce20cc73b1b03eb7a0077c8d6245d2ad7da29) rule XProtect_MACOS_0e62876 ; Bundlore, Koiot rule XProtect_MACOS_11eaac1 ; +v2144 VindInstaller.B (8c3e28f6c64a812124428f8718971474fb5fb10d, c671d911c5f92709ef6c0188166ce279e27570f8, 867befac764b4e9154c706074a56d5b0027d0a38) rule XProtect_MACOS_1373c52 ; AdLoad, AdLoad.9 rule XProtect_MACOS_16e6816 ; +v2170 MetaStealer (cfa56e10c8185792f8a9d1e6d9a7512177044a8b, 47620d2242dfaf14b7766562e812b7778a342a48, c4d9272ef906c7bf4ccc2a11a7107d6b7071537b, 8dfeda030bd3b38592b29d633c40e041d5f3331d) rule XProtect_MACOS_1940318 ; +v2159 UNK () rule XProtect_MACOS_1afcb8b ; +v2160 UNK () rule XProtect_MACOS_1c119be ; Generic Safari Extension Adware (2b1ae502d165a87f5cd4268f107ffd276c472768, 91c59a46bc8091c8fc5ea56a6d1383bff73720e6, 3fbfc78df992c482ea72476184f4f6d7ffb8e121, 2da3b4bc816262bdd1ea26580fc165a2cf636634, 2688a79c3bae96b71370725cf0bd2e05b58579f7, efc9c1d99a5cbb950426829be819f3ae4c77d935, 0645ec09b51c22d1b4999feaa429d48ca33ac299) rule XProtect_MACOS_1db9cfa (DUBROBBER.D) ; +v2142 XCSSET (c9a06c124998647c85f82dcec024dd03f683559c81fe7ad125a94ed308e4236f, 546e20d7053d6031045ae44a57e20e402388f9d51278ab87cccd8cf8a8965b15) rule XProtect_MACOS_1f26189 ; Genieo, Pirrit.C, Adload (70ca0635fbbc438478b0e9182bf33fff9b7a3f2a, 8c7927d1c8c2477ce96bebd29623985ec2f615f4, f136908ff7b0217f33c9aa2f7c6a02459db89b3d, 3e27b3af5240cfc9f4ea2d68c6f6561319020108, 5305a3651249c0a6fc5570e9bd89d915a52ee2af) rule XProtect_MACOS_2070d41 (DUBROBBER.A) ; XCSSET AppleScript rule XProtect_MACOS_22d71e9 ; AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 884054a35808b7e79abf4ecdba23d40a8322642d) rule XProtect_MACOS_22f03bb ; +v2158 macOS.Zuru (see 
https://www.sentinelone.com/blog/top-10-macos-malware-discoveries-in-2021-a-guide-to-prevention-detection/) rule XProtect_MACOS_260ae81 ; Lazarus WatchCat.A rule XProtect_MACOS_275ff12 ; +2159 Adload (7eca5034295b62c2bf17b18b578dca4df34ff97c, 5447da0bb00a30b632976086855eadc99f3522c3, 3385eca7db6e634767bf50bd932a002f7e9aff77, 6e8735f365d265459575ae38bbbe9aa4d2707635, 6865b23d09421f1a1ccd0d4e13c027b680b32f31) rule XProtect_MACOS.2afe6bd ; +v2141 Adload (638f3d6ca5180ebd3198e455b1cf4b519b4bc963, cb7462ac7647c7208243c9464d7b096dc5e85619); https://labs.sentinelone.com/how-adload-macos-malware-continues-to-adapt-evade/ rule XProtect_MACOS_2b3d4cb ; Lazarus / NukeSped (b72850897ccb6c621431a00623cd7f3a3caa351f, e9651ba8a1de96213f4a8b4678c48d1d5ccda74c, f543491bc3c37c06b5ad6bdb16bd8aef749e1002) rule XProtect_MACOS_2b50ea5 ; +v2145 Adload (com.WeatherNow: 3e23c5714d95006e8a8f0f83b3211990146a4cde9523671453bc5a1320343e1c, 2494d890800c753b74dc62feaa54d3d96e6497119a01d62021f8dc28dcee72de, 4227859edc8e023b762105fb959494e846dd344f65b2af0be581d4c07c9e9d53) rule XProtect_MACOS_30445d1 ; Genieo, PDFConverter4u script (233171c0b8ca06c6f1592187b8246e0ea76dbbccfd110414a4491cffc752c7b2) rule XProtect_MACOS_3ea93d1 ; Bundlore (5224624b3e52d85b194364f917b69ab3a62c234a, 50d6ce4ac90698ed2d9a1440a2b2f5caf7f248ad, 85356008de37f2954429075a018241503d6915b8, 91d066aece20a0157a08ef89a763fe579a8c390d, 11d00ea63621a166fa87e45e3a0a421f2a702ee1, 76a2e16b9570417af3844e93f0425250d4e674f1, 56262d0899e9c80a800e3f483d75484b3b7927a0; Parent like Player.dmg 347c5ce2d35e12614d827502772b6dad0dcf6d9b) rule XProtect_MACOS_449a7ed ; Bundlore.EJT (NOTARIZED adware with BIDs like 'com.Ethernet.bundle.installer', 'com.MousePointer.bundle.installer', 6276db3d0031b9e5c3abad745b18ba2727e519da, 2e03b4f58a0811e8358713a315196ed6ce773b10, 2015780a046a6ece142775b9e4ac89d16a5784b9, 2099fe400ec596c7682290ce7258c689949e8f4c, f3d712118caa74c053249ef28bd1904e5de723cf) rule XProtect_MACOS_44db411 ; AMC, Tuneupmymac, Smart Mac 
Care, Optimizer (rule doesn't return any matches on VT retrohunt, but searching for com.tuneupmymac leads to 150+ files: https://www.virustotal.com/gui/search/signature%253Acom.tuneupmymac/files) rule XProtect_MACOS_489e70f ; Pirrit (MacPerformance, MacRunnerDaemon: 904548b1c289fb4bccd9d92cf6a6e2b58ff3aafc, 80f235707c3cd9f7aa73d737bb884d2f9ff145f6) rule XProtect_MACOS_4d60c89 ; +v2140 Notarized Shlayer (DLVPlayer d5d71a2f4f38c283825253e4fff4f26d8f007fef, MacCleanBooster 28f4d43ebbe2031d636522155cd3a8ed819df46b) rule XProtect_MACOS_51f7dde ; Refog Keylogger (fef1daece1c5874778a6bc19e6ddcabd925459e0, 026a2f15415a8e58e3d164d29494be2a912978e3, 8e0ebf12a26d735d7e90a144f5b824592514fd10, 86da85f7cbaffb4d3053f5117ce7ce30b5f50916, a28c0fb587a481e7c5f3d3bbf93aa6b8d55d8ac3, 446ea643e59aecdba68354596b1c7d66f484dce5, 7d0bdd0508747d12cba7440f100094ad7d0caf13) rule XProtect_MACOS_54d6414 ; +v2149 Bundlore/Shlayer (22e976d9057154a63c282639fc40e9d24de92239, 3d536e03af34be732a309277ab8f16deab189d93, 1e224062c58d656b519e04c38308746f6fc1a7fb, 25f541d9e6045637c5130fe7b5209e654265f7a3, 5ad00d2680971fc85b573c2545bbf78bcc429d18, 3626b7a27f539fd2b8b5abd468b040ee6c7e3fe6) rule XProtect_MACOS_580a1bc ; Lazarus WatchCat.B rule XProtect_MACOS_5af1486 ; Genieo variant (a25304e572f4ecc8f216835d98e6611d5c7cd1cb, d70218de0a08fcc7cb1ee1df2a8af39ad439c5c5) rule XProtect_MACOS_60a3d68 ; Bundlore/Shlayer (3176535fffab2ac02986afed582aae7ec8a110a3, 73914d717dcd04979825476584e9aaee1aa5bdbf, 9d2c51a333896d2cc0911c7b9a6a4eccff7bab73, 54ac49fec09112691cbcd52c9166a1ba1dd1048b,edb67a177780f6b486a8ba6e92d712a7f9fc0c55, 7a5943fbd1c071c3f0edf44758e2f8ca2b27d585) rule XProtect_MACOS_6175e25 ; com.techyutils.UnPack adware variants rule XProtect_MACOS_61ee022 ; Lazarus (Cryptoistic: c834d324f8588a837279459882dbdba436079696) https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ rule XProtect_MACOS_6319b53 ; +v2172 Adload (6ebdb4c95e8896479a0540c51edebcb1d801ba80, 
858d96b2dfa21971c40844dd419abdcacb899f2f, df181e2d5fdf55c8633bc847ff4646bdb596ca26, 5bcce4ed01f1725690c4e8f956fb22198efc07ec) rule XProtect_MACOS_644e18d ; +v2161 Adload payload (09fb15aabaadda780c18f7d9a496d1e872086900, be1fcbb3ef35c00a73c894e4b52cb9e82da64952, 48a2d37ed064b58ee2a0c5bb5c270b7a007b0c69, 465a1fe1e3322286d18c347bff5380bb0ddd6b12) rule XProtect_MACOS_6cb9746 ; EvilQuest/ThiefQuest (ksfetch variants: 804251b229130fad49be7eacaf92d749e49c8424, 255a646078d317652df371343c622bd6ee93c29e, 46dae95e75897d7a4611efef0c9388e50009177e, d5cbff5ec92619057c50aa34f6fff561038f0255, d60cb8621cc2b129bcede68592f41f44d941917f) rule XProtect_MACOS_6e6bed7 ; +v2160 (35ca9983807ba9a03ad0fbd5dd7ac92d015f6e52, 9f5af92f2fb8a11d3de4f0ecabe449ce71234e0b, bb74351195df68e933b584006792b75ad340e9f5, 2b6048fb87d398a25b0275e31051679c9d7c1b44) rule XProtect_MACOS_6eaea4b (DUBROBBER.E) ; +v2144 XCSSET hashes (rule specifies list of SHA1s) rule XProtect_MACOS_6e7d4c2 ; MacSearch (com.tinstaller.macsearch: 00f38923cceaf5c912578ab39a7acb1d1934c682, 8cf1e20ca12e61fe4b042d1b5c628416f3bbae7f, d0131547e20c1ccc78d1c66242d642b5c25f0555, ebf1912da61c1b7ad1eb1a854b375d95b6b345d0, 6684b4236fad9da735b5ca7882726ed91f844ec4) rule XProtect_MACOS_71915a8 ; ZShlayer (713df263d539a6dae725dafb1acae5e6bb0178ab, c4971f6a9100034434b71b9621e5b67cc50de306, e85c5e2a7644ba57e2e26ac98f1d09286c1bc96b) rule XProtect_MACOS_74416b0 ; +v2140 WizardUpdate (77c247afdbdf3c254fb56f066bf95c0800c00226, 92b9bba886056bc6a8c3df9c0f6c687f5a774247, 3cd4835c84d51daf57e1fad860fc9022af4d77fb, ad7a328749afa78a207232dba60d0bdba030bca1) rule XProtect_MACOS_7c241b4 ; +v2150, AdLoad variant (84bebd83d649254d057899b1429c8fc2319452c6, b87fa95363843c72bab66a01f969500179205327, db462b80dd9aaa2db229f442842ac5a66875c2c9, ba41db111f638100ad16471e6463ada902a1e39b, c4d5933ce69081028b800cda7a60ce1c5dc9a3af) rule XProtect_MACOS_7ef4bab ; -v2141, +v2140 AdLoad variants (1172ca7b53c21ead825f759adf95e575690eb608, 
bf1a5982760305c48ce692c4a114c5182ad01713, 7fa689bba03d33403646f43843369d10998fb176, a8399681394c0e5773fe4939508b9dcf7077bf04, 26341b518d7cbb6e5a6d96ab357ca278e1f2d23d, 7d3cc10b998597855d6866a89dddf03e26be6411, 17a279322693102bfc0477484c57e6a56dc05e25) rule XProtect_MACOS_7f5b902 ; Genieo, PDFConverter4u Mach-O (a9f0135ba8ad120ba713cbad41b7b32972eebe7a) rule XProtect_MACOS_8032420 ; Genieo, MaxOfferDeal (variants like: com.company.InstallerShell, com.moods.happymoods, com.newscaster.forecast 3ebb809b282c845d2d786756c1b704413e3c18df, 3cfd68fbdfc5063a3dd5b7a83ffc318b5e1075e9, 9837c83a10be757408dab9a8a9a16aa15eb27a3f, 167ecb893eea006cab977a2983790779b66f784c, 7ed38f6c3e22ecbb06b049c38ca32b587c1b7d65, af80bf3985bbb3ccf1ed0c274059daa538303766, e5d286cdc91c9427e00fa7bf6be21dd6d375cf20) rule XProtect_MACOS_8283b86 ; AMC, techyutils (MacMechanic Pro f1a38916362ba48058f7b0aa0b89e9fdadc6251f) rule XProtect_MACOS_8340d93 ; Lazarus/NukeSped variant (890a0a0a751cf0f44c3e9eebf4c4d93aa76e09bdc8ffe29988ac4410ea60bf7d) rule XProtect_MACOS_889c9e6 (DUBROBBER.C) ; +v2140 XCSSET (xcassets variants: no matches on VT) rule XProtect_MACOS_8d038b3 ; Lazarus (UnionCrypto: e8f29f1e3f35a4f2c18be424551e280ed66b1dd7) rule XProtect_MACOS_8f20223 ; MacSearch (org.Safari.SearchAppExtension 006721efc9c44b32365070bed6c2b9a38cdf2ec3, 8a95602902e7a7466f270255b95725d0428c263c, dcbac1da2c13b35761d871b25900d85d9ab952f9, 013ae376f0b6957a6023ebb3eb55cb6824a89c4e, 9a0b46bcc997ccd6cb48ee6d3e465eb930e550f1) rule XProtect_MACOS_9bdf6ec ; AdLoad variants (00ba9ae62e3dc079f3d8b6ad436db7e4716a764f, eb7a9481f8a1b63f0d8d7314d077b035ba76137e, aa6dba06ee9299ac8c8e44607b1955a4bbdf0593, ba3ff57c51da31ebaff312108b58631682ee8801, 2ce3caf32cc5085f137c6d84962edc624f16699f, f167910f5c6e6686cec87d500b3fac7ba66d464a, 8c0d4b883932f454c7ae79523fccca7316870c1c) https://labs.sentinelone.com/how-adload-macos-malware-continues-to-adapt-evade/ rule XProtect_MACOS_9a3e9ed ; +v2153, changed v2154 FireSearch 
(e5cc62a162c6f8d02234be64eb51f7d1b2fdf84c3a037a590d65979404ba16da); MMInstall, MMUpdater, MyShopCoupon, SurfBuyer (05041dbb236108ea2dcb3c4ead1151b2de26929b, 54289f73f5843c4729bc1fdfa50cee1247ba5b31, 276f1274b9e655c6beb7c9c66c3a991d8af97a6c) rule XProtect_MACOS_9e2bab9 (DUBROBBER.B) ; +v2140 macOS.OSAMiner (1f68005ec2461b571744bebb8570f14ece546d1e, 800ef18045c4d0a448ad4f7bfe543308a3ef035a, f3c9ecc8484ce602493652a923e9afdbb5b1058 [39 hex characters, one short of a SHA-1; verify against the original report before searching on it], 93b2653a4259d9c04e5b780762dc4abc40c49d35, 0f44f24aa2e5a05134041fe54893865b9ede636e, fef7101396e50f300680abda7e464e5275f7daaf, cbea422e321131ef972e330f867edf9d1b5fc09c); https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/ rule XProtect_MACOS_a291b70 ; Genieo, PDFConverter4u (a9f0135ba8ad120ba713cbad41b7b32972eebe7a, a9231d016ffdb224ad972a1a4ce84f28e7f4318f) rule XProtect_MACOS_a9ea9b4 ; Bundlore (f3e546886993e6c3ad3a0455c85ca181dd9cd0f7, 8f036f78de578090207efc8c067dd63c3568e315) rule XProtect_MACOS_b17a97e ; Lazarus OSX.Cassoo/OSXAri (af42ff72986f73e983619440318c561ad2ad5c3e, 40d24649471551a5787d8b4404cdfcfe2d45d5c3, bf8dd8729325944224b7576cd8dce0ecc670603f, e6f3ff554f003752a21ede0ca0bfcce059afcc16, 9bbdc8b0b20e14bca949e82e12c66db4921b6d37); https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ rule XProtect_MACOS_b264ff6 ; AMC, AMCleaner (Mactonic, hlprnwamc: 9e72a3bdd0a4f80bfe43d32f7287bd4ae684c957, eae98132a7eea865c8a8667e1270ad84a72b9b6c, 6f2d4820a5ddcd7db9f7470f770379e202d617b8, 37d65439a1697613797d6336edd60de8e2a99c4e, ec97139be85513c20b6646d64bd0bb57c7f1e77d) rule XProtect_MACOS_b5bd028 ; +v2141 Bundlore (bf015894e6542d114c28ca5f5d8065ce27d9dae6, dceb36588f62652a1d28cddff595fa465c9eec0d, 76953668e7cf59507636673c504a40a44ce209c7) rule XProtect_MACOS_b70290c ; AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 
