evilquest | 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b

Target

evilquest
Size

85KB
MD5

322f4fb8f257a2e651b128c41df92b1d
SHA1

efbb681a61967e6f5a811f8649ec26efe16f50ae
SHA256

5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b
SHA512

33c8cf815e4b37a3481c0ba4dfb14a4735a46575f6f70d5b351a8595e4ec8886224577c89c80d726f2e3d7cf2460d0cdd983379acb5fda0a9b7310f86c988e53

Score

10^/10

evilquest backdoor suricata

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest Payload 24 IoCs

resource	yara_rule
behavioral1/files/0x0000000300088700-0.dat	family_evilquest
behavioral1/files/0x0000000300088702-1.dat	family_evilquest
behavioral1/files/0x0000000300088704-2.dat	family_evilquest
behavioral1/files/0x0000000300088700-7.dat	family_evilquest
behavioral1/files/0x0000000300088704-8.dat	family_evilquest
behavioral1/files/0x0000000300088702-10.dat	family_evilquest
behavioral1/files/0x0000000300088718-11.dat	family_evilquest
behavioral1/files/0x0000000300088702-12.dat	family_evilquest
behavioral1/files/0x000000030008871a-13.dat	family_evilquest
behavioral1/files/0x0000000300088702-14.dat	family_evilquest
behavioral1/files/0x0000000300088692-16.dat	family_evilquest
behavioral1/files/0x0000000300088692-17.dat	family_evilquest
behavioral1/files/0x0000000300088700-18.dat	family_evilquest
behavioral1/files/0x0000000300088692-19.dat	family_evilquest
behavioral1/files/0x0000000300087d49-20.dat	family_evilquest
behavioral1/files/0x0000000300088692-21.dat	family_evilquest
behavioral1/files/0x0000000300088704-22.dat	family_evilquest
behavioral1/files/0x0000000300088692-23.dat	family_evilquest
behavioral1/files/0x0000000300082e25-24.dat	family_evilquest
behavioral1/files/0x0000000300088692-27.dat	family_evilquest
behavioral1/files/0x0000000300088700-28.dat	family_evilquest
behavioral1/files/0x0000000300087d49-29.dat	family_evilquest
behavioral1/files/0x0000000300088704-30.dat	family_evilquest
behavioral1/files/0x0000000300082e25-32.dat	family_evilquest

suricata: ET MALWARE ThiefQuest CnC Domain in DNS Lookup
suricata: ET MALWARE ThiefQuest CnC Domain in DNS Lookup
suricata

/bin/sh
sh -c "sudo /Users/run/evilquest"
1⤵
PID:484

/bin/bash
sh -c "sudo /Users/run/evilquest"
1⤵
PID:484

/usr/bin/sudo
sudo /Users/run/evilquest
1⤵
PID:484
- /Users/run/evilquest
  /Users/run/evilquest
  2⤵
  PID:487

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:499

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:499

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:499

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:501

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:501

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:502

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:502
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:503
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:505

/usr/libexec/xpcproxy
xpcproxy questd
1⤵
PID:504

/usr/bin/sudo
sudo /Library/AppQuest/com.apple.questd --silent
1⤵
PID:504
- /Library/AppQuest/com.apple.questd
  /Library/AppQuest/com.apple.questd --silent
  2⤵
  PID:507

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:506

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:506

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:506

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:508

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:508
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:509
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:510

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:511

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:511

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:511

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:512

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:512
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:513
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:514

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:515

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:515

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:515

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:516

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:516
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:517
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:518

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads