BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
11
Global rank
17 infographic chevron month
Month rank
17 infographic chevron week
Week rank
1817
IOCs

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Trojan
Type
Unknown
Origin
1 January, 2015
First seen
17 July, 2024
Last seen

How to analyze Quasar RAT with ANY.RUN

Type
Unknown
Origin
1 January, 2015
First seen
17 July, 2024
Last seen

IOCs

IP addresses
37.120.233.226
185.208.158.208
147.185.221.16
147.185.221.19
103.252.137.65
1.2.3.4
185.85.255.38
45.77.45.120
45.66.231.158
147.185.221.20
65.56.180.162
24.167.114.213
193.161.193.99
213.47.175.92
78.51.140.123
185.241.208.185
77.187.147.67
117.18.7.76
91.92.242.80
109.199.104.52
Hashes
3522539c6d8cd20ae921e31d91eecabe6bf5a4a5afee42fc73b628c0ae11dc6f
471995f7d9517ffc568803747d488cc18a4a8f3bb71875c500a4addbaa4984b4
131b876752d63234d51e97f4558d1a35a8dcdc55794320e1426fd37691033c72
777894a1cb29d3cc1b4030000a5fb1d6f63c1af15a3daaddff1faeb142827c7d
4d45801772b476bb53a0fed32db423b19b97310d6c5ec2779b108cdcdf1ced6a
ff45b78cb2c7cdbde1589168f0689f1d2c227c1cf7bbebc774643637d23a0ff4
1817f80b7cf8e21d2f9e92fe20aad01ef580306639292346356eaa8292dd646b
77a97231baae46313b4bae33035dea60f0a69967a14a2d8273346dd7f6b7cf6a
da1661e48a2ac5d9ef639099429e6fd9e67c0ae9a8d8bdd721649095361b6f20
573bde6a6c3087516dd59217c865d64240dc7215715d7d3dad93af20de5e3b4d
8e60e810a78113b72be81bddf70e3c4037388d9b3eebb7cbb6202317eb4b999a
46c445ee473f05cca49e4021882694b1b2817ba3d1eb8bb11d9e731aef78eb8a
f55f318a58f3229681697e3405142697fa925455222a5a1f272fd34e9c84e314
82729184dd646d9f09a107b61bda17c95abb6cdbc27820987894f3cdd7b7bc4c
eb826224e8a2d58a45582ea75c4bb4bdaf2f7e51131513922c4401ea98f4e857
204bf17a10dd3d6d7e635ca0709873d4185da4d81fdea414a9b5478553fc8d3d
9bc86d7600883fea7d2bd5d30eaef3f7ff8336ac4736ca16efa3f542a81e7e77
43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e
2259304db67dd25fa5ce47bde5b1c8cffab23292c2cec7d3bc2a0c303aace85b
363263493388f6043fe59f3735eb518b5251d82c745029c0541bf18b5d37a191
Domains
qrss.duckdns.org
20.ip.gl.ply.gg
thssdxf6y74-54495.portmap.host
5.tcp.eu.ngrok.io
0.tcp.ap.ngrok.io
marli27.duckdns.org
niggahunter92-23962.portmap.io
quasarrat220-24487.portmap.io
2.tcp.eu.ngrok.io
devsystems.zapto.org
4.tcp.eu.ngrok.io
legal-nextel.gl.at.ply.gg
0.tcp.eu.ngrok.io
r-minolta.gl.at.ply.gg
7.tcp.eu.ngrok.io
grigori.ddns.net
miguel2024.kozow.com
review-lambda.gl.at.ply.gg
c1434cc412c4.zapato.org
jebacdisaskurwysyna-33409.portmap.io
URLs
http://telize.com/geoip
http://1.199.158.213.in-addr.arpa:49669/
tcp://0.tcp.ap.ngrok.io:16495/
http://18.134.234.207/update/ping
http://18.134.234.207/update/error
http://18.134.234.207/update/report
tcp://6.tcp.eu.ngrok.io:16451/
http://church-apr.gl.at.ply.gg/:31194
https://discordinit.ddns.net:4782/
http://www.telize.com/geoip
tcp://6.tcp.eu.ngrok.io:16457/
tcp://2.tcp.eu.ngrok.io:14336/
tcp://6.tcp.eu.ngrok.io:10324/
https://gofile.io/d/v2kHnq:8080
http://impact-eventually.at.playit.gg/tcp:60550
tcp://EdgyxNatexx-23830.portmap.io:23830/
tcp://6.tcp.ngrok.io:14412/
tcp://6.tcp.ngrok.io:4782/
Last Seen at

Recent blog posts

post image
What Are the 3 Types of Threat Intelligence D...
watchers 149
comments 0
post image
Expert Q&A: Aaron Fillmore on his Cyberse...
watchers 161
comments 0
post image
Malware Trends Report: Q2, 2024 
watchers 1630
comments 0

What is Quasar RAT?

Quasar is a remote access trojan is used by attackers to take remote control of infected machines. It is written using the .NET programming language and is available to a wide public as an open-source project for Microsoft Windows operating systems, making it a popular RAT featured in many attacks.

General description of Quasar RAT

Quasar RAT was first discovered in 2015 by security researchers, who, at the time, speculated that an in-house development team wrote this RAT after performing the analysis of a sample. However, Quasar is an evolution of an older malware called xRAT, and some of its samples can carry out as many as 16 malicious actions.

Over the course of its lifetime, the malware has been updated several times, improving its overall functionality. The last version of the malware, which the original author developed, is v. 1.3.0.0. It was released in 2016. Since then, several third parties have adapted the RAT and issued their own version, both minor and major, with the last major version being v. 2.0.0.1.

The RAT we are reviewing today consists of two main components – the server-side component and the Quasar client-side component. The server is equipped with a graphical user interface, and it is used for managing connections with the client-side programs. The Quasar client-server architecture is also utilized to build malware samples which are eventually delivered to potential victims. Malware users can select attributes and customize the executable to fit the attacker's needs. The Quasar client and server run on different OSs including all Windows versions.

The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections, and more. All of the data including requests are sent to the host server with the user-agent strings.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

It should be noted that Quasar's execution can unfold completely silently. Thus, once the victim downloads and launches the Quasar client, usually delivered in a document via email, it can stay active for a long period of time, stealing data and giving the hacker control over the infected PC. The malware does generate a process that can be discovered using the Windows Task Manager or a similar application, but active user actions are required to discover Quasar trojan's presence on a machine.

As far as creators of this malware are concerned, the group of people or a person behind the original version of this malware managed to remain anonymous. As a result, the little-known information that we do have does not go beyond the name of the GitHub page author, which states “quasar.”

As evident from the description on the “official” Quasar GitHub page, this malware is presented as a legitimate remote administration program, which is clearly misleading. In fact, Quasar was featured in an attack aimed at the US government early in 2017. Later the same year, another wave of attacks using this malware occurred, targeting the private sector.

Quasar RAT malware analysis

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, allowing to perform analysis of how the contamination process unfolds.

process graph of the quasar stealer execution Figure 1: Displays the lifecycle of Quasar in a visual form, as shown on the graph generated by ANY.RUN.

text report of quasar analysis Figure 2: Shows a customizable text report generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Based on the analysis, Quasar execution is pretty straightforward but can vary in minor details from sample to sample. The RAT's user-agent strings fake various processes such as a browser running on Windows. In the given example, Quasar was dropped from a Microsoft Office file. Then, the dropped file changed the registry value to run with every operating system start, checked for external IP, and copied itself at another location. After all these steps, the malware started the main malicious activity - collecting information about the operating system and waiting for commands from the C2 server. Quasar allows malware users to collect host system data.

How to avoid infection by Quasar?

Quasar trojan writes itself into scheduled tasks and uses registry keys to achieve persistence, allowing the malware the run every time a machine is started. The persistence method is chosen based on user privileges. If the user has admin rights, the malware uses schtasks to create a scheduled task that launches after a user logs on with the highest run level. If admin rights are lacking, then the scheduled task can only go as far as adding a registry value configured in the client builder and added to the current path as the startup program. The best way to avoid infection is for cybersecurity specialists gt to know various user-agent strings that exist in their network, and identify suspicious user-agent strings.

Distribution of Quasar RAT

Like most other RATs, for example Crimson RAT or Orcus RAT, Quasar is distributed in email spam campaigns that carry the malware’s loader. The loader is embedded in a malicious file attachment which usually carries a name designed to trick the user into thinking that they are receiving some sort of a document. Sometimes these files will have a double extension such as docx.exe. Again, this is done to trick the victim into thinking that the attached file is harmless. Of course, once opened, such files start a command prompt rather than Microsoft Office.

How to detect Quasar RAT using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so if malware tries to communicate with C&C servers, it will be detected. To look at what threats were detected, just click on the "Threats" section of the "Network" tab.

quasar network threats Figure 3: Quasar network threats

Conclusion

Quasar trojan is a powerful open-source malware equipped with a robust persistence mechanism and a complete feature set of malicious capabilities. Being available to anybody with programming knowledge, Quasar became a widely used RAT which was even featured in an attack targeted at the American government.

However, unlike other more advanced Trojans, Quasar RAT does not have extremely sophisticated anti-analysis features, which makes setting up robust cyber-defense an easier task, especially when using malware hunting services like ANY.RUN to simplify and streamline the research process.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy