Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
21
Global rank
7 infographic chevron month
Month rank
9 infographic chevron week
Week rank
0
IOCs

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

RAT
Type
Unknown
Origin
1 January, 2015
First seen
5 October, 2025
Last seen

How to analyze Quasar RAT with ANY.RUN

RAT
Type
Unknown
Origin
1 January, 2015
First seen
5 October, 2025
Last seen

IOCs

IP addresses
194.33.191.246
1.1.1.1
193.161.193.99
185.9.19.107
213.152.161.5
67.205.154.243
103.241.72.56
52.28.112.211
37.120.210.219
167.71.56.116
199.195.253.181
185.65.135.178
206.123.141.239
160.202.141.191
91.146.251.165
51.178.238.250
79.83.116.119
185.81.157.169
176.234.101.97
5.9.226.161
Hashes
452d95b8f72feeecf0cdf37153b6c867ed0ed5d2b619d28cebc82c565f6e2819
ec17b37bf2dccf56e34bdf5a819538348e626464889201482a2f05be5cbe198d
8f262a933be275930b09e0f01eacd7931ac20be063a9d4306439be095f9ce588
9eb19f274f7e57bed56f00c6209ecf88ba912898d52ec87eaabaa87dd124d8ca
0d40448a3a2a5dbe20a141742863fa4d6c4b984f03968c7537b4d536da21c0e6
8b53652eea41696a41ba8af21250514615dd215f5c5f382fbdd4c62e112bdef4
23325666d5ac028c9c840b4232406ab3a6ed37d8c45e68ed4a892536515de96e
e4113ba36491967e75e37bd17ae8ff274319f9977c6d450c528cada9f47808bd
9e558cb05e95240a404a5ab58b6790a3e06f170cfad11d4c8a4688ec622cdd4b
c959ea8c7fecdb4217aba283d13867cb5f8446e864a181cba78d8d370e125ded
9a4b97fb3450c182a25f7f9d933c0287ca66c3e0ce71319c48eaa0dab4bd86ca
8a68952c01136db4c61f4ead1f8553fb8a6daaeceab343483459740c87224b55
1110c7854696db48bb121dca5f8facc0ffa8b67a62b35d64718be00a7295b05a
c2a2c048fc0c68c4aba593ecf9326b040421a4e395db06a37251e79a4b2c45d3
9a5c3ea43a1c23dd04f445dc1e92e20b618c5e4f4d5a485ece6e2e4b50d535cc
4eb7837b370c8f3cacc740cbe69bc00ed2622b9572cffb12a2d1420d5ddc77b7
aca3a6283efbd6bb23af8168617f95a4f7da75d307f5f791b7c4db1854d15c43
7d1c8379cf2736faa1064a0e243e99bb2ce8644ea8ea19e7af612722fe3bb0a6
6b98224fdb7859c056ab73a74badf28370a244be06d7e9828bab5ffc2567fa51
620924ef602914f39a25a101121a7fda75e70c64ae0dff470f0c34db286802d9
Domains
0.tcp.ngrok.io
serveo.net
0.tcp.eu.ngrok.io
al3nzii.myq-see.com
omka11.duckdns.org
2.tcp.eu.ngrok.io
2.tcp.ngrok.io
kenzeey.duckdns.org
kenzeey.ddns.net
updatefacebook.duckdns.org
4.tcp.ngrok.io
1.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
0.tcp.in.ngrok.io
eu-central-7075.packetriot.net
0.tcp.ap.ngrok.io
6.tcp.ngrok.io
8.tcp.ngrok.io
nerdenas.duckdns.org
twart.myfirewall.org
URLs
http://www.telize.com/geoip
http://telize.com/geoip
http://binance.com/
http://freegeoip.net/xml/
tcp://6.tcp.ngrok.io:14412/
tcp://6.tcp.ngrok.io:4782/
tcp://EdgyxNatexx-23830.portmap.io:23830/
http://impact-eventually.at.playit.gg/tcp:60550
https://gofile.io/d/v2kHnq:8080
tcp://2.tcp.eu.ngrok.io:14336/
tcp://6.tcp.eu.ngrok.io:10324/
tcp://6.tcp.eu.ngrok.io:16457/
https://discordinit.ddns.net:4782/
http://church-apr.gl.at.ply.gg/:31194
tcp://6.tcp.eu.ngrok.io:16451/
tcp://0.tcp.ap.ngrok.io:16495/
http://18.134.234.207/update/ping
http://18.134.234.207/update/error
http://18.134.234.207/update/report
http://1.199.158.213.in-addr.arpa:49669/
Last Seen at
Last Seen at

Recent blog posts

post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 973
comments 0
post image
FunkSec’s FunkLocker: How AI Is Powering the...
watchers 2764
comments 0
post image
ANY.RUN & MS Defender: Enrich Alerts Faster,...
watchers 2664
comments 0

What is Quasar RAT?

Quasar is a remote access trojan is used by attackers to take remote control of infected machines. It is written using the .NET programming language and is available to a wide public as an open-source project for Microsoft Windows operating systems, making it a popular RAT featured in many attacks.

