[Mal Series #7] C# Quasar RAT

It is a Remote Access Trojan (RAT) named Quasar which is written in C#. In this sample it comes with the obfuscated loader that will dump out the first stager which will download/spawn the real payload from the c2 server.

Let’s scroll through it to find any interesting Windows API in it.

Some Windows API found in the obfuscated code

Besides, WriteProcessMemory, VirtualAlloc and VirtualProtect found in it.

From here, we will know that the stager will load the DLL dynamically and call the required functions to unload itself.

Then, load the malware in your favourite debugger (e.g. x64) and put breakpoint on some common malware used Windows API (e.g. VirtualAllocEx, CreateProcessetc.)

It will first allocate the stager shellcode inside the memory. Once the first part of the shellcode landed on the memory section, it will loads the rest of it dynamically during the runtime to complete the code construction. In the meantime, it was found that the shellcode stores Windows API in base64 form.

Base64 encoding to Windows API

It will spawn a new process (AddInProcess.exe if Winx64, AddInProcess if Winx32) to inject the its final payload into its memory section by using process hollowing technique.

Here is the Windows API used to dump the payload.

  • VirtualAllocEx
  • NtUnmapViewOfSection
  • WriteProcessMemory

It uses SetThreadContextto redirect the remote process to run the malicious thread.

The injected payload is in RWX section of the remote process which commonly found in other malware.

🛠⚙ Extract and fix the payload by using PE Bear (Aligning Sections Virtual Address to Raw Address or vice versa) 🛠⚙

Fix the PE sections in PE Bear (Before)

After that, drop the file into dnSpy for static analysis.

The Final C# Quasar RAT Payload!!!

The RAT will connects to 88[.]99[.]51[.]65:2012 with buildId “slovarik”.

Main Function of the RAT

Before anything get started, it has a Anti-VM check.

Anti-VM check :<

Then, it will gather the system information as shown in the picture below.

👁Gather the following System’s Info 👁

The screenshot below shows the item list that will be 👁 steal 👁 by the RAT from the system.

👁Steal the following credentials/info from the system 👁

Click Here for more info about what the RAT steals.

Locate the geolocation of the system by using ip-api.com.

Locate system geolocation by using ip-api

In order to get a Public Address IP, ipify has been abuse and assuming integrate with the RAT server or any malicious infrastructure (hide its Private IP).

Note: ipify itself is a clean site. That mostly use for developement purpose

Trying to get geolocation of the targeted system

Download the hex bytes from the URL below and save it into %TEMP% folder as Update.exe (not sure what it does as it has been taken down during the analysis)

Download the byte stream and safe the file into %TEMP% folder

Finally, all the stolen crendtials will send throught this websocket with the IP mentioned in the beginning. 👨‍💻

Annddddd. Self terminate the process and clearing the client setting

Remove the trace of the stolen data

Similar sample report.

https://app.any.run/tasks/82c69c12-ebd5-4f2d-801b-17b2604f6226/

Sha256

245deb1693e39d6340bcd2e8c9d8f5e78e4906e359172b150a066eb1678987f5

References:

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec