Banshee: The Stealer That "Stole Code" From MacOS XProtect - Check Point Research
Common Information
Type Value
UUID 3a7ce7ab-28a9-4909-852e-7e8d6f9e2bd8
Fingerprint 2d943913ab16a7d1
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 9, 2025, 2:08 p.m.
Added to db Jan. 9, 2025, 3:12 p.m.
Last updated Jan. 19, 2025, 10:17 a.m.
Headline Banshee: The Stealer That “Stole Code” From MacOS XProtect
Title Banshee: The Stealer That "Stole Code" From MacOS XProtect - Check Point Research
Detected Hints/Tags/Attributes 100/4/144
RSS Feed
Id Enabled Feed title Url Added to db
158 Malware Analysis, News and Indicators - Latest topics https://malware.news/latest.rss 2024-08-30 22:08
515 Check Point Research https://research.checkpoint.com/feed/ 2024-09-01 15:09
Attributes
Details Yara rule 2
// Matches Mach-O binaries by their 4-byte magic number at file offset 0.
// uint32() in YARA reads little-endian, so the on-disk byte order is reversed here.
rule macos_binary {
	meta:
		author = "Antonis Terefos @Tera0017/@Check Point Research"
		descr = "MacOS file format"
	condition:
		uint32(0) == 0xFEEDFACE or    // 32-bit Mach-O (bytes CE FA ED FE)
		uint32(0) == 0xFEEDFACF or    // 64-bit Mach-O (bytes CF FA ED FE)
		uint32(0) == 0xBEBAFECA       // Universal/fat binary (bytes CA FE BA BE)
}