evilquest | b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f | Triage

Submit
Reports

Overview

overview

Static

static

b7b9b42059...e96c0f

macos_amd64

Analysis

max time network
150s
platform
macos_amd64
resource
macos
submitted
01-07-2021 16:28

Sharing

Static task

static1

Behavioral task

behavioral1

Sample

b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f

Resource

macos

evilquest backdoor

macos_amd64

0 signatures

0 seconds

Report Analysis Logs

General

Target

b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f
Size

17.0MB
MD5

99d11c62dac5ffb180b79787a2aab820
SHA1

9bed7f0e538c7d861638b5e55e069cec01f5cb3e
SHA256

b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f
SHA512

d579f61c307a7b6770a09be73e72c8ad8555ef770bc265b29f70ca77f445655bfdeb636733ae3f690167f1cd50a64ed2a58fd1c32e586dd2d6877aed69bca72a

Score

10^/10

evilquest backdoor

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

Processes

/bin/sh
sh -c "sudo /Users/run/b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f"
1⤵
PID:466

/bin/bash
sh -c "sudo /Users/run/b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f"
1⤵
PID:466

/usr/bin/sudo
sudo /Users/run/b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f
1⤵
PID:466
- /Users/run/b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f
  /Users/run/b7b9b42059b8da0146b4c43bec0e8c2fad8fc8fce4adf2787d49b68e38e96c0f
  2⤵
  PID:470

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:494

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:494

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:494

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:495

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:495

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:496

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:496
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:497
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:499

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:500

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:500

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:500

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:501

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:501
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:502
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:503

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:507

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:507
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:508
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:509

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:511

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:511
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:512
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:613

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:613

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:880

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

© 2018-2024

Terms | Privacy