evilquest | e9c6463527fad82ce0f0c6f6f4f8c98295e336283513cbaff9a5f8a6629bd14f

Analysis

max time kernel
142s
max time network
152s
platform
macos_amd64
resource
macos-20220504-en
resource tags

arch:amd64arch:i386image:macos-20220504-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
23-10-2023 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
Size

168KB
MD5

2f90a486b290f8933a79044ae2cdd4d7
SHA1

550b38e2cb435da2b151affebc67401314434316
SHA256

e9c6463527fad82ce0f0c6f6f4f8c98295e336283513cbaff9a5f8a6629bd14f
SHA512

ec79c81294b786b1b351b4ae35a8c1a308bad984098f1f811b87474b474cee4d8e73443d852dd27020ab18e399e75f9c9d04feedf21182e8c054066f77168be1
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9uhrS0:5SeOQdaZNxtk8cqhSxvHY9u

Score

10^/10

evilquest backdoor

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00000003000896c9-0.dat	family_evilquest
behavioral1/files/0x00000003000896c9-2.dat	family_evilquest
behavioral1/files/0x0000000300089733-3.dat	family_evilquest
behavioral1/files/0x00000003000896c9-4.dat	family_evilquest
behavioral1/files/0x00000003000896c9-5.dat	family_evilquest
behavioral1/files/0x0000000300089735-6.dat	family_evilquest
behavioral1/files/0x0000000300089737-7.dat	family_evilquest

/usr/sbin/spctl
/usr/sbin/spctl --status
1⤵
PID:493

/usr/sbin/spctl
/usr/sbin/spctl --test-devid-status
1⤵
PID:495

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown\""
1⤵
PID:496

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown\""
1⤵
PID:496

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown\""
1⤵
PID:496

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
1⤵
PID:496

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
1⤵
PID:496
- /bin/zsh
  /bin/zsh -c /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
  2⤵
  PID:512
- /bin/zsh
  /bin/zsh -c /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
  2⤵
  PID:512
- /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
  /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
  2⤵
  PID:512
- /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
  /Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown
  2⤵
  PID:512

/usr/bin/syslog
/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
1⤵
PID:497

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:513

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:513

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:513

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:513

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:513

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/LaunchDaemons/com.apple.afsvcpd.plist

Filesize
442B

MD5
98ac9867a02942743223416bb55cb710

SHA1
96a0bddf25fa6587af228c1e1ccc8daefd921c64

SHA256
9c902e7c84016b5bb9839f9fbc44ad9a545a3e2770b56a94e6d8ca277111ef60

SHA512
190ca2fc3fef6d8be34777ce59287894a703f5f5aa9f70c9d3af876c58092a5de3d9a52ab0b8b2b56c528a82595954c07705602cdd46bdfffeef13303556db69

Download Submit
/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
dcce6ebd296fdf1827ae051c8bd587cc

SHA1
7d33c36a569d36f44fd79847bb38e18875766e45

SHA256
3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441

SHA512
afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

Download Submit
/Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist

Filesize
430B

MD5
3d269391b44f568c96f9f5a420609082

SHA1
e2d49405da7ba6f883b366f71b6905b6ab556cae

SHA256
261e6af4aec0840afe0b4c75c21353d7bc8d69ffb1d26db364f5475962381a12

SHA512
81ae24faac0d2973a90b7ec7415273f95789fbbdeae164df6ffab10bfdfc4896d6ecf4d9b09ca13b2a151a385c59f48594d7b3d0df3b49e3bbc056f15908432c

Download Submit
/Users/run/Library/com.apple.fmgd

Filesize
168KB

MD5
dcce6ebd296fdf1827ae051c8bd587cc

SHA1
7d33c36a569d36f44fd79847bb38e18875766e45

SHA256
3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441

SHA512
afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
dcce6ebd296fdf1827ae051c8bd587cc

SHA1
7d33c36a569d36f44fd79847bb38e18875766e45

SHA256
3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441

SHA512
afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

Download Submit
/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown

Filesize
168KB

MD5
dcce6ebd296fdf1827ae051c8bd587cc

SHA1
7d33c36a569d36f44fd79847bb38e18875766e45

SHA256
3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441

SHA512
afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

Download Submit
/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown

Filesize
168KB

MD5
dcce6ebd296fdf1827ae051c8bd587cc

SHA1
7d33c36a569d36f44fd79847bb38e18875766e45

SHA256
3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441

SHA512
afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

Download Submit
/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown

Filesize
168KB

MD5
dcce6ebd296fdf1827ae051c8bd587cc

SHA1
7d33c36a569d36f44fd79847bb38e18875766e45

SHA256
3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441

SHA512
afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

Download Submit
/Users/run/NEAS.2023-09-04_2f90a486b290f8933a79044ae2cdd4d7_adload_evilquest_JC.unknown

Filesize
168KB

MD5
dcce6ebd296fdf1827ae051c8bd587cc

SHA1
7d33c36a569d36f44fd79847bb38e18875766e45

SHA256
3bae7b70d222e768878db2d17292d4084e6c35990cfd4d32510262368ab3f441

SHA512
afdb4df9d58d91e5869a3976cb1557e0404bf2396652ff887b20289b1989c1251e3f4d8369407c51fffd19258bcf80d104fb266a1a5bda5ecccc65c6e488bb81

Download Submit
/private/etc/emond.d/rules/com.apple.afsvcpd.plist

Filesize
610B

MD5
3caf58748fbc551d38eca0afd5a82171

SHA1
5fb28536e2e2cc93744202afe7f763a7336cdca3

SHA256
62c02caab63b164c1264c41e92d76426a0c2f13abe3c94e0e89e1345a8149332

SHA512
cb6b65b928bf09d9cf1f46e81a08762d2332c7387aa9a2afd4e723b5a3c911bd7930b77deb17d68afeb21e17704c2d61d535aaa789208a10c58ac49be4cc3ff6

Download Submit
/private/tmp/eo/512

Filesize
28B

MD5
ff9256f01fa5c9704936b83a50415aef

SHA1
b33c11e80cb52e6098cb8bf951c305b913436a0b

SHA256
75652eaf6bc7678abd5f0e8f8e9eac1c190273e74c00e155e1b5cf341e2b786f

SHA512
a7e8dee15c839059eef237e5254d00e3a7d1b5a64459d418b33918c7d0bbd5214c27008ab16f9510c015d465663adbf642fb4b39e575a84404384e71e0598327

Download Submit
/private/tmp/eo/512

Filesize
28B

MD5
45a747786c65138e3085b1595325fc16

SHA1
0b86560fbbc6da2b5397677ba903a92ac635e61d

SHA256
11c3eb95be081ddf083cd5831e510cfdba5ebac9f638613349f13162e3ee65eb

SHA512
8dc663f76d27ce2553cc3ae8666bb56ecc36ff19d4b9eaf4d9e5a1c144866bf787be685cbc1fbb49c389bb3bdea7a4aebbd578170ec63cfa4e373278d36d1ebf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads