{
	"id": "f58384da-f0f1-4737-a829-286db288ebd2",
	"created_at": "2026-04-06T00:10:20.973224Z",
	"updated_at": "2026-04-10T03:22:06.380392Z",
	"deleted_at": null,
	"sha1_hash": "09c742937a65d5be9b7c683d847f583cf4f6a2bb",
	"title": "Group Photos.zip OSX/Revir | OSX/iMuler samples March 2012-November 2012",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 151657,
	"plain_text": "Group Photos.zip OSX/Revir | OSX/iMuler samples March 2012-November 2012\r\nArchived: 2026-04-05 20:30:56 UTC\r\nSophos posted information about a variant of the iMuler OSX trojan targeting Tibet activists (New variant of Mac Trojan discovered, targeting Tibet) and posted the MD5 2d84bfbae1f1b7ab0fc1ca9dd372d35e of the trojan's FileAgent executable (37.3 KB).\r\nThis post is for the actual dropper, which is the full 1.9 MB package (Group photo.zip, MD5: 9e34256ded3a2ead43f7a51b9f197937).\r\nI don't have a Mac OS VM handy tonight to provide more details about the traffic or behavior, so I will just describe the package and post the previous version of the same trojan, which was targeting fans of Russian topless models.\r\nDownload\r\nOctober 2012\r\nFile: Group photo.zip Size: 1976395\r\nMD5:  9E34256DED3A2EAD43F7A51B9F197937\r\n1. 7dba3a178662e7ff904d12f260f0fff3 (installer)\r\n2. 9d2462920fdaed5e360875fb0cf8274f (malicious payload)\r\n3. D029E0D44F07F9F4566B0FCE93D8A17E (payload variant)\r\n4. e00a280ad29440dcaab42ad093bcaafd (uploader module)\r\nFile Information\r\nJust like the previous version of iMuler, this trojan hides inside a zip package as application bundles (.app) disguised as photos. On a default Mac OS install the .app extension is hidden, so the bundles show up like any image file - see above. Opening one of them runs the bundle and installs the trojan.
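\r\nA triage check for this disguise, added here as an example and not code from the original post: it opens a zip, finds every .app bundle inside, flags bundles with a camera-style name (DSC08381) or an image extension in front of .app, lists hidden files in Contents/MacOS, and hashes the Mach-O executable against the FileAgent MD5 given above. The archive it builds is constructed for the demonstration (a universal-binary header plus filler, not the real FileAgent), so its hash will not match the indicator; the name prefixes and image extensions are my assumptions about common lures.

```python
import hashlib
import io
import zipfile

# Indicator from the post: MD5 of the FileAgent executable found in each .app bundle.
KNOWN_FILEAGENT_MD5 = '2d84bfbae1f1b7ab0fc1ca9dd372d35e'

# First four bytes of a Mach-O or universal (fat) binary, as stored on disk.
MACHO_MAGICS = {
    bytes([0xca, 0xfe, 0xba, 0xbe]),  # FAT_MAGIC: universal binary (the sample carries i386 + ppc)
    bytes([0xce, 0xfa, 0xed, 0xfe]),  # MH_MAGIC, little-endian (i386)
    bytes([0xcf, 0xfa, 0xed, 0xfe]),  # MH_MAGIC_64, little-endian (x86_64)
    bytes([0xfe, 0xed, 0xfa, 0xce]),  # MH_MAGIC, big-endian (ppc)
}

# Assumed lure patterns: camera-style file names and image extensions ahead of .app.
PHOTO_PREFIXES = ('DSC', 'DSCN', 'IMG_', 'DCIM')
IMAGE_EXTS = {'JPG', 'JPEG', 'PNG', 'GIF', 'TIF', 'TIFF', 'BMP'}


def looks_like_photo_name(stem):
    # stem is the bundle name without its .app suffix, e.g. DSC08381 or beach.jpg
    s = stem.upper()
    for prefix in PHOTO_PREFIXES:
        if s.startswith(prefix) and s[len(prefix):].isdigit():
            return True
    if '.' in s and s.rsplit('.', 1)[1] in IMAGE_EXTS:
        return True
    return False


def scan_zip_bytes(zip_bytes):
    # Returns {bundle name: {photo_like_name, hidden_files, executables {name: md5}}}
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.split('/')
            app_idx = None
            for i, part in enumerate(parts):
                if part.lower().endswith('.app'):
                    app_idx = i
                    break
            if app_idx is None:
                continue  # not inside an application bundle
            bundle = parts[app_idx]
            entry = findings.setdefault(bundle, {
                'photo_like_name': looks_like_photo_name(bundle[:-4]),
                'hidden_files': [],
                'executables': {},
            })
            rest = parts[app_idx + 1:]
            # Contents/MacOS/ is where the executable (and, in this sample, the dot-files) live.
            if len(rest) == 3 and rest[0] == 'Contents' and rest[1] == 'MacOS':
                name = rest[2]
                if name.startswith('.'):
                    entry['hidden_files'].append(name)
                    continue
                data = zf.read(info)
                if data[:4] in MACHO_MAGICS:
                    entry['executables'][name] = hashlib.md5(data).hexdigest()
    return findings


def verdict(findings):
    # List of (bundle, reasons) for bundles worth a closer look.
    hits = []
    for bundle, entry in findings.items():
        reasons = []
        if entry['photo_like_name']:
            reasons.append('application bundle named like a photo')
        if entry['hidden_files']:
            reasons.append('hidden files in Contents/MacOS: ' + ', '.join(sorted(entry['hidden_files'])))
        for name, digest in entry['executables'].items():
            if digest == KNOWN_FILEAGENT_MD5:
                reasons.append(name + ' matches the known FileAgent MD5')
        if reasons:
            hits.append((bundle, reasons))
    return hits


def build_sample_zip():
    # Constructed stand-in for Group photo.zip: one bundle laid out like the listing
    # in the post plus one plain JPEG. The FileAgent bytes are filler, not the malware.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        base = 'DSC08381.app/Contents/'
        zf.writestr(base + 'Info.plist', b'plist placeholder (constructed)')
        zf.writestr(base + 'PkgInfo', b'APPL????')
        zf.writestr(base + 'MacOS/.cnf', b'constructed config blob')
        zf.writestr(base + 'MacOS/.confr', bytes([0xff, 0xd8, 0xff, 0xe0]) + b' decoy image (constructed)')
        zf.writestr(base + 'MacOS/.conft', b'constructed')
        zf.writestr(base + 'MacOS/FileAgent', bytes([0xca, 0xfe, 0xba, 0xbe]) + b' filler (constructed)')
        zf.writestr(base + 'Resources/co.icns', b'icns placeholder (constructed)')
        zf.writestr('DSC08382.jpg', bytes([0xff, 0xd8, 0xff, 0xe0]) + b' plain photo (constructed)')
    return buf.getvalue()


if __name__ == '__main__':
    for bundle, reasons in verdict(scan_zip_bytes(build_sample_zip())):
        print(bundle)
        for r in reasons:
            print('  - ' + r)
```

Run as a script it reports the constructed archive; pass the bytes of a real archive to scan_zip_bytes to triage it. Against the real Group photo.zip the three DSC*.app bundles would each be reported for the photo-style name, the .cnf/.confr/.conft hidden files and a FileAgent matching the MD5.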
\r\nThe screenshot made on Windows and the file listing show clearly that these are not just images.\r\nhttp://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html\r\nPage 1 of 9\n\n├───DSC08381.app\r\n│   └───Contents\r\n│       │   Info.plist\r\n│       │   PkgInfo\r\n│       │\r\n│       ├───MacOS\r\n│       │       .cnf\r\n│       │       .confr  \u003c\u003c\u003c\u003c Image file\r\n│       │       .conft\r\n│       │       FileAgent    \u003c\u003c\u003c\u003c MD5:  2D84BFBAE1F1B7AB0FC1CA9DD372D35E  (Virustotal 6/44)\r\n│       │\r\n│       └───Resources\r\n│           │   co.icns\r\n│           │\r\n│           └───English.lproj\r\n│                   InfoPlist.strings\r\n│                   MainMenu.nib\r\n│\r\n├───DSC08387.app\r\n│   └───Contents\r\n│       │   Info.plist\r\n│       │   PkgInfo\r\n│       │\r\n│       ├───MacOS\r\n│       │       .cnf\r\n│       │       .confr   \u003c\u003c\u003c\u003c Image file\r\n│       │       .conft\r\n│       │       FileAgent  \u003c\u003c\u003c\u003c MD5:  2D84BFBAE1F1B7AB0FC1CA9DD372D35E  (Virustotal 6/44)\r\n│       │\r\n│       └───Resources\r\n│           │   co.icns\r\n│           │\r\n│           └───English.lproj\r\n│                   InfoPlist.strings\r\n│                   MainMenu.nib\r\n│\r\n└───DSC08511.app\r\n    └───Contents\r\n        │   Info.plist\r\n        │   PkgInfo\r\n        │\r\n        ├───MacOS\r\n        │       .cnf\r\n        │       .confr  \u003c\u003c\u003c\u003c Image file\r\n        │       .conft\r\n        │       FileAgent  \u003c\u003c\u003c\u003c MD5:  2D84BFBAE1F1B7AB0FC1CA9DD372D35E  (Virustotal 6/44)\r\n        │\r\n        └───Resources\r\n            │   co.icns\r\n            │\r\n            └───English.lproj\r\n                    InfoPlist.strings\r\n
                    MainMenu.nib\r\nFile: FileAgent\r\nMD5:  2d84bfbae1f1b7ab0fc1ca9dd372d35e\r\nSize: 38212\r\nAscii Strings:\r\n---------------------------------------------------------------------------\r\n__PAGEZERO\r\n__TEXT\r\n__text\r\n__TEXT\r\n__cstring\r\n__TEXT\r\n__DATA\r\n__data\r\n__DATA\r\n__dyld\r\n__DATA\r\n__OBJC\r\n__image_info\r\n__OBJC\r\n__IMPORT\r\n__jump_table\r\n__IMPORT\r\n__LINKEDIT\r\n/usr/lib/dyld\r\n/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa\r\n/usr/lib/libcrypto.0.9.7.dylib\r\n/usr/lib/libgcc_s.1.dylib\r\n/usr/lib/libSystem.B.dylib\r\nFILE\r\nAGEN\r\nTVer\r\n.conf\r\n.conf\r\n.cnf\r\nTMPA\r\nAABBf\r\n/tmp\r\n/Spo\r\ntligf\r\n/tmpf\r\nTMPA\r\nAABBf\r\nrm -\r\nrf \"\r\n/tmp\r\n/tmp/Spotlight\r\n/tmp/Spotlight\u0026\r\n/tmp/launch-ICS000\r\n#!/bin/sh\r\nopen \"\r\ndyld_stub_binding_helper\r\n__dyld_func_lookup\r\n_init_daemon\r\n_encryptFile\r\n_copyfile\r\n_main\r\n_NXArgc\r\n_NXArgv\r\n___progname\r\n__mh_execute_header\r\n_environ\r\nstart\r\n_RC4\r\n_RC4_set_key\r\n_access\r\n_chdir\r\n_chmod$UNIX2003\r\n_close$UNIX2003\r\n_exit\r\n_fclose\r\n_fopen\r\n_fork\r\n_fread\r\n_free\r\n_fwrite$UNIX2003\r\n_malloc\r\n_memset\r\n_setsid\r\n_strcat\r\n_strcpy\r\n_strlen\r\n_system$UNIX2003\r\n_umask\r\n/Users/imac/Desktop/macback/FileAgent/main.m\r\n/Users/imac/Desktop/macback/FileAgent/build/FileAgent.build/Release/FileAgent.build/Objects-normal/i386/main.o\r\n_init_daemon\r\n_encryptFile\r\n_copyfile\r\n_main\r\n8__PAGEZERO\r\n__TEXT\r\n__text\r\n__TEXT\r\n__symbol_stub1\r\n__TEXT\r\n__cstring\r\n__TEXT\r\n__DATA\r\n__data\r\n__DATA\r\n__dyld\r\n__DATA\r\n__la_symbol_ptr\r\n__DATA\r\n|__OBJC\r\n__image_info\r\n__OBJC\r\n8__LINKEDIT\r\n/usr/lib/dyld\r\n/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa\r\n/usr/lib/libcrypto.0.9.7.dylib\r\n/usr/lib/libgcc_s.1.dylib\r\n/usr/lib/libSystem.B.dylib\r\n+x8B\r\nP8`(\r\nx8`(\r\n#x|~\r\n /tmp\r\nFILEAGENTVer1.0\r\n.confr\r\n.conft\r\n.cnf\r\nTMPAAABBB\r\n/tmp/Spotlight\r\n/tmp/Spotlight\u0026\r\n/tmp/\r\n/tmp/launch-ICS000\r\n#!/bin/sh\r\nopen \"\r\nrm -rf \"\r\ndyld_stub_binding_helper\r\n__dyld_func_lookup\r\n_init_daemon\r\n_encryptFile\r\n_copyfile\r\n_main\r\n_NXArgc\r\n_NXArgv\r\n___progname\r\n__mh_execute_header\r\n_environ\r\nstart\r\n_RC4\r\n_RC4_set_key\r\n_access\r\n_chdir\r\n_chmod$UNIX2003\r\n_close$UNIX2003\r\n_exit\r\n_fclose\r\n_fopen\r\n_fork\r\n_fread\r\n_free\r\n_fwrite$UNIX2003\r\n_malloc\r\n_memset\r\n_setsid\r\n_strcat\r\n_strcpy\r\n_strlen\r\n_system$UNIX2003\r\n_umask\r\n/Users/imac/Desktop/macback/FileAgent/main.m\r\n/Users/imac/Desktop/macback/FileAgent/build/FileAgent.build/Release/FileAgent.build/Objects-normal/ppc/main.o\r\n_init_daemon\r\n_encryptFile\r\n_copyfile\r\n_main\r\nUnicode Strings:\r\n---------------------------------------------------------------------------\r\n\r\nAutomatic scans\r\nDropper\r\nhttps://www.virustotal.com/file/da7a5e69f1d5e4f77321b90b6153b84daed74d784e5ce016053fec7fcf5aea0a/analysis/1352874459\r\nSHA256: da7a5e69f1d5e4f77321b90b6153b84daed74d784e5ce016053fec7fcf5aea0a\r\nSHA1: b70505e0e8607b94f1f8437f8298d907168d37d5\r\nMD5: 9e34256ded3a2ead43f7a51b9f197937\r\nFile size: 1.9 MB ( 1976395 bytes )\r\nFile name: vti-rescan\r\nFile type: ZIP\r\nDetection ratio: 6 / 44\r\nAnalysis date: 2012-11-14 06:27:39 UTC ( 0 minutes ago )\r\nDrWeb Trojan.Muxler.7 20121114\r\nESET-NOD32 OSX/Imuler.E 20121113\r\nF-Secure Trojan-Dropper:OSX/Revir.D 20121114\r\nSophos OSX/Imuler-B 20121114\r\nTrendMicro OSX_IMULER.D 20121114\r\nTrendMicro-HouseCall OSX_IMULER.D 20121114\r\nFileAgent\r\nhttps://www.virustotal.com/file/574bf26b5da7b8c400d85e48fad3c9ab3ff6fa432f80b46d3bd509940b04f373/analysis/\r\nSHA256: 574bf26b5da7b8c400d85e48fad3c9ab3ff6fa432f80b46d3bd509940b04f373\r\nSHA1: 782312db766a42337af30093a2fd358eeed97f53\r\nMD5: 2d84bfbae1f1b7ab0fc1ca9dd372d35e\r\nFile size: 37.3 KB ( 38212 bytes )\r\nFile name: vti-rescan\r\nFile type: unknown\r\nDetection ratio: 6 / 44\r\nAnalysis date: 2012-11-13 20:41:37 UTC ( 9 hours, 8 minutes ago )\r\nDrWeb Trojan.Muxler.7 20121113\r\nESET-NOD32 OSX/Imuler.E 20121113\r\nF-Secure Trojan-Dropper:OSX/Revir.D 20121113\r\nSophos OSX/Imuler-B 20121113\r\nTrendMicro OSX_IMULER.D 20121113\r\nTrendMicro-HouseCall OSX_IMULER.D 20121113\r\nSource: http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html"
	],
	"report_names": [
		"group-photoszip-osxrevir-osximuler.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434220,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09c742937a65d5be9b7c683d847f583cf4f6a2bb.pdf",
		"text": "https://archive.orkl.eu/09c742937a65d5be9b7c683d847f583cf4f6a2bb.txt",
		"img": "https://archive.orkl.eu/09c742937a65d5be9b7c683d847f583cf4f6a2bb.jpg"
	}
}