{
	"id": "1b9248ed-05dd-464c-b300-43b8470b1659",
	"created_at": "2026-04-06T00:13:17.722129Z",
	"updated_at": "2026-04-10T03:21:17.495224Z",
	"deleted_at": null,
	"sha1_hash": "9841529d4fd5b7137fb877acfb44911e01a79813",
	"title": "OSX/Flashback.O sample + some domains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41374,
	"plain_text": "OSX/Flashback.O sample + some domains\r\nArchived: 2026-04-06 00:03:35 UTC\r\n1. A few hours after I posted the Flashback.K, someone anonymously uploaded a Flashback.O sample (thank you very much!), which I am posting below. Like in the first case, it is a payload binary from a victim, not the downloader, which makes it impossible to install. If you succeed or have a binary that installs, please share. I personally have not tried to run them yet, did not have a vm.\r\n2. Matt Thompson from Unveillance emailed his comments about the Flashback.K sample; please see the quote below.\r\n3. Update April 11 - I will put domains and URLs in a separate post because they relate to various versions of Flashback, not v.40/O\r\nDownload\r\nFrom Matt Thompson regarding the previous Flashback.K\r\nThis is the exact payload binary I have been working with.\r\nI extracted the x86_64 architecture into a thin binary.\r\nAt 0x10000158e it sets up an RC4 identity S-box.\r\nAt 0x1000015b2 it starts the RC4 KSA mix with the Hardware UUID. r9 contains the pointer to the UUID string.\r\n0x1000041f0 contains the ciphertext length.\r\n0x100004200 is the beginning of 4275 bytes of ciphertext.\r\n0x1000041e8 contains a flag indicating if the data block is encrypted or not. If this is set to 1 the code just memcpy()'s the data into a malloc'd buffer rather than decrypting with RC4.\r\nIf the Hardware UUID were available from the machine that downloaded this binary, it would be trivial to write the plaintext back into the binary and set 0x1000041e8 to 1.\r\nAutomated Scans\r\nVirustotal\r\nSHA256:     228be46149dd6efe9c57c881cc057d5dc1cfb759f9e9be8445f1d9d2d68875b3\r\nSHA1:     62121738530d17292a75d17421bcd76a4051cad8\r\nMD5:     782c4d24d406538498c1fb79fa0f6d62\r\nFile size:     394.2 KB ( 403676 bytes )\r\nhttp://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html\r\nPage 1 of 3\r\nFile name:     FlashBack.O_ 782C4D24D406538498C1FB79FA0F6D62\r\nFile type:     unknown\r\nDetection ratio:     19 / 42\r\nAnalysis date:     2012-04-11 01:15:36 UTC ( 38 minutes ago )\r\nAntiy-AVL     Trojan/OSX.Flashfake     20120410\r\nBitDefender     MAC.OSX.Trojan.FlashBack.O     20120411\r\nClamAV     OSX.Flashback-12     20120411\r\nComodo     UnclassifiedMalware     20120410\r\nDrWeb     BackDoor.Flashback.40     20120411\r\nEmsisoft     Trojan-Downloader.OSX.Flashfake!IK     20120410\r\nF-Secure     MAC.OSX.Trojan.FlashBack.O     20120410\r\nFortinet     OSX/Flshplyr.A     20120411\r\nGData     MAC.OSX.Trojan.FlashBack.O     20120411\r\nIkarus     Trojan-Downloader.OSX.Flashfake     20120411\r\nJiangmin     TrojanDownloader.OSX.w     20120410\r\nKaspersky     Trojan-Downloader.OSX.Flashfake.ae     20120410\r\nMicrosoft     Backdoor:MacOS_X/Flashback.E     20120411\r\nNOD32     OSX/Flashback.I     20120410\r\nnProtect     MAC.OSX.Trojan.FlashBack.O     20120410\r\nSophos     OSX/Flshplyr-A     20120411\r\nSymantec     OSX.Flashback.K     20120411\r\nTheHacker     -     20120410\r\nTrendMicro     OSX_FLASHBACK.A     20120411\r\nTrendMicro-HouseCall     OSX_FLASHBACK.A     20120411\r\n6144:7tC8qm/SOIMr5lGsl1SFBu5w7FyR5ifPhebUUCNQQFJHvC4SODuanMiiK:Rvqw5lGsl1SFBuVRAZGUUCeQnvR52K\r\nTrID\r\nJava Bytecode (53.2%)\r\nMac OS X Universal Binary executable (35.5%)\r\nHSC music composer song (11.2%)\r\nExifTool\r\nMIMEType.................: application/octet-stream\r\nFileType.................: Mach-O fat binary executable\r\nCPUCount.................: 2\r\nObjectFileType...........: Dynamically bound shared library\r\nCPUType..................: x86 64-bit, x86\r\nCPUSubtype...............: i386 (all) 64-bit, i386 (all)\r\nFirst seen by VirusTotal\r\n2012-04-05 17:06:28 UTC ( 5 days, 8 hours ago )\r\nLast seen by VirusTotal\r\n2012-04-11 01:15:36 UTC ( 38 minutes ago )\r\nFile names (max. 25)\r\n   1. FlashBack.O_ 782C4D24D406538498C1FB79FA0F6D62\r\nSource: http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html"
	],
	"report_names": [
		"osxflashbacko-sample-some-domains.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434397,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9841529d4fd5b7137fb877acfb44911e01a79813.pdf",
		"text": "https://archive.orkl.eu/9841529d4fd5b7137fb877acfb44911e01a79813.txt",
		"img": "https://archive.orkl.eu/9841529d4fd5b7137fb877acfb44911e01a79813.jpg"
	}
}