It is a Remote Access Trojan (RAT) named Quasar, written in C#. In this sample it comes with an obfuscated loader that dumps out the first stager, which in turn downloads/spawns the real payload from the C2 server.
Let's scroll through it to find any interesting Windows APIs.
Besides those, WriteProcessMemory, VirtualAlloc and VirtualProtect are found in it.
From here, we know that the stager will load the DLL dynamically and call the required functions to unload itself.
Then, load the malware in your favourite debugger (e.g. x64) and put breakpoints on Windows APIs commonly used by malware (e.g. VirtualAllocEx, CreateProcess, etc.).
It first allocates the stager shellcode in memory. Once the first part of the shellcode has landed in the memory section, it loads the rest dynamically at runtime to complete the code construction. In the meantime, it was found that the shellcode stores Windows API names in base64 form.
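Because the stager keeps its API names base64-encoded, a plain strings run over the dump will not show them. The following Python is an added triage helper, not code from the original post: it scans a blob for base64-looking runs, decodes each one, and reports those that decode to a watched API name. The blob, the separator bytes and the watch list are constructed for the example (the watch list is an assumption built from the APIs named in this analysis).

```python
import base64
import binascii
import re

# Constructed blob standing in for a dumped shellcode region (not the sample's
# bytes): base64-encoded API names separated by non-base64 bytes, plus a decoy.
SAMPLE_BLOB = (
    b"\x00\x01junk\x00"
    + base64.b64encode(b"VirtualAllocEx") + b"\x00\x00"
    + base64.b64encode(b"WriteProcessMemory") + b"\xff\xfe"
    + base64.b64encode(b"HelloWorld") + b"\x00"      # decoy: decodes, but is not an API
    + base64.b64encode(b"NtUnmapViewOfSection") + b"\x00"
    + base64.b64encode(b"SetThreadContext")
)

# Watch list (assumption): the APIs this analysis associates with the stager
# and the hollowing step. Extend it for your own triage.
WATCHED_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "NtUnmapViewOfSection", "SetThreadContext", "CreateProcess",
    "CreateProcessA", "CreateProcessW", "ResumeThread",
}

# Runs of base64-alphabet bytes (at least 8) followed by optional '=' padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_base64_token(token: bytes):
    """Decode one candidate token; return ASCII text or None if it is not base64 ASCII."""
    token += b"=" * ((-len(token)) % 4)           # restore padding the packer may strip
    try:
        raw = base64.b64decode(token, validate=True)
        return raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_base64_api_names(blob: bytes, watch=WATCHED_APIS):
    """Return [(offset, api_name)] for every token that decodes to a watched API name."""
    hits = []
    for m in B64_TOKEN.finditer(blob):
        text = decode_base64_token(m.group(0))
        if text in watch:
            hits.append((m.start(), text))
    return hits


if __name__ == "__main__":
    for offset, name in find_base64_api_names(SAMPLE_BLOB):
        print(f"0x{offset:04x}  {name}")
```

In a real dump the encoded names may sit directly next to other ASCII, so the regex can glue a token onto neighbouring text; if you get no hits, lower the minimum run length or split on the separator bytes the loader actually uses.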
It then spawns a new process (AddInProcess.exe on Win x64, AddInProcess on Win x32) and injects its final payload into that process's memory section using the process hollowing technique.
Here are the Windows APIs used to dump the payload into the new process:
- VirtualAllocEx
- NtUnmapViewOfSection
- WriteProcessMemory
It uses SetThreadContext to redirect the remote process to run the malicious thread.
The injected payload sits in an RWX section of the remote process, which is commonly seen in other malware too.
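The call chain above (NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext against one freshly spawned process, with an RWX allocation) is also what a hook-based sandbox or EDR trace would show. The Python below is an added detection example, not part of the original post: it walks a constructed key=value API trace (the line format and process IDs are invented for the example) and raises one alert per source/target process pair that completes the chain in order, recording the spawned image name and whether the allocation was RWX. A debugger-like process that only writes memory and sets a thread context, and a process allocating in its own address space, do not trigger it.

```python
from collections import defaultdict

# Constructed API trace (not output of the real sample or of any particular
# sandbox): one key=value event per line. Process 1234 performs the hollowing
# sequence against 5678; 4321 behaves like a debugger; 7777 allocates locally.
SAMPLE_TRACE = """\
pid=1234 api=CreateProcess image=AddInProcess.exe target_pid=5678
pid=1234 api=NtUnmapViewOfSection target_pid=5678
pid=1234 api=VirtualAllocEx target_pid=5678 protect=PAGE_EXECUTE_READWRITE
pid=1234 api=WriteProcessMemory target_pid=5678
pid=1234 api=SetThreadContext target_pid=5678
pid=4321 api=WriteProcessMemory target_pid=9999
pid=4321 api=SetThreadContext target_pid=9999
pid=7777 api=VirtualAllocEx target_pid=7777 protect=PAGE_READWRITE
"""

# The cross-process call chain described in the analysis, in the order it must
# occur against the same target process for an alert to fire.
HOLLOWING_CHAIN = ("NtUnmapViewOfSection", "VirtualAllocEx",
                   "WriteProcessMemory", "SetThreadContext")


def parse_event(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def detect_hollowing(trace: str):
    """Return one alert per (pid, target_pid) pair that completes HOLLOWING_CHAIN in order."""
    progress = defaultdict(int)      # (pid, target) -> number of chain stages matched so far
    rwx_alloc = set()                # pairs that allocated RWX memory in the target
    spawned_image = {}               # pairs -> image name seen on CreateProcess
    alerts = []
    for line in trace.splitlines():
        ev = parse_event(line)
        if "pid" not in ev or "api" not in ev:
            continue
        key = (ev["pid"], ev.get("target_pid", ev["pid"]))
        api = ev["api"]
        if api.startswith("CreateProcess") and "image" in ev:
            spawned_image[key] = ev["image"]
        if api == "VirtualAllocEx" and ev.get("protect") == "PAGE_EXECUTE_READWRITE":
            rwx_alloc.add(key)
        stage = progress[key]
        # Only cross-process activity counts; the chain must advance in order.
        if key[0] != key[1] and stage < len(HOLLOWING_CHAIN) and api == HOLLOWING_CHAIN[stage]:
            progress[key] = stage + 1
            if progress[key] == len(HOLLOWING_CHAIN):
                alerts.append({
                    "pid": key[0],
                    "target_pid": key[1],
                    "image": spawned_image.get(key),
                    "rwx_alloc": key in rwx_alloc,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(SAMPLE_TRACE):
        print(alert)
```

Ordering is the point of the rule: WriteProcessMemory plus SetThreadContext on their own are what every debugger does, but nobody legitimately unmaps the image of a process they just created and then refills it with RWX memory.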
🛠⚙ Extract and fix the payload using PE-bear (align the sections' virtual addresses to the raw addresses, or vice versa) 🛠⚙
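What PE-bear does when you align the sections is rewrite each section header so the raw (file) offset and size match where the section actually sits in the memory dump. The Python below is an added example, not code from the original post or from PE-bear: it parses the PE headers with struct, sets PointerToRawData to VirtualAddress, rounds SizeOfRawData up to the section alignment and sets FileAlignment to SectionAlignment, so a normal PE parser reads the dumped image correctly. The PE32 image it operates on is constructed inline (marker bytes at the RVAs, stale file offsets in the headers) and is not the sample's payload.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")      # IMAGE_SECTION_HEADER, 40 bytes


def _headers(data):
    """Return (optional header offset, section table offset, section count)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]       # FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24
    return opt, opt + size_opt, num_sections


def alignments(data):
    """(SectionAlignment, FileAlignment); both sit at the same offsets in PE32 and PE32+."""
    opt, _, _ = _headers(data)
    return struct.unpack_from("<II", data, opt + 32)


def read_sections(data):
    """[(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]"""
    _, table, n = _headers(data)
    rows = []
    for i in range(n):
        f = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        rows.append((f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]))
    return rows


def section_bytes(data, name):
    """The bytes a PE parser would read for `name`, following the raw pointer and size."""
    for sec_name, _, _, raw_size, raw_ptr in read_sections(data):
        if sec_name == name:
            return data[raw_ptr:raw_ptr + raw_size]
    raise KeyError(name)


def realign_dumped_pe(data):
    """Rewrite the section headers of a memory dump so raw offsets equal RVAs."""
    buf = bytearray(data)
    opt, table, n = _headers(buf)
    section_align, _ = alignments(buf)
    struct.pack_into("<I", buf, opt + 36, section_align)       # FileAlignment := SectionAlignment
    for i in range(n):
        off = table + i * SECTION_HDR.size
        f = list(SECTION_HDR.unpack_from(buf, off))
        vsize, va = f[1], f[2]
        f[3] = -(-vsize // section_align) * section_align     # SizeOfRawData := VirtualSize rounded up
        f[4] = va                                              # PointerToRawData := VirtualAddress
        SECTION_HDR.pack_into(buf, off, *f)
    return bytes(buf)


def build_constructed_dump():
    """Constructed stand-in for a dumped PE32 (not the sample): section data lies at
    its RVA, but the headers still carry the original file offsets."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", img, opt + 32, 0x1000)                             # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)                              # FileAlignment
    struct.pack_into("<I", img, opt + 56, 0x3000)                             # SizeOfImage
    struct.pack_into("<I", img, opt + 60, 0x400)                              # SizeOfHeaders
    table = opt + 0xE0
    SECTION_HDR.pack_into(img, table, b".text\0\0\0", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    SECTION_HDR.pack_into(img, table + 40, b".data\0\0\0", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    img[0x1000:0x1004] = b"TEXT"      # real section content lives at the RVA in a dump
    img[0x2000:0x2004] = b"DATA"
    return bytes(img)


if __name__ == "__main__":
    dump = build_constructed_dump()
    for row in read_sections(realign_dumped_pe(dump)):
        print(row)
```

Run it on a dump written to disk by replacing the constructed image with `open(path, "rb").read()`. The headers are left otherwise untouched, so the image base and entry point still describe the in-memory layout; that is the state dnSpy and other parsers expect for a dumped .NET payload.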
After that, drop the file into dnSpy for static analysis.
The Final C# Quasar RAT Payload!!!
The RAT connects to 88[.]99[.]51[.]65:2012 with buildId “slovarik”.
Before anything gets started, it performs an anti-VM check.
Then it gathers system information, as shown in the picture below.
The screenshot below shows the list of items the RAT will 👁 steal 👁 from the system.
Click Here for more info about what the RAT steals.
It locates the geolocation of the system using ip-api.com.
To obtain the public IP address, ipify is abused, presumably integrated with the RAT server or other malicious infrastructure (hiding the victim's private IP).
Note: ipify itself is a clean site, mostly used for development purposes.
It downloads hex bytes from the URL below and saves them into the %TEMP% folder as Update.exe (not sure what it does, as the URL had been taken down during the analysis).
Finally, all the stolen credentials are sent through this websocket to the IP mentioned at the beginning. 👨💻
Annddddd... it self-terminates the process and clears the client settings.
Similar sample report: https://app.any.run/tasks/82c69c12-ebd5-4f2d-801b-17b2604f6226/
SHA256: 245deb1693e39d6340bcd2e8c9d8f5e78e4906e359172b150a066eb1678987f5