Malware Analysis Report

2025-01-18 04:25

Sample ID: 231202-sjrj2adf57
Target: bSee.exe
SHA256: d47e620d1c305da86a151ae4e615aedcb53448c66808998251b407831d8f669b
Tags: office04 quasar spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d47e620d1c305da86a151ae4e615aedcb53448c66808998251b407831d8f669b

Threat Level: Known bad

The file bSee.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar family

Quasar payload

Quasar RAT

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-02 15:09

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-02 15:09
Reported: 2023-12-02 15:12
Platform: win7-20231130-en
Max time kernel: 146s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bSee.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2520 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2520 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2520 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2520 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2520 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2520 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2520 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2520 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bSee.exe
PID 2520 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bSee.exe
PID 2520 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bSee.exe
PID 2520 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bSee.exe
PID 2216 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2368 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2368 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2368 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2368 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bSee.exe
PID 2368 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bSee.exe
PID 2368 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bSee.exe
PID 2368 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bSee.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bSee.exe

"C:\Users\Admin\AppData\Local\Temp\bSee.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWMigcC5EOGm.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\bSee.exe

"C:\Users\Admin\AppData\Local\Temp\bSee.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\G12e28CnefKZ.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\bSee.exe

"C:\Users\Admin\AppData\Local\Temp\bSee.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 nodetecton.ddns.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 nodetecton.ddns.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp

Files

memory/2152-0-0x0000000000D70000-0x0000000000DCE000-memory.dmp

memory/2152-1-0x0000000074BD0000-0x00000000752BE000-memory.dmp

memory/2152-2-0x0000000000650000-0x0000000000690000-memory.dmp

memory/2152-3-0x0000000074BD0000-0x00000000752BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWMigcC5EOGm.bat

MD5 4dc76c3377b620a56ee5078c0a9cb6af
SHA1 5d725ccad6a8061fc3e10412e4029280d072deb9
SHA256 8854f4ee91da04aaaf99aa72deb0352f2fbea4ccf408b254953aa2c33903e77e
SHA512 9b015c49079df55db5f4ae17f67876fb72c3a333ae080d85dce0cebd7b8030f245ec37d2043959d549a25170cfef98994791bdb3701de06ee1a1002595864ef4

memory/2152-13-0x0000000074BD0000-0x00000000752BE000-memory.dmp

memory/2216-15-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2216-14-0x0000000000D70000-0x0000000000DCE000-memory.dmp

memory/2216-16-0x00000000044D0000-0x0000000004510000-memory.dmp

memory/2216-17-0x0000000074B80000-0x000000007526E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\G12e28CnefKZ.bat

MD5 fa3a07a7016ec1129c111c02d2e00eef
SHA1 4c22695e4e807a403a830835afdd04f730d56437
SHA256 923538176eb63cd36d3ae2453443f10b3103be940ae8968074acf87b5bd55442
SHA512 521c9e3e3e3fcc627420d67d3a1f8ad04c32141b36d4b030dbf0fcd3714cd4256727f49a496d4bc45f0e65075c60e00dbe240245ba96fc4fea02b5ddaba14df4

memory/2216-27-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2188-29-0x0000000074BD0000-0x00000000752BE000-memory.dmp

memory/2188-28-0x0000000000E10000-0x0000000000E6E000-memory.dmp

memory/2188-30-0x0000000004420000-0x0000000004460000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-02 15:09
Reported: 2023-12-02 15:12
Platform: win10v2004-20231127-en
Max time kernel: 129s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bSee.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bSee.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bSee.exe

"C:\Users\Admin\AppData\Local\Temp\bSee.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 nodetecton.ddns.net udp
BR 179.104.80.89:5552 nodetecton.ddns.net tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
BR 179.104.80.89:5552 nodetecton.ddns.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.252.72.23.in-addr.arpa udp
BR 179.104.80.89:5552 nodetecton.ddns.net tcp
US 8.8.8.8:53 nodetecton.ddns.net udp
BR 179.104.80.89:5552 nodetecton.ddns.net tcp
BR 179.104.80.89:5552 nodetecton.ddns.net tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
BR 179.104.80.89:5552 nodetecton.ddns.net tcp

Files

memory/3856-0-0x00000000007D0000-0x000000000082E000-memory.dmp

memory/3856-1-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/3856-2-0x00000000056F0000-0x0000000005C94000-memory.dmp

memory/3856-3-0x00000000052D0000-0x0000000005362000-memory.dmp

memory/3856-4-0x0000000005220000-0x0000000005230000-memory.dmp

memory/3856-5-0x0000000005670000-0x00000000056D6000-memory.dmp

memory/3856-6-0x0000000006240000-0x0000000006252000-memory.dmp

memory/3856-7-0x0000000006680000-0x00000000066BC000-memory.dmp

memory/3856-8-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/3856-9-0x0000000006840000-0x000000000684A000-memory.dmp

memory/3856-10-0x0000000005220000-0x0000000005230000-memory.dmp