An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps

Indicators of Compromise