Concrete signature match: Trojan (appears legitimate but performs malicious actions), macOS platform, family Multiverze
Trojan:MacOS/Multiverze!rfn is a confirmed macOS Trojan (concrete detection, low FP risk) designed to communicate with external command and control (C2) domains like gpmce.net and booble.com, likely for data exfiltration or further instructions. Its binaries contain anomalous Windows-specific strings (e.g., MSVBVM60.DLL, registry run keys) which might indicate anti-analysis techniques or dormant multi-platform functionality.
Relevant strings associated with this threat:
- www.gpmce.net (PEHSTR_EXT)
- www.booble.com (PEHSTR_EXT)
- MSVBVM60.DLL (PEHSTR_EXT)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated hashes:
- 5b85fcb9789c2e5acafb527b1c5eadceb0767ca2d60b8730644b58f7f4b65981
- 4d751dd363298589cb436d78cd302f9d794ae1e3670722a464884be908671a9c

Isolate the infected macOS device, perform a full system scan with updated antivirus software to remove the Trojan, and block the identified C2 domains (gpmce.net, booble.com) at the network level. Review the system for any persistent malicious components and consider changing affected user credentials.