Malware Analysis Report

2024-11-13 15:45

Sample ID 241108-tv7wtsvgkg
Target 2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe
SHA256 99c56d67cc1b28ce8abcca58e52ec21f17e2534ef0d22f1674a4cde24ce88997
Tags
evilquest
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

99c56d67cc1b28ce8abcca58e52ec21f17e2534ef0d22f1674a4cde24ce88997

Threat Level: Known bad

The file 2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe was found to be: Known bad.

Malicious Activity Summary

evilquest

Evilquest family

EvilQuest payload

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-08 16:23

Signatures

EvilQuest payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Evilquest family

evilquest

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 16:23

Reported

2024-11-08 16:26

Platform

macos-20241101-en

Max time kernel

47s

Max time network

124s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe]

/bin/zsh

[/bin/zsh -c /Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe]

/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe

[/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

Network

Country   Destination   Domain                                    Proto
US        8.8.8.8:53    lb._dns-sd._udp.0.0.127.10.in-addr.arpa   udp
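Two things in the behavioral1 data are worth separating before reading the verdict: the only sample-originated activity the sandbox recorded is the `sysctl -n hw.ncpu` chain (reading the CPU count is a common host-fingerprinting step, and a low value is a classic VM tell), while the single DNS query is the `lb._dns-sd._udp.<reversed subnet>.in-addr.arpa` domain-enumeration lookup that mDNSResponder sends on macOS (RFC 6763 section 11), not sample traffic. The "Known bad" verdict here rests on the static EvilQuest payload signature; no behavioral signature fired. The script below is an added example, not part of this report or of the sandbox vendor's tooling: it re-types the Processes and Network rows above as constructed input and buckets them into launch-harness noise, OS-daemon noise, fingerprinting and DNS-SD noise. The `/Users/run/` harness path, the list of fingerprinting sysctl keys, and the treatment of the `/usr/libexec/` daemons as launchd-spawned rather than sample children are analyst assumptions, not facts stated on the page.

```python
import re

# Process rows copied from the behavioral1 section of this report: (image path, command line).
SAMPLE = "/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe"
PROCESSES = [
    ("/bin/sh",               f'sh -c sudo /bin/zsh -c "{SAMPLE}"'),
    ("/bin/bash",             f'sh -c sudo /bin/zsh -c "{SAMPLE}"'),
    ("/usr/bin/sudo",         f"sudo /bin/zsh -c {SAMPLE}"),
    ("/bin/zsh",              f"/bin/zsh -c {SAMPLE}"),
    (SAMPLE,                  SAMPLE),
    ("/bin/sh",               "sh -c sysctl -n hw.ncpu"),
    ("/bin/bash",             "sh -c sysctl -n hw.ncpu"),
    ("/usr/sbin/sysctl",      "sysctl -n hw.ncpu"),
    ("/usr/libexec/xpcproxy", "xpcproxy com.apple.sysmond"),
    ("/usr/libexec/sysmond",  "/usr/libexec/sysmond"),
]

# DNS row copied from the Network table: (country, destination, queried name, proto).
DNS_QUERIES = [("US", "8.8.8.8:53", "lb._dns-sd._udp.0.0.127.10.in-addr.arpa", "udp")]

# Assumption: the sandbox drops and launches samples under /Users/run/.
SANDBOX_DIR = "/Users/run/"

# Assumption: sysctl MIB names malware commonly reads to size up the host
# (core count, RAM, hardware model); a low hw.ncpu is a classic VM tell.
FINGERPRINT_KEYS = {"hw.ncpu", "hw.physicalcpu", "hw.logicalcpu", "hw.memsize",
                    "hw.model", "kern.boottime", "machdep.cpu.brand_string"}

# RFC 6763 section 11 domain-enumeration names that mDNSResponder queries for the
# host's own subnet: b/db/r/dr/lb._dns-sd._udp.<reversed subnet>.in-addr.arpa
DNS_SD_RE = re.compile(
    r"^(?:b|db|r|dr|lb)\._dns-sd\._udp\.(?P<rev>(?:\d{1,3}\.){4})in-addr\.arpa\.?$")


def sysctl_keys(cmdline):
    """Return the sysctl MIB names a command line queries, or [] if it is not a sysctl call."""
    toks = cmdline.split()
    if "sysctl" not in toks:
        return []
    return [t for t in toks[toks.index("sysctl") + 1:] if not t.startswith("-")]


def dns_sd_subnet(qname):
    """If qname is a DNS-SD domain-enumeration query, return the subnet it reverses, else None."""
    m = DNS_SD_RE.match(qname)
    if not m:
        return None
    octets = m.group("rev").rstrip(".").split(".")
    return ".".join(reversed(octets))


def classify_process(path, cmdline):
    """Bucket one process row: sample, launcher, fingerprint, os_service or other."""
    if path.startswith(SANDBOX_DIR):
        return "sample"
    if SANDBOX_DIR in cmdline:
        return "launcher"        # sh/bash/sudo/zsh chain the harness uses to start the sample
    if any(k in FINGERPRINT_KEYS for k in sysctl_keys(cmdline)):
        return "fingerprint"
    if path.startswith("/usr/libexec/"):
        return "os_service"      # assumption: launchd-spawned daemons, not children of the sample
    return "other"


def triage(processes=PROCESSES, dns=DNS_QUERIES):
    """Split the report rows into harness noise, OS noise and sample-attributable activity."""
    report = {"sample": [], "launcher": [], "fingerprint": [], "os_service": [], "other": [],
              "fingerprint_keys": set(), "dns_noise": [], "dns_review": []}
    for path, cmd in processes:
        bucket = classify_process(path, cmd)
        report[bucket].append(path)
        if bucket == "fingerprint":
            report["fingerprint_keys"].update(k for k in sysctl_keys(cmd) if k in FINGERPRINT_KEYS)
    for _country, dst, qname, _proto in dns:
        subnet = dns_sd_subnet(qname)
        if subnet:
            report["dns_noise"].append(f"{qname} -> {dst}: DNS-SD enumeration of {subnet}")
        else:
            report["dns_review"].append(f"{qname} -> {dst}")   # anything else needs a human look
    report["fingerprint_keys"] = sorted(report["fingerprint_keys"])
    return report


if __name__ == "__main__":
    for bucket, rows in triage().items():
        print(f"{bucket:17s} {rows}")
```

Run against the rows above, `triage()` leaves nothing in `other` or `dns_review`: four launcher processes, the sample itself, three processes forming the `hw.ncpu` fingerprint chain, two `/usr/libexec/` daemons, and one DNS-SD lookup for 10.127.0.0. Anything that lands in `other` or `dns_review` on a different report is the part an analyst should read first.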

Files

N/A