216.73.217.50

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:39 · Modified 21/12/2025 00:45

Essential information

Value / Name: 93d92ec41cf618e0704784775953a38d66d47783
Confidence: 100/100
Revoked: Yes
Valid from: 22/06/2023 20:56
Valid until: 24/09/2024 20:56
Pattern type: yara
Published: 20/12/2025 19:39
Modified: 21/12/2025 00:45
Author / Source: AlienVault

Description

No description.

Pattern

rule MacOS_Hacktool_Swiftbelt {
    meta:
        author = "Elastic Security"
        creation_date = "2021-10-12"
        last_modified = "2021-10-25"
        threat_name = "MacOS.Hacktool.Swiftbelt"
        reference_sample = "452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1"
        os = "macos"
        arch_context = "x86"
        license = "Elastic License v2"

    strings:
        $dbg1 = "SwiftBelt/Sources/SwiftBelt"
        $dbg2 = "[-] Firefox places.sqlite database not found for user"
        $dbg3 = "[-] No security products found"
        $dbg4 = "SSH/AWS/gcloud Credentials Search:"
        $dbg5 = "[-] Could not open the Slack Cookies database"
        $sec1 = "[+] Malwarebytes A/V found on this host"
        $sec2 = "[+] Cisco AMP for endpoints found"
        $sec3 = "[+] SentinelOne agent running"
        $sec4 = "[+] Crowdstrike Falcon agent found"
        $sec5 = "[+] FireEye HX agent installed"
        $sec6 = "[+] Little snitch firewall found"
        $sec7 = "[+] ESET A/V installed"
        $sec8 = "[+] Carbon Black OSX Sensor installed"
        $sec9 = "/Library/Little Snitch"
        $sec10 = "/Library/FireEye/xagt"
        $sec11 = "/Library/CS/falcond"
        $sec12 = "/Library/Logs/PaloAltoNetworks/GlobalProtect"
        $sec13 = "/Library/Application Support/Malwarebytes"
        $sec14 = "/usr/local/bin/osqueryi"
        $sec15 = "/Library/Sophos Anti-Virus"
        $sec16 = "/Library/Objective-See/Lulu"
        $sec17 = "com.eset.remoteadministrator.agent"
        $sec18 = "/Applications/CarbonBlack/CbOsxSensorService"
        $sec19 = "/Applications/BlockBlock Helper.app"
        $sec20 = "/Applications/KextViewr.app"

    condition:
        6 of them
}

Labels / Tags

Labels: apache bitcoin hacktool jokerspy macos

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.