884054a35808b7e79abf4ecdba23d40a8322642d, 0c9bea512187c796d1a76addab58b7df05ac325f) rule XProtect_MACOS_bb90861 ; Lazarus / NukeSped (iContact.pkg: 9e3682c626d786cbfa2e33bc64c60397d2b057f4) rule XProtect_MACOS_bd64115 ; Lazarus / NukeSped (CoinGoTrade: c1ab302a314a29a42ccf5e226bc43f0c7722e079, 80923c208c2c821ed99e1ed8f50bd549598a210c) rule XProtect_MACOS_c592675 ; Pirrit (CallUtilDaemon, AppAssistDaemon: 1cfd91a89abf05faeea5bb785a2b289fc6969587) rule XProtect_MACOS_c723519 ; Lazarus / NukeSped (prtspool: 58b0516d28bd7218b1908fb266b8fe7582e22a5f) rule XProtect_MACOS_cb4abc2 ; Lazarus / DaclsRAT (SubMenu.nib: fa3deb60b8a2eaa29a7dccf14bee6adae81f442f) rule XProtect_MACOS.cbb1424 ; +v2161 WizardUpdate variant (e54c9bcc2601f5b4c1665003560cfcd4c3502cc4, f1e3bd6273748133f46140778aeeb1dc3ebe94c0, 35ca9983807ba9a03ad0fbd5dd7ac92d015f6e52, 9f5af92f2fb8a11d3de4f0ecabe449ce71234e0b) rule XProtect_MACOS_ce3281e ; Genieo, PDFConverter4u (no exact matches on VT) rule XProtect_MACOS_d1e06b8 ; (no exact matches on VT, but likely com.installcapital.www, like: 82f6bc529f48221c5e2609af1ee8f7e38112cbb9, d4609e1cee8ccbe6480a1d63a80766969d16fc2d, bb5581b0b0d9295a4decc42092fef8e595cbd361) rule XProtect_MACOS_d444820 ; Bundlore, Convuster (com.invisibilitys.kingliest: 817f729329283692755d4a57dd1963dff752f443) rule XProtect_MACOS_d4735e3 ; (no matches on VT for this rule) rule XProtect_MACOS_d92d83c ; MMInstall, com.mm-install-macos.www (no exact matches on VT for this rule) rule XProtect_MACOS_d98ded3 ; +v2141 Genieo, MaxOfferDeal (f1b092c1a49a70d552153cce9bfed90842e4c0a8, 202381794e8f01ef8b01ad38ead3bedbb7d7b79b, 6157ba9a7a7762a155a70eb0aa82a4bbff7d13f7, c6d22101b079695158fb0828338c517702fef5b3) rule XProtect_MACOS_da36796 ; +v2165 Meta Installer (c3ee8bfbf6cb3567b9caff44bcfb19fa86ba4939) rule XProtect_MACOS_de444f2 ; AdLoad-AD, OSX.Cimpli (d5aa02a6dec64532b65e887440b3a1b292e6b471, 2eae433cb9851d29902ca6c14875bab7e1e828dd, de8a1c35ec39395777539a5caab98b8fadcd32e4, 
884054a35808b7e79abf4ecdba23d40a8322642d, 0c9bea512187c796d1a76addab58b7df05ac325f) rule XProtect_MACOS_e150543 ; +v2157 OSX.Agent (c3ce7814f652d84f30e55b247b2a7dd520155b24, 45b08b7ccdeae23227bf1654e1813f21eb839d21, ae2b3d4c65988250aded3f99974ef5c3e79be29b, 991a32af2855fdc9604aeaddecbc6939212d30d5, 24815752d5f9b17f69a3b2d03badde8f8b3f48d6) rule XProtect_MACOS_e16be2c ; Pirrit (GSearch/QSearch Extension: 23d2daad85f94a06f635422f8ae349e58b26429e, 8f3f08522eea5a4eda218e1991b9b4e6a8c62e88, 9decd25aa0f61aee54c9e36570683f1d69b029dd, 420f54698fb41c607daa8448599bb0c12f76fda7, a3022a03937be25e301f6d92f9a2bc9efb55f1aa) rule XProtect_MACOS_e3548bb ; AdLoad (c4708467b25176c02b16fb1d3eead8be0adc2d05) rule XProtect_MACOS_e4644f7 ; com.xyz.xyInstaller (0/60 VT: 650c6349fadd52c87d9f32d13bca221dc681a3fd) rule XProtect_MACOS_e71e847 ; +v2159 SearchProxy, Synataeb (eea093d24823291edf4b24f561590fd5fe5d738d, f0a3ca0d2bc098705c8bb1fd6b853353a54d1443, b9e7d02cfef26becb0c800a48b3a1e9e2c54afeb, 7c31ad3f4e3b8b02449fc5d185810519307ca8f5, 3cdffca2c8815f59816deabc3333a6f624e04364) rule XProtect_MACOS_e79dc35 ; AdLoad (com.extrabrowser: 493aaed3779ce233b572a8206f1cbddf100c60ad) rule XProtect_MACOS.ef3df25 ; +v2144 Bundlore Script (scripts: 085a136c03f8b024a173068768c67b1a5ad928c1, 30ee4e65933106e7bc0baf4e56449e2683dedaae - payloads like: 20ac95c44549710a434902267394525333e96c0b, 04bed04e347f6889c140c4fe6cb137a54b9fc047) rule XProtect_MACOS_efb903b ; +v2158 OSX.Gimmick (macOS Macma variant; fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8) rule XProtect_MACOS_f3edc61 ; AMC, AMCleaner (MacMechanic: 9e72a3bdd0a4f80bfe43d32f7287bd4ae684c957, d6d636ea2ddf02c8db1b68d9ed1828bea627a68e) rule XProtect_MACOS_f4a3a92 ; Lazarus / NukeSped (.CrashReporter: cf5eaafb00b535af209fb95ed987d0964730cf17) rule XProtect_MACOS_f5d33c9 ; +v2150 Shlayer Dropper (e605ae3b2c530973e9132d9232056bd52de345d0,92e2d00427858b7ada910e73888cab7ca0dfc678, cf63d82f26f5383993146f86c6d421dab23d5198) rule XProtect_MACOS_fa6a259 ; Lazarus / 
NukeSped (TinkaOTP: a909cdb57132b9a928467540e2031b0d25fed39d, dfdcde21871beeb3e0fab040e6c51046b4cfd0ee) rule XProtect_MACOS_KEYSTEAL_A ; +v2166 KeySteal (ca985f4395e47f1bf9274013b36a0901343fc5a5, 5a8a7e665fdd7a422798d5c055c290fa8b7356d9, d85b6531843d5c29cc3bbb86e59d47249db89b9a) rule XProtect_MACOS_ADLOAD_WSS ; +v2173 Adload (5e75539a7e95ddf5f7579a88a13f17bd877de94d, c356fa85a65cfed3c7a7baaf13e0e9ee241c403c, 83ad9ee03c346c950a354b5095e7d19df75e9c06) rule XProtect_MACOS_BUNDLORE_E ; +v2174 Bundlore_E (fb58f01d5669ec4b20ef0c6c9e96c2bb52c1d8c8,c60294f6db5e4cda63bae609d6f2736d6da1506c,e050113f48ced876658743bf8422df88e81a5c4a,08527a3cd298720aa3565e0b8b90a5c6a4bb5a2f,f82c916552285920fcffb7cdb5685a6d7e6807b5) rule XProtect_MACOS_SOMA_A ; +v2173 Atomic Stealer (see https://s1.ai/amos) rule XProtect_MACOS_SOMA_C ; +v2173 Atomic Stealer (see https://s1.ai/amos) rule XProtect_OSX_28a9883 ; OSX.Agent (63d4726936b8d503c026472b2679222c0686413c, 36278457b37721e0798a35b6b9bae831ca0628b4, e4dacc2b8cc9673bd3a623eb1c27aabf617dcc6c, 470f43ede2fc3a2d553db94afb88fc3b5a68b962) rule XProtect_OSX_ATG15_B ; OceanLotus (0c16ba49cf87b42ff85dc87a045950fdefbffcae) https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/ rule XProtect_OSX_AceInstaller_B rule XProtect_OSX_Bundlore_D rule XProtect_OSX_Dok_A rule XProtect_OSX_Dok_B rule XProtect_OSX_Genieo_G rule XProtect_OSX_HMining_D rule XProtect_OSX_HiddenLotus_A rule XProtect_OSX_Leverage_A rule XProtect_OSX_Mughthesec_A rule XProtect_OSX_Mughthesec_B rule XProtect_OSX_Particle_Smasher_A rule XProtect_OSX_Proton_B rule XProtect_snowdrift ; CloudMensis/InkySquid +v2162 (c3e48c2a2d43c752121e55b909fc705fe4fdaef6, 9c13aaf9ab344d3904b02cd81bf73fc7f03b3bb3) https://www.sentinelone.com/labs/labscon-replay-inkysquid-the-missing-arsenal/ rule XcodeGhost