
# MAL-250610-01-01

| Metadata | Information |
|---|---|
| Report ID | MAL-250610-01-01 |
| Incident Date | Unknown |
| Report Date | 2025-06-10 |
| Malware Name | QuasarRAT |
| Version | 01 |
| Analyst | @therustymate |
| Organization | Private |
| Severity | Critical |
| Status | Public/Draft |
| Malware Type | RAT |
| Detection Date | 2025-06-10 00:20:15 UTC |
| Affected Systems | Windows/Home |
| CVE | N/A |
| Tags | Backdoor |

## Incident Metadata

| Metadata | Information |
|---|---|
| Command & Control (C2) Server | 185.244.29[.]181:1604 |
| Indicators of Compromise | 185.244.29[.]181:1604 |
| Infection Vector | Download |
| Persistence Mechanisms | NYA |
| Payload Description | Backdoor |
| Network Behavior | C2 connection and communication |
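The only network indicator in this report is the C2 socket above. The following is an added example (not part of the original report) showing how to refang that indicator and hunt for it in endpoint and sensor logs. The log lines are constructed for the example: two records in Sysmon Event ID 3 field style and one in Zeek `conn.log` column order; hosts, PIDs and timestamps are made up, only the C2 address and port come from the report.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# C2 indicator exactly as the report lists it (defanged).
C2_IOC_DEFANGED = "185.244.29[.]181:1604"


def refang(ioc: str) -> Tuple[str, int]:
    """Turn a defanged 'a.b.c[.]d:port' indicator into (ip, port)."""
    host, _, port = ioc.replace("[.]", ".").rpartition(":")
    ip = str(ipaddress.ip_address(host))  # raises ValueError on a bad address
    return ip, int(port)


# Constructed sample log lines (not from the report). Field names follow the
# Sysmon and Zeek schemas; the hosts, PIDs and times are invented.
SAMPLE_LOGS = [
    "2025-06-10T00:20:15Z Sysmon EID=3 Image=C:\\Users\\home\\Downloads\\edf5ee6173907a5c75650016186ea5a8.exe "
    "ProcessId=4120 Protocol=tcp DestinationIp=185.244.29.181 DestinationPort=1604 Initiated=true",
    "2025-06-10T00:21:02Z Sysmon EID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "ProcessId=3308 Protocol=tcp DestinationIp=142.250.74.78 DestinationPort=443 Initiated=true",
    # ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state
    "1749514815.000000 Ca1b2c3 10.0.0.7 51234 185.244.29.181 1604 tcp - 12.5 833 412 SF",
]

SYSMON_RE = re.compile(r"DestinationIp=(?P<ip>\S+)\s+DestinationPort=(?P<port>\d+)")
ZEEK_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\d+\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+tcp")


def find_c2_hits(lines: Iterable[str], ioc: str = C2_IOC_DEFANGED) -> List[str]:
    """Return every log line whose destination equals the C2 ip:port."""
    ip, port = refang(ioc)
    hits: List[str] = []
    for line in lines:
        m = SYSMON_RE.search(line) or ZEEK_RE.match(line)
        if m and m.group("ip") == ip and int(m.group("port")) == port:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS):
        print("C2 match:", hit)
```

Matching on the exact ip:port pair keeps the rule tight; if the operator rotates the port, drop the port check and alert on the address alone, and pair it with the file hashes below for the process that initiated the connection.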

## File Names

| File Name | Size |
|---|---|
| edf5ee6173907a5c75650016186ea5a8.exe | 514,048 bytes |

## Hashes

| File Name | Hash Type | Hash |
|---|---|---|
| edf5ee6173907a5c75650016186ea5a8.exe | MD5 | edf5ee6173907a5c75650016186ea5a8 |
| edf5ee6173907a5c75650016186ea5a8.exe | SHA1 | 8dabd536d13a57364812eb9c8d413c50b8788b8e |
| edf5ee6173907a5c75650016186ea5a8.exe | SHA256 | cd425ba34aa2ac7f31b6c498b09780cd7bacb7d7826cdc119fd6a35e95ee8700 |

## References

!!!WARNING!!! Some references may not be fully reliable.

| Title | Link |
|---|---|
| MalwareBazaar | here |

## Blackbox Analysis

Anyrun URL: https://app.any.run/tasks/7fcb71c2-1a6c-4bfd-99e1-9aaaaa2490bd

```
0047e7ae int32_t _CorExeMain()
0047e7ae return _CorExeMain() __tailcall
```

I confirmed the presence of a tail call to _CorExeMain() at the program's entry point using Binary Ninja. Therefore, I will use ILSpy to decompile the binary.

A native entry stub that does nothing but jump to mscoree!_CorExeMain is the hallmark of a managed (.NET) executable: the real code is CIL in the assembly's metadata, so a .NET decompiler rather than a native disassembler is the right tool from this point on.
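The tail call to _CorExeMain is what a disassembler shows; the authoritative marker is the CLR header entry (index 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) in the PE optional header's data directory. The following added example, which is not part of the original report, checks that entry with nothing but the standard library, so it can run in a triage pipeline without loading the sample. The `build_stub_pe()` fixture is a constructed, header-only PE used to exercise the check; it is not the analysed sample.

```python
import struct

# Index of the CLR (COM descriptor) entry in the PE optional-header data directory.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def is_managed_pe(data: bytes) -> bool:
    """True when the PE carries a CLR header, i.e. it is a .NET assembly."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                    # skip PE signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                         # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                       # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        return False
    num_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False                           # directory too short to hold a CLR entry
    entry = dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def build_stub_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) used to exercise the check.

    Hypothetical test fixture, not a real binary: only the fields that
    is_managed_pe() reads are populated.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE header follows the DOS header
    opt_size = 240 if pe32plus else 224
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)   # NumberOfRvaAndSizes
    if managed:
        entry = (112 if pe32plus else 96) + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
        struct.pack_into("<II", opt, entry, 0x2008, 0x48)      # CLR header RVA and size
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe(managed=True)
    print("managed (.NET) PE" if is_managed_pe(blob) else "native PE or not a PE")
```

Run it as `python check_clr.py <sample>`; a non-zero CLR directory entry means ILSpy or dnSpy will decompile it, while a zero entry on a file that still imports mscoree suggests a native loader wrapping a managed payload and calls for unpacking first.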

## csproj File Contents

```xml
<Project Sdk="Microsoft.NET.Sdk.WindowsDesktop">
  <PropertyGroup>
    <AssemblyName>Client</AssemblyName>
    <GenerateAssemblyInfo>False</GenerateAssemblyInfo>
    <OutputType>WinExe</OutputType>
    <UseWindowsForms>True</UseWindowsForms>
    <TargetFramework>net452</TargetFramework>
  </PropertyGroup>
  <PropertyGroup>
    <LangVersion>12.0</LangVersion>
    <AllowUnsafeBlocks>True</AllowUnsafeBlocks>
  </PropertyGroup>
  <PropertyGroup>
    <ApplicationManifest>app.manifest</ApplicationManifest>
    <RootNamespace />
  </PropertyGroup>
  <ItemGroup>
    <None Remove="ILRepack.List" />
    <EmbeddedResource Include="ILRepack.List" LogicalName="ILRepack.List" />
  </ItemGroup>
  <ItemGroup>
    <Reference Include="System.Core" />
    <Reference Include="System.Xml" />
    <Reference Include="System.Security" />
    <Reference Include="System.Runtime.Serialization" />
    <Reference Include="System.Web" />
    <Reference Include="System.Management" />
    <Reference Include="System.ServiceModel" />
  </ItemGroup>
</Project>
```

This project file is the one ILSpy writes when it exports the decompiled assembly; it is reconstructed from the assembly's metadata and references rather than recovered from the author's build, so values such as LangVersion reflect the decompiler's C# setting, not the compiler the author used. The ILRepack.List embedded resource is left behind by ILRepack and shows that third-party libraries were merged into the single Client.exe.

| Field | Value |
|---|---|
| Project Type | .NET SDK-style Windows Forms desktop application |
| Target Framework | .NET Framework 4.5.2 (net452) |
| Output Type | WinExe (graphical executable, no console window) |
| Assembly Name | Client |
| Language Version | C# 12.0 |
| Unsafe Code Allowed | Yes (AllowUnsafeBlocks=True) |
| Windows Forms Enabled | Yes (UseWindowsForms=True) |
| Auto Assembly Info Generation | Disabled (GenerateAssemblyInfo=False) |
| Manifest File | app.manifest |
| Embedded Resource | ILRepack.List |
| Referenced Libraries | System.Core, System.Xml, System.Security, System.Runtime.Serialization, System.Web, System.Management, System.ServiceModel |

## AssemblyInfo.cs File Contents

```csharp
using System.Diagnostics;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Runtime.Versioning;
using System.Security;
using System.Security.Permissions;

[assembly: AssemblyDescription("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyProduct("Quasar")]
[assembly: AssemblyCopyright("Copyright © MaxXor 2020")]
[assembly: AssemblyTrademark("")]
[assembly: InternalsVisibleTo("Client.Tests")]
[assembly: ComVisible(false)]
[assembly: AssemblyFileVersion("1.4.0")]
[assembly: AssemblyTitle("Quasar Client")]
[assembly: AssemblyVersion("1.4.0.0")]
```

| Attribute | Value |
|---|---|
| Title | Quasar Client |
| Product | Quasar |
| Company | (empty) |
| Copyright | © MaxXor 2020 |
| File Version | 1.4.0 |
| Assembly Version | 1.4.0.0 |
| ComVisible | false (not visible to COM components) |
| InternalsVisibleTo | Client.Tests (likely for unit testing) |

MaxXor is the original author of Quasar RAT. These values match the stock Quasar 1.4.0 client, so whoever built this sample left the assembly metadata unchanged, which makes the title and copyright strings usable as static indicators.

## ThisAssembly.cs File Contents

```csharp
internal sealed class ThisAssembly
{
    internal const string AssemblyVersion = "2.4.0.0";
    internal const string AssemblyFileVersion = "2.4.6.0";
    internal const string AssemblyInformationalVersion = "2.4.6+g43df102394";
    internal const string AssemblyName = "protobuf-net";
    internal const string AssemblyTitle = "protobuf-net";
    internal const string AssemblyConfiguration = "Release";
    internal const string PublicKey = "002400000480000094000000060200000024000052534131000400000100010009ed9caa457bfc205716c3d4e8b255a63ddf71c9e53b1b5f574ab6ffdba11e80ab4b50be9c46d43b75206280070ddba67bd4c830f93f0317504a76ba6a48243c36d2590695991164592767a7bbc4453b34694e31e20815a096e4483605139a32a76ec2fef196507487329c12047bf6a68bca8ee9354155f4d01daf6eec5ff6bc";
    internal const string PublicKeyToken = "257b51d87d2e4d67";
    internal const string RootNamespace = "ProtoBuf";

    private ThisAssembly()
    {
    }
}
```

| Field | Value |
|---|---|
| Assembly Version | 2.4.0.0 |
| File Version | 2.4.6.0 |
| Informational Version | 2.4.6+g43df102394 |
| Assembly Name | protobuf-net |
| Title | protobuf-net |
| Configuration | Release |
| Public Key | 002400000480000094000000060200000024000052534131000400000100010009ed9caa457bfc205716c3d4e8b255a63ddf71c9e53b1b5f574ab6ffdba11e80ab4b50be9c46d43b75206280070ddba67bd4c830f93f0317504a76ba6a48243c36d2590695991164592767a7bbc4453b34694e31e20815a096e4483605139a32a76ec2fef196507487329c12047bf6a68bca8ee9354155f4d01daf6eec5ff6bc |
| Public Key Token | 257b51d87d2e4d67 |
| Root Namespace | ProtoBuf |

This class is protobuf-net's own generated version information, not Quasar code: protobuf-net 2.4.6 was merged into Client.exe with ILRepack (hence the ILRepack.List resource in the csproj). Quasar uses protobuf-net to serialize the IMessage objects it exchanges with the C2 server, so the library's strings travel with every build of the client.

## Deobfuscation

Approximately 60% of the obfuscated code has been recovered so far, which is enough to identify the command structure and operational behavior. The confirmed command set is listed below:

| File | Command | Action |
|---|---|---|
| IMessage_ClientUninstall.cs | ClientUninstall | Uninstall QuasarRAT |
| IMessage_CloseConnection.cs | CloseConnection | Close the C2 server connection |
| IMessage_GetSystemInfo.cs | GetSystemInfo | Get system information |
| IMessage_Keylogger.cs | Keylogger | Log keystrokes |
| IMessage_PasswordStealer.cs | PasswordStealer | Parse passwords from browsers and clients |
| IMessage_Process.cs | Process | Add/delete/modify processes |
| IMessage_Registry.cs | Registry | Add/delete/modify registry keys |
| IMessage_ReverseProxy.cs | ReverseProxy | Spawn a reverse proxy |
| IMessage_ShellExecute.cs | ShellExecute | Execute a shell command |
| IMessage_ShowMessageBox.cs | ShowMessageBox | Show a message box |
| IMessage_Shutdown.cs | Shutdown | Shut down the device |
| IMessage_StartupItem.cs | StartupItem | Add/delete/modify startup items |
| IMessage_VisitWebsite.cs | VisitWebsite | Open a website link |

QuasarRAT exchanges messages with its C2 server as objects that implement a common IMessage interface; each decompiled IMessage_*.cs file above is one concrete message type. Together they cover keylogging, shell command execution, password theft, process and registry manipulation, reverse proxying, startup persistence and self-uninstall.

Below is the list of Windows API functions that QuasarRAT imports through P/Invoke and uses during operation, grouped by the decompiled file that declares them:

| File | API | DLL |
|---|---|---|
| API_Windows.cs | LoadLibrary | kernel32.dll |
| API_Windows.cs | FreeLibrary | kernel32.dll |
| API_Windows.cs | GetProcAddress | kernel32.dll |
| API_Windows.cs | QueryFullProcessImageName | kernel32.dll |
| API_Windows.cs | BitBlt | gdi32.dll |
| API_Windows.cs | CreateDC | gdi32.dll |
| API_Windows.cs | DeleteDC | gdi32.dll |
| API_Windows.cs | GetLastInputInfo | user32.dll |
| API_Windows.cs | SetCursorPos | user32.dll |
| API_Windows.cs | SendInput | user32.dll |
| API_Windows.cs | SystemParametersInfo | user32.dll |
| API_Windows.cs | PostMessage | user32.dll |
| API_Windows.cs | OpenDesktop | user32.dll |
| API_Windows.cs | CloseDesktop | user32.dll |
| API_Windows.cs | EnumDesktopWindows | user32.dll |
| API_Windows.cs | IsWindowVisible | user32.dll |
| API_Windows.cs | GetForegroundWindow | user32.dll |
| API_Windows.cs | GetWindowText | user32.dll |
| API_Windows.cs | GetExtendedTcpTable | iphlpapi.dll |
| API_Windows.cs | SetTcpEntry | iphlpapi.dll |
| API_Windows_FileAPIs.cs | DeleteFile | kernel32.dll |
| API_Unknown6.cs | UrlCanonicalize | shlwapi.dll |
| API_Unknown6.cs | FileTimeToSystemTime | kernel32.dll |
| API_Unknown6.cs | SystemTimeToFileTime | kernel32.dll |
| API_Unknown6.cs | CompareFileTime | kernel32.dll |
| API_Unknown6.cs | SHGetFileInfo | shell32.dll |
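The import table above reads as a capability map once the names are grouped: BitBlt/CreateDC is screen capture, SendInput/SetCursorPos/PostMessage is remote desktop control, GetLastInputInfo tells the operator whether the victim is idle, GetForegroundWindow/GetWindowText supplies window context for the keylogger, and GetExtendedTcpTable/SetTcpEntry enumerates and kills TCP connections. The following added example (not part of the original report) turns that grouping and the assembly strings from the AssemblyInfo.cs and ThisAssembly.cs sections into a static triage check. .NET keeps P/Invoke names in the #Strings heap and custom-attribute string arguments as UTF-8 in the #Blob heap, so a byte search over an unpacked sample finds them. The capability grouping is this example's reading of the imports, and `SAMPLE_BLOB` is a constructed stand-in for a metadata heap, not bytes from the real sample.

```python
import re
from typing import Dict, List, Set

# Strings the decompiled AssemblyInfo.cs / ThisAssembly.cs put in the binary.
QUASAR_MARKERS = ["Quasar Client", "MaxXor", "ILRepack.List", "protobuf-net"]

# P/Invoke names from the API table, grouped by the capability they imply.
# This grouping is the example's own reading of the imports, not the report's.
CAPABILITIES: Dict[str, Set[str]] = {
    "dynamic API resolution": {"LoadLibrary", "GetProcAddress", "FreeLibrary"},
    "screen capture": {"BitBlt", "CreateDC", "DeleteDC"},
    "remote input / desktop control": {"SendInput", "SetCursorPos", "PostMessage",
                                       "OpenDesktop", "EnumDesktopWindows"},
    "user-idle detection": {"GetLastInputInfo"},
    "active-window tracking": {"GetForegroundWindow", "GetWindowText", "IsWindowVisible"},
    "TCP connection enumeration / kill": {"GetExtendedTcpTable", "SetTcpEntry"},
    "process inspection": {"QueryFullProcessImageName"},
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def ascii_strings(blob: bytes) -> Set[str]:
    """Printable runs of 4+ bytes, the in-process equivalent of `strings`."""
    return {m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)}


def _present(api: str, tokens: Set[str]) -> bool:
    # Accept the bare name and the A/W variants a P/Invoke EntryPoint may name.
    return api in tokens or api + "A" in tokens or api + "W" in tokens


def triage(blob: bytes) -> Dict[str, object]:
    """Report Quasar markers and implied capabilities found in a byte buffer."""
    found = ascii_strings(blob)
    tokens: Set[str] = set()
    for s in found:
        tokens.update(IDENT.findall(s))
    markers = [m for m in QUASAR_MARKERS if any(m in s for s in found)]
    caps: Dict[str, List[str]] = {}
    for name, apis in CAPABILITIES.items():
        hit = sorted(a for a in apis if _present(a, tokens))
        if hit:
            caps[name] = hit
    verdict = "likely Quasar client" if len(markers) >= 2 else "inconclusive"
    return {"quasar_markers": markers, "capabilities": caps, "verdict": verdict}


# Constructed stand-in for a metadata heap (NUL-separated names, SerString
# length prefixes on the attribute strings); not bytes from the real sample.
SAMPLE_BLOB = b"\x00".join([
    b"MZ\x90\x00", b"kernel32.dll", b"LoadLibrary", b"GetProcAddress",
    b"gdi32.dll", b"BitBlt", b"CreateDC", b"user32.dll", b"GetLastInputInfo",
    b"SendInput", b"iphlpapi.dll", b"GetExtendedTcpTable", b"SetTcpEntry",
    b"\x0dQuasar Client", b"\x18Copyright \xc2\xa9 MaxXor 2020",
    b"ILRepack.List", b"protobuf-net",
]) + b"\x00"


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BLOB), indent=2))
```

The check only works on an unpacked sample: a packer or crypter hides the metadata heaps until the payload is dropped, and name-mangling obfuscators can rename managed methods but not the export names the P/Invoke stubs must resolve, which is why the capability half of the check survives obfuscation better than the marker half.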

Below is the list of applications whose stored credentials QuasarRAT is capable of parsing, with the decompiled file that handles each:

| Application Name | File |
|---|---|
| Chrome | Parser_ChromeLoginData.cs |
| Opera | Parser_OperaLoginData.cs |
| Yandex | Parser_YandexLoginData.cs |
| Firefox | Parser_FirefoxLoginData.cs |
| IE (Internet Explorer) | Parser_IELoginData.cs |
| FileZilla | Parser_FileZillaLoginData.cs |
| WinSCP | Parser_WinSCPLoginData.cs |
Source: https://fuwari.vercel.app/posts/mal-250610-01-01/
Author: The Rusty
Published: 2025-06-10
License: CC BY-NC-SA 4.0