General description of Quasar RAT

Quasar RAT was first discovered in 2015 by security researchers, who, at the time, speculated that an in-house development team wrote this RAT after performing the analysis of a sample. However, Quasar is an evolution of an older malware called xRAT, and some of its samples can carry out as many as 16 malicious actions.

Over the course of its lifetime, the malware has been updated several times, improving its overall functionality. The last version of the malware, which the original author developed, is v. 1.3.0.0. It was released in 2016. Since then, several third parties have adapted the RAT and issued their own version, both minor and major, with the last major version being v. 2.0.0.1.

The RAT we are reviewing today consists of two main components – the server-side component and the Quasar client-side component. The server is equipped with a graphical user interface, and it is used for managing connections with the client-side programs. The Quasar client-server architecture is also utilized to build malware samples which are eventually delivered to potential victims. Malware users can select attributes and customize the executable to fit the attacker's needs. The Quasar client and server run on different OSs including all Windows versions.

The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections, and more. All of the data including requests are sent to the host server with the user-agent strings.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

It should be noted that Quasar's execution can unfold completely silently. Thus, once the victim downloads and launches the Quasar client, usually delivered in a document via email, it can stay active for a long period of time, stealing data and giving the hacker control over the infected PC. The malware does generate a process that can be discovered using the Windows Task Manager or a similar application, but active user actions are required to discover Quasar trojan's presence on a machine.

As far as creators of this malware are concerned, the group of people or a person behind the original version of this malware managed to remain anonymous. As a result, the little-known information that we do have does not go beyond the name of the GitHub page author, which states “quasar.”

As evident from the description on the “official” Quasar GitHub page, this malware is presented as a legitimate remote administration program, which is clearly misleading. In fact, Quasar was featured in an attack aimed at the US government early in 2017. Later the same year, another wave of attacks using this malware occurred, targeting the private sector.

Quasar RAT malware analysis

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, allowing to perform analysis of how the contamination process unfolds.

process graph of the quasar stealer execution Figure 1: Displays the lifecycle of Quasar in a visual form, as shown on the graph generated by ANY.RUN.

text report of quasar analysis Figure 2: Shows a customizable text report generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Based on the analysis, Quasar execution is pretty straightforward but can vary in minor details from sample to sample. The RAT's user-agent strings fake various processes such as a browser running on Windows. In the given example, Quasar was dropped from a Microsoft Office file. Then, the dropped file changed the registry value to run with every operating system start, checked for external IP, and copied itself at another location. After all these steps, the malware started the main malicious activity - collecting information about the operating system and waiting for commands from the C2 server. Quasar allows malware users to collect host system data.

How to avoid infection by Quasar?

Quasar trojan writes itself into scheduled tasks and uses registry keys to achieve persistence, allowing the malware the run every time a machine is started. The persistence method is chosen based on user privileges. If the user has admin rights, the malware uses schtasks to create a scheduled task that launches after a user logs on with the highest run level. If admin rights are lacking, then the scheduled task can only go as far as adding a registry value configured in the client builder and added to the current path as the startup program. The best way to avoid infection is for cybersecurity specialists gt to know various user-agent strings that exist in their network, and identify suspicious user-agent strings.

Distribution of Quasar RAT

Like most other RATs, for example Crimson RAT or Orcus RAT, Quasar is distributed in email spam campaigns that carry the malware’s loader. The loader is embedded in a malicious file attachment which usually carries a name designed to trick the user into thinking that they are receiving some sort of a document. Sometimes these files will have a double extension such as docx.exe. Again, this is done to trick the victim into thinking that the attached file is harmless. Of course, once opened, such files start a command prompt rather than Microsoft Office.

How to detect Quasar RAT using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so if malware tries to communicate with C&C servers, it will be detected. To look at what threats were detected, just click on the "Threats" section of the "Network" tab.

quasar network threats Figure 3: Quasar network threats

Conclusion

Quasar trojan is a powerful open-source malware equipped with a robust persistence mechanism and a complete feature set of malicious capabilities. Being available to anybody with programming knowledge, Quasar became a widely used RAT which was even featured in an attack targeted at the American government.

However, unlike other more advanced Trojans, Quasar RAT does not have extremely sophisticated anti-analysis features, which makes setting up robust cyber-defense an easier task, especially when using malware hunting services like ANY.RUN to simplify and streamline the research process.

HAVE A LOOK AT

Remote Access Trojan screenshot
Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Read More
MassLogger screenshot
MassLogger
masslogger
MassLogger is a credential stealer and keylogger first identified in April 2020. It has been actively used in cyber campaigns to exfiltrate sensitive information from compromised systems. It is designed for easy use by less tech-savvy actors and is prominent for the capability of spreading via USB drives. It targets both individuals and organizations in various industries, mostly in Europe and the USA.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
Wshrat screenshot
Wshrat
wshrat rat trojan
WSHRAT is a Remote Access Trojan — a malware that allows the attackers to take over the infected machines. The RAT has been in circulation since 2013 and it is arguably most notable for the numerous versions released into the wild.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More