evilquest | d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791 | Triage

Submit
Reports

Overview

overview

Static

static

d21c1b9bc3...475791

macos_amd64

Analysis

max time network
151s
platform
macos_amd64
resource
macos
submitted
01-07-2021 16:21

Sharing

Static task

static1

Behavioral task

behavioral1

Sample

d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791

Resource

macos

evilquest backdoor

macos_amd64

0 signatures

0 seconds

Report Analysis Logs

General

Target

d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791
Size

8.0MB
MD5

add3676c0a7914d0d76dcd4150cda053
SHA1

92c0840e3ced4b4da8d6dcb7ed3354de16c91d69
SHA256

d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791
SHA512

7a753d02b943e6e0c33ce45ed649a4c9a594a41531a78e07a218500bf0dc8c21c0544755ad3529feb0c794bf7e431a0f48369e2e076561db7f81dfef758d7e5d

Score

10^/10

evilquest backdoor

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

Processes

/bin/sh
sh -c "sudo /Users/run/d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791"
1⤵
PID:466

/bin/bash
sh -c "sudo /Users/run/d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791"
1⤵
PID:466

/usr/bin/sudo
sudo /Users/run/d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791
1⤵
PID:466
- /Users/run/d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791
  /Users/run/d21c1b9bc31b758fe2722fa864d3955b792d7b8e84906d6fe0e44d5660475791
  2⤵
  PID:469

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:494

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:494

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:494

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:495

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:495

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:496

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:496
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:497
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:499

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:500

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:500

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:500

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:502

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:502
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:503
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:504

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:506

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:506
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:507
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:508

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:510

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:510
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:511
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:512

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:611

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:611

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:872

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

© 2018-2025

Terms | Privacy