Analysis Overview
SHA256
99c56d67cc1b28ce8abcca58e52ec21f17e2534ef0d22f1674a4cde24ce88997
Threat Level: Known bad
The file 2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe was found to be: Known bad.
Malicious Activity Summary
Evilquest family
EvilQuest payload
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-08 16:23
Signatures
EvilQuest payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Evilquest family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 16:23
Reported
2024-11-08 16:26
Platform
macos-20241101-en
Max time kernel
47s
Max time network
124s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe]
/bin/zsh
[/bin/zsh -c /Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe]
/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe
[/Users/run/2024-11-08_6725d177815cec308e83863870a38943_adload_evilquest_rekoobe]
/bin/sh
[sh -c sysctl -n hw.ncpu]
/bin/bash
[sh -c sysctl -n hw.ncpu]
/usr/sbin/sysctl
[sysctl -n hw.ncpu]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |