Beyond the wail: deconstructing the BANSHEE infostealer — Elastic Security Labs
Common Information
Type Value
UUID 30ddfb3c-91a0-49d5-ba61-5e8ca92adb65
Fingerprint a518e810675fa795
Analysis status DONE
Considered CTI value 0
Text language
Published Aug. 15, 2024, midnight
Added to db Aug. 31, 2024, 9:31 a.m.
Last updated Oct. 16, 2024, 1:15 a.m.
Headline Beyond the wail: deconstructing the BANSHEE infostealer
Title Beyond the wail: deconstructing the BANSHEE infostealer — Elastic Security Labs
Detected Hints/Tags/Attributes 51/3/13
RSS Feed
Id   Enabled   Feed title              Url                                                   Added to db
306            Elastic Security Labs   https://www.elastic.co/security-labs/rss/feed.xml     2024-08-30 22:08
Attributes
Type        #Events   Value
Domain      1         freeipapi.com
File        1         controller.cpp
File        1         browsers.cpp
File        2         system.cpp
File        1         tools.cpp
File        1         wallets.cpp
File        1         system_info.json
File        13        login.key
File        1         macos.inf
sha256      2         11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782
IPv4        3         45.142.122.92
Url         1         http://45.142.122.92/send
Yara rule   1         (rule text follows)
rule Macos_Infostealer_Banshee {
	meta:
		author = "Elastic Security"
		creation_date = "2024-08-13"
		last_modified = "2024-08-13"
		os = "MacOS"
		arch = "x86, arm64"
		category_type = "Infostealer"
		family = "Banshee"
		threat_name = "Macos.Infostealer.Banshee"
		license = "Elastic License v2"
	strings:
		$str_0 = "No debugging, VM, or Russian language detected." ascii fullword
		$str_1 = "Remote IP: " ascii fullword
		$str_2 = "Russian language detected!" ascii fullword
		$str_3 = " is empty or does not exist, skipping." ascii fullword
		$str_4 = "Data posted successfully" ascii fullword
		$binary_0 = { 8B 55 BC 0F BE 08 31 D1 88 08 48 8B 45 D8 48 83 C0 01 48 89 45 D8 E9 }
		$binary_1 = { 48 83 EC 60 48 89 7D C8 48 89 F8 48 89 45 D0 48 89 7D F8 48 89 75 F0 48 89 55 E8 C6 45 E7 00 }
	condition:
		all of ($str_*) or all of ($binary_*)
}