Indicator (IOC)
Essential information
- Value / Name
93d92ec41cf618e0704784775953a38d66d47783- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 22/06/2023 20:56
- Valid until
- 24/09/2024 20:56
- Pattern type
- yara
- Published
- 20/12/2025 19:39
- Modified
- 21/12/2025 00:45
- Author / Source
- AlienVault
Description
No description.
Pattern
rule MacOS_Hacktool_Swiftbelt {
meta:
author = "Elastic Security"
creation_date = "2021-10-12"
last_modified = "2021-10-25"
threat_name = "MacOS.Hacktool.Swiftbelt"
reference_sample = "452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1"
os = "macos"
arch_context = "x86"
license = "Elastic License v2"
strings:
$dbg1 = "SwiftBelt/Sources/SwiftBelt"
$dbg2 = "[-] Firefox places.sqlite database not found for user"
$dbg3 = "[-] No security products found"
$dbg4 = "SSH/AWS/gcloud Credentials Search:"
$dbg5 = "[-] Could not open the Slack Cookies database"
$sec1 = "[+] Malwarebytes A/V found on this host"
$sec2 = "[+] Cisco AMP for endpoints found"
$sec3 = "[+] SentinelOne agent running"
$sec4 = "[+] Crowdstrike Falcon agent found"
$sec5 = "[+] FireEye HX agent installed"
$sec6 = "[+] Little snitch firewall found"
$sec7 = "[+] ESET A/V installed"
$sec8 = "[+] Carbon Black OSX Sensor installed"
$sec9 = "/Library/Little Snitch"
$sec10 = "/Library/FireEye/xagt"
$sec11 = "/Library/CS/falcond"
$sec12 = "/Library/Logs/PaloAltoNetworks/GlobalProtect"
$sec13 = "/Library/Application Support/Malwarebytes"
$sec14 = "/usr/local/bin/osqueryi"
$sec15 = "/Library/Sophos Anti-Virus"
$sec16 = "/Library/Objective-See/Lulu"
$sec17 = "com.eset.remoteadministrator.agent"
$sec18 = "/Applications/CarbonBlack/CbOsxSensorService"
$sec19 = "/Applications/BlockBlock Helper.app"
$sec20 = "/Applications/KextViewr.app"
condition:
6 of them
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.