Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2023 15:08
Behavioral task
behavioral1
Sample
bSee.exe
Resource
win7-20231201-en
7 signatures
150 seconds
General
-
Target
bSee.exe
-
Size
348KB
-
MD5
629cefe795be0f1fd1ae952cc1eb79de
-
SHA1
faedb770efe20006272183a5f6e4c99e39754c12
-
SHA256
d47e620d1c305da86a151ae4e615aedcb53448c66808998251b407831d8f669b
-
SHA512
0d774ce706def61a647b02bad28e76ef1d16475ac0b89faf50901b0496fe46e730f857eb8755dc6880fbf0f7e119518cc0dd67d930c7037bb2d3f6b75d0fb5af
-
SSDEEP
6144:izNHXf500MJb3+/8baFioEbNX3OaHZ77T4RRC:8d50XLo+5XT4RRC
Malware Config
Extracted
Family
quasar
Version
1.3.0.0
Botnet
Office04
C2
nodetecton.ddns.net:5552
Mutex
QSR_MUTEX_PV7LCoiUmiwD1RBPCq
Attributes
-
encryption_key
eZUVZ8omJzgRh5woZARI
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/3164-0-0x0000000000170000-0x00000000001CE000-memory.dmp family_quasar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 27 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3164 bSee.exe