[Mal Series #7] C# Quasar RAT

This post looks at Quasar, a Remote Access Trojan (RAT) written in C#. The sample comes with an obfuscated loader that dumps out a first stager, which in turn downloads/spawns the real payload from the C2 server.

Let's scroll through it to find any interesting Windows APIs.

Some Windows API found in the obfuscated code

WriteProcessMemory, VirtualAlloc and VirtualProtect are also found in it.

From this we can tell that the stager loads the DLL dynamically and calls the required functions to unload itself.

Then, load the malware in your favourite debugger (e.g. x64) and put breakpoints on some Windows APIs commonly used by malware (e.g. VirtualAllocEx, CreateProcess, etc.).

It first allocates memory for the stager shellcode. Once the first part of the shellcode has landed in that memory section, it loads the rest dynamically at runtime to complete the code construction. It was also found that the shellcode stores the Windows API names in base64 form.

Base64 encoding to Windows API
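The base64-encoded API names described above are easy to recover from a memory dump without stepping through the decoder. The script below is an added example (not code from the original post): it scans a byte blob for base64-looking tokens, decodes the ones that yield printable ASCII, and reports those matching a list of API names taken from this write-up. The sample blob it scans is constructed here to stand in for the dumped stager; it is not the real shellcode.

```python
import base64
import binascii
import re

# Windows API names this analysis expects to see in the loader and stager
# (all taken from the write-up); extend the set for other families.
KNOWN_APIS = {
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "VirtualAllocEx",
    "NtUnmapViewOfSection", "SetThreadContext", "CreateProcess",
}

# A run of base64 alphabet characters, optionally padded. Requiring 8+
# characters keeps short ASCII fragments from producing noise.
BASE64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_candidates(blob: bytes):
    """Return (offset, token, decoded_text) for every base64 token in blob
    that decodes cleanly to printable ASCII."""
    hits = []
    for m in BASE64_TOKEN.finditer(blob):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid base64, bad padding, or a non-text payload
        if text and text.isprintable():
            hits.append((m.start(), token.decode("ascii"), text))
    return hits


def find_api_names(blob: bytes):
    """Offsets and names of known Windows APIs stored base64-encoded in blob."""
    return [(off, text) for off, _tok, text in decode_candidates(blob)
            if text in KNOWN_APIS]


def build_sample_shellcode() -> bytes:
    """Constructed stand-in for the dumped stager: a few opcode-like bytes,
    a plain DLL name, and base64-encoded API names separated by NULs.
    This is NOT the real sample's shellcode."""
    names = [b"VirtualAllocEx", b"NtUnmapViewOfSection",
             b"WriteProcessMemory", b"SetThreadContext"]
    parts = [b"\x55\x8b\xec\x83\xec\x40", b"kernel32.dll\x00"]
    parts += [base64.b64encode(n) + b"\x00" for n in names]
    parts.append(b"\xc3")
    return b"".join(parts)


if __name__ == "__main__":
    for off, name in find_api_names(build_sample_shellcode()):
        print(f"0x{off:04x}  {name}")
```

Run it against a raw dump of the allocated region (`find_api_names(open("stager.bin", "rb").read())`) to get the offsets of the encoded names; the same offsets make good places for read breakpoints when you want to watch the decoder at work.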

It spawns a new process (AddInProcess.exe on Winx64, AddInProcess on Winx32) and injects its final payload into that process's memory using the process hollowing technique.

Here are the Windows APIs used to place the payload in the remote process.

  • VirtualAllocEx
  • NtUnmapViewOfSection
  • WriteProcessMemory

It uses SetThreadContext to redirect the remote process to run the malicious thread.

The injected payload sits in an RWX section of the remote process, which is commonly seen in other malware.
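The hollowing sequence above (spawn a host, NtUnmapViewOfSection, an RWX VirtualAllocEx, WriteProcessMemory, SetThreadContext) is also what a detection should key on. The following is an added example, not code from the original post: it parses a constructed API-monitor trace, groups calls by (source pid, target pid) and fires only when one pair walks the whole sequence with a PAGE_EXECUTE_READWRITE allocation. The trace format and the exact call order are assumptions; the write-up lists the APIs but not their order.

```python
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # the RWX protection the write-up observed

# Call order treated here as the hollowing signature (assumption: the
# write-up lists the APIs but not their order; this is the classic order).
HOLLOWING_SEQUENCE = [
    "CreateProcess",         # spawn the host (AddInProcess.exe in the sample)
    "NtUnmapViewOfSection",  # hollow out the original image
    "VirtualAllocEx",        # RWX allocation in the remote process
    "WriteProcessMemory",    # copy the payload in
    "SetThreadContext",      # point the remote thread at it
]

# Constructed API-monitor trace (not real tool output): "<ts> key=value ..."
SAMPLE_TRACE = """\
1001 pid=4120 api=CreateProcess image=AddInProcess.exe target_pid=5288
1002 pid=4120 api=NtUnmapViewOfSection target_pid=5288
1003 pid=4120 api=VirtualAllocEx target_pid=5288 protect=0x40
1004 pid=4120 api=WriteProcessMemory target_pid=5288 size=212992
1005 pid=4120 api=SetThreadContext target_pid=5288
1006 pid=3300 api=VirtualAllocEx target_pid=3300 protect=0x04
1007 pid=3300 api=WriteProcessMemory target_pid=3300 size=64
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<kv>.+)$")


def parse_line(line: str):
    """Parse one trace line into a dict; None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": int(m.group("ts"))}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect_hollowing(trace_text: str):
    """Group events by (source pid, target pid) and report every pair that
    walks the whole HOLLOWING_SEQUENCE with an RWX VirtualAllocEx."""
    per_pair = defaultdict(list)
    for line in trace_text.splitlines():
        ev = parse_line(line)
        if ev and "api" in ev and "target_pid" in ev:
            per_pair[(ev["pid"], ev["target_pid"])].append(ev)

    alerts = []
    for (src, tgt), events in per_pair.items():
        stage = 0
        for ev in sorted(events, key=lambda e: e["ts"]):
            if ev["api"] != HOLLOWING_SEQUENCE[stage]:
                continue
            if ev["api"] == "VirtualAllocEx" and \
                    int(ev.get("protect", "0"), 16) != PAGE_EXECUTE_READWRITE:
                continue  # non-executable allocation: not the pattern we want
            stage += 1
            if stage == len(HOLLOWING_SEQUENCE):
                image = next((e.get("image") for e in events if "image" in e), None)
                alerts.append({"source_pid": src, "target_pid": tgt,
                               "image": image, "completed_at": ev["ts"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_TRACE):
        print(f"process hollowing: pid {a['source_pid']} -> pid {a['target_pid']} "
              f"({a['image']}) at {a['completed_at']}")
```

The pid 3300 lines are there to show the check staying quiet on an ordinary in-process allocation: without a CreateProcess and an RWX allocation against another process the state machine never advances.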

🛠⚙ Extract and fix the payload using PE Bear (aligning the sections' Virtual Address to Raw Address, or vice versa) 🛠⚙

Fix the PE sections in PE Bear (Before)
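What PE Bear does in that screenshot can be scripted when there are many dumps to fix. The code below is an added example, not the post's or PE Bear's code: it walks the section table of a dumped image and sets each header's PointerToRawData/SizeOfRawData to its VirtualAddress/VirtualSize, which is correct because a dump taken from the hollowed process already has every section at its virtual address. The input PE is constructed in the block so the fix can be checked offline; it is not the real payload.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def _section_table_offset(buf: bytes):
    """Return (offset of the first section header, number of sections)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    return e_lfanew + 24 + size_of_opt, num_sections


def section_table(buf: bytes):
    """List the fields PE Bear shows in its section view."""
    off, n = _section_table_offset(buf)
    rows = []
    for i in range(n):
        fields = SECTION_HDR.unpack_from(buf, off + i * SECTION_HDR.size)
        name, vsize, va, rawsize, rawptr = fields[:5]
        rows.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                     "VirtualAddress": va, "VirtualSize": vsize,
                     "PointerToRawData": rawptr, "SizeOfRawData": rawsize})
    return rows


def realign_sections(dump: bytes) -> bytes:
    """Make the raw layout equal the virtual layout: in a memory dump the
    section data already sits at its VirtualAddress, so point each header's
    PointerToRawData/SizeOfRawData there."""
    buf = bytearray(dump)
    off, n = _section_table_offset(buf)
    for i in range(n):
        hdr = off + i * SECTION_HDR.size
        vsize, va = struct.unpack_from("<II", buf, hdr + 8)
        struct.pack_into("<II", buf, hdr + 16, vsize, va)  # SizeOfRawData, PointerToRawData
    return bytes(buf)


def build_dumped_pe() -> bytes:
    """Constructed minimal PE32 image in its in-memory layout, with section
    headers still carrying on-disk raw pointers (as a dump of the hollowed
    process would). Not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    size_of_opt = 0xE0                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_of_opt, 0x0102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    sections = b"".join(
        SECTION_HDR.pack(name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, va, rawsize, rawptr in [
            (b".text", 0x1000, 0x1000, 0x600, 0x400),
            (b".data", 0x0800, 0x2000, 0x200, 0xA00),
        ])
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
    image = bytearray(0x3000)
    image[:len(headers)] = headers
    image[0x1000:0x1004] = b"TEXT"  # section data at its *virtual* address
    image[0x2000:0x2004] = b"DATA"
    return bytes(image)


if __name__ == "__main__":
    dumped = build_dumped_pe()
    fixed = realign_sections(dumped)
    for before, after in zip(section_table(dumped), section_table(fixed)):
        print(before["name"], hex(before["PointerToRawData"]), "->",
              hex(after["PointerToRawData"]))
```

Only the section headers are touched. A dump taken after the loader has resolved imports may also need its import table rebuilt; for a managed payload like this one, the realignment is what lets the .NET metadata directory resolve to the right bytes so dnSpy can parse it.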

After that, drop the file into dnSpy for static analysis.

The Final C# Quasar RAT Payload!!!

The RAT connects to 88[.]99[.]51[.]65:2012 with buildId "slovarik".

Main Function of the RAT

Before anything gets started, it has an Anti-VM check.

Anti-VM check :<

Then, it gathers the system information shown in the picture below.

👁Gather the following System’s Info 👁

The screenshot below shows the list of items that the RAT will 👁 steal 👁 from the system.

👁Steal the following credentials/info from the system 👁

Click Here for more info about what the RAT steals.

Locate the system's geolocation by using ip-api.com.

Locate system geolocation by using ip-api

To obtain the public IP address, ipify is abused, presumably so the result can be integrated with the RAT server or other malicious infrastructure (the private IP stays hidden).

Note: ipify itself is a clean site, mostly used for development purposes.

Trying to get geolocation of the targeted system

Download the hex bytes from the URL below and save them into the %TEMP% folder as Update.exe (not sure what it does, as the URL had been taken down during the analysis).

Download the byte stream and save the file into the %TEMP% folder

Finally, all the stolen credentials are sent through this websocket to the IP mentioned at the beginning. 👨‍💻
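Taken together, the behaviours in this part of the analysis (a public-IP lookup, a geolocation lookup, an executable dropped into %TEMP%, then a connection to the C2) make a better detection than the C2 address alone, which will change with the next build. The script below is an added example, not code from the original post: it scores constructed JSON-lines endpoint telemetry per process, raising an alert either on the exact C2 indicator from this write-up or when the behavioural score crosses a threshold. The event format, the threshold and the weights are assumptions; ip-api.com is named in the write-up and api.ipify.org is ipify's public endpoint.

```python
import json
from collections import defaultdict

# Indicators from the write-up (defanged there as 88[.]99[.]51[.]65:2012).
C2_IP, C2_PORT = "88.99.51.65", 2012
# ip-api.com is named in the write-up; api.ipify.org is ipify's public endpoint.
RECON_HOSTS = {"api.ipify.org", "ip-api.com"}

BEHAVIOUR_THRESHOLD = 3  # assumption: two recon lookups plus a dropped exe

# Constructed endpoint telemetry as JSON lines (not real Sysmon/EDR output).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": 1, "pid": 5288, "type": "net",  "dst_host": "api.ipify.org", "dst_port": 443},
    {"ts": 2, "pid": 5288, "type": "net",  "dst_host": "ip-api.com",    "dst_port": 80},
    {"ts": 3, "pid": 5288, "type": "file", "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\Update.exe"},
    {"ts": 4, "pid": 5288, "type": "net",  "dst_ip": "88.99.51.65",     "dst_port": 2012},
    {"ts": 5, "pid": 7001, "type": "net",  "dst_host": "api.ipify.org", "dst_port": 443},
    {"ts": 6, "pid": 7001, "type": "file", "path": "C:\\Users\\victim\\Documents\\notes.txt"},
])


def dropped_exe_in_temp(path: str) -> bool:
    """True for an .exe written anywhere under a Temp directory."""
    p = path.lower().replace("/", "\\")
    return "\\temp\\" in p and p.endswith(".exe")


def score_events(jsonl: str):
    """Return {pid: {"score": int, "reasons": [...], "ioc_hit": bool}}."""
    per_pid = defaultdict(lambda: {"score": 0, "reasons": [], "ioc_hit": False})
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rec = per_pid[ev["pid"]]
        if ev["type"] == "net":
            if ev.get("dst_ip") == C2_IP and ev.get("dst_port") == C2_PORT:
                rec["ioc_hit"] = True
                rec["reasons"].append(f"connect to known C2 {C2_IP}:{C2_PORT}")
            elif ev.get("dst_host") in RECON_HOSTS:
                rec["score"] += 1
                rec["reasons"].append(f"public IP/geolocation lookup via {ev['dst_host']}")
        elif ev["type"] == "file" and dropped_exe_in_temp(ev.get("path", "")):
            rec["score"] += 2
            rec["reasons"].append(f"executable written to %TEMP%: {ev['path']}")
    return dict(per_pid)


def alerts(jsonl: str):
    """Pids that either touched the C2 or crossed the behaviour threshold."""
    out = {}
    for pid, rec in score_events(jsonl).items():
        if rec["ioc_hit"] or rec["score"] >= BEHAVIOUR_THRESHOLD:
            out[pid] = rec
    return out


if __name__ == "__main__":
    for pid, rec in alerts(SAMPLE_EVENTS).items():
        kind = "ioc_hit" if rec["ioc_hit"] else "behavioural"
        print(pid, kind, rec["reasons"])
```

Pid 7001 does a single ipify lookup, which plenty of legitimate software does, and writes a text file; it scores 1 and stays below the threshold, which is the point of combining signals rather than alerting on ipify or ip-api.com alone.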

Annddddd... it self-terminates the process and clears the client settings.

Remove the trace of the stolen data

Similar sample report.








Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec
