type: analysis
family: quasar
confidence: high
created: 2026-06-06
updated: 2026-06-06
tags: dotnet, rat, malware-family, c2, persistence, collection, defense-evasion, discovery, execution, mitre-attck
SHA-256: 0347df42837474af34bf984b151e6d34bc46c02082ce01a36296d384a1244e52

quasar: 0347df42 — Version 1.4.1.0 open-source .NET RAT, March 2023 build, unobfuscated

Executive Summary — A near-pristine build of the open-source Quasar remote-access trojan (v1.4.1.0, compiled March 2023). Unobfuscated .NET Framework PE32 with full type names, embedded third-party libraries, and plaintext version resources. No packing, no obfuscation, no CAPE detonation possible (no Windows guest). High-confidence family attribution via assembly metadata, namespace strings, and capa capability fingerprint matching known Quasar behaviour bundles.

What It Is

  • File: nungcac.exe, 3.3 MB (3,266,048 bytes) ^[file.txt]
  • Format: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, 3 sections ^[file.txt]
  • Compiler / toolchain: .NET Framework CIL, linker v8.0, compiled Sun Mar 12 16:16:39 2023 UTC ^[pefile.txt:34] ^[rabin2-info.txt:11]
  • Assembly version: 1.4.1.0 ^[pefile.txt:233] ^[exiftool.json:46]
  • Version info: FileDescription Quasar Client, ProductName Quasar, Copyright Copyright © MaxXor 2023, OriginalFilename Client.exe ^[exiftool.json:38-44]
  • Signed: No ^[rabin2-info.txt:27]
  • Packed / obfuscated: None. No ConfuserEx, no SmartAssembly, no Xenocode. Entropy of .text section 6.08 (typical for unobfuscated CIL). ^[pefile.txt:92]
  • Dynamic analysis: Skipped — no CAPE Windows guest available. ^[dynamic-analysis.md]

Family attribution is high-confidence: the binary contains the literal namespace strings Quasar.Client, Quasar.Common, Quasar.Common.Messages, and Quasar.Common.Enums throughout the string table. ^[strings.txt:101] ^[strings.txt:3091] The version-info block explicitly names the project and author. This is a stock build of the open-source Quasar RAT by MaxXor, not a forked or heavily modified variant.
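
A byte-level check for the attribution markers listed above, as an added example (not code from this report or the Quasar project). The thresholds mirror the report's YARA condition, and the sample buffer is constructed in code rather than read from the real file.

```python
"""Static triage for the attribution markers described above: Quasar namespace
strings, version-info fields, embedded library names and message-type names.

.NET metadata strings are UTF-8 while the VS_VERSIONINFO block is UTF-16LE, so
a byte-level scan has to look for both forms of every marker."""

NAMESPACES = ["Quasar.Client", "Quasar.Common",
              "Quasar.Common.Messages", "Quasar.Common.Enums"]
VERSION_INFO = ["Quasar Client", "Copyright \u00a9 MaxXor"]
LIBRARIES = ["protobuf-net, Version=", "BouncyCastle.Crypto, Version=",
             "Gma.System.MouseKeyHook, Version="]
MESSAGES = ["DoShellExecute", "DoStartupItemAdd", "GetPasswords"]
MAX_SIZE = 5 * 1024 * 1024  # same 5 MB bound as the report's YARA rule


def byte_forms(marker):
    """UTF-8 (identical to ASCII for plain markers) and UTF-16LE forms."""
    return (marker.encode("utf-8"), marker.encode("utf-16-le"))


def count_present(data, markers):
    """Number of markers found in data in either byte form."""
    return sum(1 for m in markers if any(f in data for f in byte_forms(m)))


def triage(data):
    """Return (is_quasar, hit_counts) for a raw PE image held in memory."""
    if data[:2] != b"MZ" or len(data) >= MAX_SIZE:
        return False, {}
    hits = {
        "namespaces": count_present(data, NAMESPACES),
        "version_or_libs": count_present(data, VERSION_INFO + LIBRARIES),
        "messages": count_present(data, MESSAGES),
    }
    # Same thresholds as the report's YARA condition
    verdict = (hits["namespaces"] == len(NAMESPACES)
               and hits["version_or_libs"] >= 3
               and hits["messages"] >= 2)
    return verdict, hits


def constructed_sample():
    """Constructed stand-in for the binary (not the real file): an MZ header,
    UTF-8 metadata strings, then UTF-16LE version-info strings."""
    blob = b"MZ" + b"\x00" * 62
    blob += b"\x00".join(m.encode("utf-8") for m in NAMESPACES + LIBRARIES + MESSAGES)
    blob += b"\x00".join(m.encode("utf-16-le") for m in VERSION_INFO)
    return blob


if __name__ == "__main__":
    print(triage(constructed_sample()))
```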

How It Works

Quasar is a modular .NET RAT with a plugin-like command architecture. The client binary (this sample) connects to a Quasar server (not embedded in the binary — configured at runtime or passed via command line / config file). Communication uses protobuf-net serialization over TCP sockets, wrapped in a custom message framing protocol. ^[strings.txt:100] ^[capa.txt]

Key modules visible in unobfuscated CIL metadata:

  • Keylogging: Global hooks via Gma.System.MouseKeyHook v5.6.130. ^[strings.txt:99] Capa detects log keystrokes via polling (2 matches). ^[capa.txt]
  • Credential harvesting: Quasar.Client.Recovery.Browsers namespace + capa gather chrome based browser login information. ^[strings.txt:3094] ^[capa.txt]
  • Remote shell: DoShellExecute / DoShellExecuteResponse message types. ^[strings.txt:6406] ^[strings.txt:6046]
  • File manager: Chunked file transfer via FileSplit + FileChunk. ^[strings.txt:3152] ^[strings.txt:6071]
  • Desktop / webcam capture: GetMonitors, MonitorIndex, DoWebcamStop, ImageCodecInfo, BitmapData. ^[strings.txt:12606] ^[strings.txt:9704]
  • Reverse proxy: ReverseProxyConnect, ReverseProxyDisconnect, GetReverseProxyByConnectionId. ^[strings.txt:13726] ^[strings.txt:6066]
  • System information: GetSystemInfo, GetSystemInfoResponse, OS version query, network interface enumeration, drive listing, process enumeration. ^[strings.txt:9423] ^[strings.txt:6054] ^[capa.txt]
  • Registry manipulation: Full read/write/delete on HKCU/HKLM; startup persistence via LocalMachineRun, CurrentUserRun, LocalMachineRunOnce, CurrentUserRunOnce. ^[strings.txt:9302] ^[strings.txt:4632] ^[strings.txt:12079]
  • Persistence: DoStartupItemAdd, DoStartupItemRemove, and capa schedule task via schtasks. ^[strings.txt:3817] ^[strings.txt:6611] ^[capa.txt]
  • Self-uninstall: DoClientUninstall. ^[strings.txt:8054]
  • Cryptography: BouncyCastle.Crypto v1.9.0 embedded for TLS handshakes and certificate handling; capa reports DPAPI encryption, ChaCha/Salsa20, SHA1/SHA256, and Base64 encode/decode. ^[strings.txt:97] ^[capa.txt]

No hardcoded C2 host, port, or password is visible in plaintext strings — Quasar stores this in a separate Settings file or the operator configures it at build time via the builder. Without runtime detonation or access to the companion config, C2 IOCs are not recoverable statically.

Decompiled Behavior

Ghidra analysis is not applicable for this sample. The binary is pure .NET CIL (not native x86 code) and Ghidra does not produce meaningful pseudo-C from CIL. ILSpy / dnSpy would be the correct tool. Because the assembly is completely unobfuscated, the behaviour described above is recoverable directly from static strings, capa, and pefile metadata without requiring decompiler output. No control-flow obfuscation, no string encryption, no anti-debug checks, and no anti-VM logic were identified.

C2 Infrastructure

Not recoverable statically. The Quasar builder produces a client binary without embedded C2 credentials; the server host/port/password are injected into the client at build time, but the resulting config is not stored as a plaintext resource in this sample. No IP addresses, domains, or URL patterns were found in the string table. Without dynamic execution or access to the builder output / campaign artifacts, C2 IOCs are absent.

Interesting Tidbits

  • Author attribution in plaintext: The version-info block contains the real name of the open-source project (Quasar) and author (MaxXor). Threat actors made zero effort to strip this. ^[exiftool.json:42]
  • Third-party library bloat: The 3.3 MB size is largely due to embedded BouncyCastle.Crypto (TLS/crypto) and protobuf-net (serialization) rather than malware logic.
  • No evasion at all: No anti-VM, no anti-debug, no sandbox detection, no sleep loops, no WMI/CPUID checks. This is a stock open-source build dropped straight onto a victim.
  • Startup item naming: The StartupItem class uses generic registry run keys (LocalMachineRun, CurrentUserRunOnce) rather than the more obvious Quasar name, suggesting some operational awareness from the actor configuring the builder. ^[strings.txt:1727]
  • FLOSS failure: The flare-floss invocation failed with an argument-parsing error (--no flag collision with the sample path). ^[floss.txt] Decoded strings were unnecessary anyway — the assembly is unobfuscated.

How To Mess With It (Homelab Replication)

Goal: Build your own Quasar client and compare its capa fingerprint to this sample.

  1. Clone the public repository: git clone https://github.com/quasar/Quasar.git
  2. Checkout tag v1.4.1 (or near-March-2023 commit).
  3. Open Quasar.sln in Visual Studio 2019/2022.
  4. Build the Client project in Release mode targeting .NET Framework 4.8 (or 4.5.2 depending on the branch).
  5. The output Client.exe will carry the same capa namespace hits: compiled to the .NET platform, create TCP socket, send data, receive data, encode data using Base64, hash data using SHA1, log keystrokes via polling, query or enumerate registry key, create process in .NET, etc.
  6. Verification: Run capa Client.exe. The capability table should closely match this sample's capa.txt — expect ~60+ host-interaction hits, ~10 communication hits, and the same ATT&CK tactic coverage (Collection, Credential Access, Defense Evasion, Discovery, Execution, Persistence).
  7. Learning outcome: You will see exactly how an unobfuscated .NET RAT looks in strings, capa, and pefile — useful baseline for spotting obfuscated variants later.
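
A small comparison script for step 6, as an added example (not code from this report or the capa project): it diffs the rule hits of two capa JSON reports and tallies ATT&CK tactic coverage. It assumes the layout of `capa -j` output (a top-level `rules` object keyed by rule name, each with `meta.attack` entries carrying `tactic` and `id`); the two reports in the block are constructed stand-ins, not the real capa.txt.

```python
"""Diff the capability fingerprints of a homelab Client.exe and this sample."""
import json
from collections import Counter


def load(path):
    """Read a `capa -j` report from disk (assumed layout: top-level 'rules')."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def capabilities(report):
    """Map rule name -> set of ATT&CK ids, taken from each rule's meta.attack."""
    return {name: {a["id"] for a in rule["meta"].get("attack", [])}
            for name, rule in report["rules"].items()}


def tactic_coverage(report):
    """Matched rules per ATT&CK tactic (the 'tactic coverage' step 6 compares)."""
    return Counter(a["tactic"] for rule in report["rules"].values()
                   for a in rule["meta"].get("attack", []))


def compare(sample, homelab):
    """Rule hits only in the sample, only in the homelab build, and in both."""
    s, h = set(capabilities(sample)), set(capabilities(homelab))
    return {"sample_only": sorted(s - h), "homelab_only": sorted(h - s),
            "shared": sorted(s & h)}


def _rule(tactic=None, tid=None):
    """Build one constructed rule entry in the assumed capa JSON shape."""
    attack = [{"tactic": tactic, "technique": "", "id": tid}] if tid else []
    return {"meta": {"attack": attack}, "matches": {}}


# Constructed reports: a subset of the hits listed for this sample, and a
# homelab build that lacks the browser-credential rule but adds a Base64 hit.
SAMPLE = {"rules": {
    "log keystrokes via polling": _rule("Collection", "T1056.001"),
    "gather chrome based browser login information": _rule("Credential Access", "T1555.003"),
    "schedule task via schtasks": _rule("Persistence", "T1053.005"),
    "create TCP socket": _rule(),
}}
HOMELAB = {"rules": {
    "log keystrokes via polling": _rule("Collection", "T1056.001"),
    "schedule task via schtasks": _rule("Persistence", "T1053.005"),
    "create TCP socket": _rule(),
    "encode data using Base64": _rule("Defense Evasion", "T1027"),
}}

if __name__ == "__main__":
    print(json.dumps(compare(SAMPLE, HOMELAB), indent=2))
    print(dict(tactic_coverage(SAMPLE)))
```

Against real reports, call `compare(load("sample.json"), load("homelab.json"))`; rules that appear only on one side are the first place to look when the fingerprints diverge.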

Deployable Signatures

YARA rule

rule quasar_rat_unobfuscated
{
    meta:
        description = "Unobfuscated Quasar RAT client — v1.4.x build fingerprint"
        author = "Titus"
        date = "2026-06-06"
        sha256 = "0347df42837474af34bf984b151e6d34bc46c02082ce01a36296d384a1244e52"
    strings:
        // .NET namespace strings left in the metadata tables of an unobfuscated build
        $quasar_client = "Quasar.Client" ascii wide
        $quasar_common = "Quasar.Common" ascii wide
        $quasar_messages = "Quasar.Common.Messages" ascii wide
        $quasar_enums = "Quasar.Common.Enums" ascii wide
        // The version-info block is UTF-16LE, so these are wide only. The copyright
        // sign is written as \xa9, its UTF-16LE code unit: a raw UTF-8 "©" is two
        // bytes (C2 A9), and "wide" would interleave each with a null, which never
        // matches the real block.
        $version1 = "Quasar Client" wide
        $version2 = "Copyright \xa9 MaxXor" wide
        // Embedded third-party assemblies
        $pb_net = "protobuf-net, Version=" ascii wide
        $bc_crypto = "BouncyCastle.Crypto, Version=" ascii wide
        $mousehook = "Gma.System.MouseKeyHook, Version=" ascii wide
        // Message-type names from the command architecture
        $msg_doshell = "DoShellExecute" ascii wide
        $msg_startupadd = "DoStartupItemAdd" ascii wide
        $msg_getpasswords = "GetPasswords" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of ($quasar_*) and
        3 of ($version*, $pb_net, $bc_crypto, $mousehook) and
        2 of ($msg_*)
}

Sigma rule

title: Quasar RAT Client Execution
status: experimental
description: Process creation of an unobfuscated Quasar RAT client, identified by the plaintext version-info fields this build carries
logsource:
    category: process_creation
    product: windows
detection:
    # Version-info fields are the strongest single indicator for this unobfuscated build
    selection_pe:
        - Product: 'Quasar'
        - Description: 'Quasar Client'
    # 'Client.exe' on its own is far too generic to alert on, so it only counts
    # together with the command line
    selection_img:
        - Image|endswith: '\Client.exe'
        - OriginalFileName: 'Client.exe'
    selection_cmdline:
        CommandLine|contains: 'Quasar'
    condition: selection_pe or (selection_img and selection_cmdline)
falsepositives:
    - Legitimate Quasar remote administration tool use (rare in enterprise; correlate with approved software inventory)
level: high
# A Sigma rule has exactly one logsource, so the image-load indicators
# (Gma.System.MouseKeyHook, protobuf-net, BouncyCastle.Crypto loaded as modules)
# and the network indicators (outbound TCP to 4782-4785, User-Agent containing
# 'Quasar') from the first draft belong in separate rules under category
# image_load and network_connection / proxy. Note that this build embeds those
# libraries in the 3.3 MB executable, so a separate image-load event may never occur.

IOC list

| Type | Value | Notes |
|---|---|---|
| SHA256 | 0347df42837474af34bf984b151e6d34bc46c02082ce01a36296d384a1244e52 | This sample |
| File name | nungcac.exe | Observed on disk |
| Original filename | Client.exe | Version-info field |
| File description | Quasar Client | Version-info field |
| Product name | Quasar | Version-info field |
| Assembly version | 1.4.1.0 | .NET metadata |
| Library | protobuf-net, Version=2.4.0.0 | Embedded serialization lib |
| Library | BouncyCastle.Crypto, Version=1.9.0.0 | Embedded crypto lib |
| Library | Gma.System.MouseKeyHook, Version=5.6.130.0 | Global hook lib |
| Registry key | HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Startup persistence (generic) |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Startup persistence (generic) |
| Scheduled task | Created via schtasks | capa detection; generic pattern |

Behavioral fingerprint

This binary is an unobfuscated .NET Framework PE32 executable claiming to be "Quasar Client" by "MaxXor". On execution it will load Gma.System.MouseKeyHook for global keyboard capture, initialise a protobuf-net TCP transport layer, and open outbound TCP connections to an operator-configured C2 server. It enumerates the local system (processes, drives, registry, network interfaces), logs keystrokes, captures screenshots and webcam frames, and supports remote shell execution and file-manager operations. Persistence is established via registry Run keys or scheduled tasks. No sandbox evasion, no anti-debug, and no packing is present — a stock open-source RAT build.

Detection Signatures

capa → MITRE ATT&CK mapping (static-only, no runtime confirmation from CAPE):

| capa capability | ATT&CK technique |
|---|---|
| gather chrome based browser login information | T1555.003 |
| log keystrokes via polling | T1056.001 |
| reference WMI statements / access WMI data | T1047 |
| schedule task via schtasks | T1053.005 |
| encode/decode data using Base64 | T1140 / T1027 |
| encrypt data using DPAPI | T1553.005 (Mark-of-the-Web bypass context) |
| create TCP socket / send data / receive data | — (generic communication) |
| query or enumerate registry key/value | T1012 |
| create process in .NET | T1129 |
| set registry value | T1112 |
| enumerate processes | T1057 |
| get OS version / get hostname / get MAC address | T1082 |
| get geographical location | T1614 |
| bypass Mark of the Web | T1553.005 |

References

  • Open-source project: https://github.com/quasar/Quasar (MaxXor)
  • Artifact ID: 640a9413-3451-441b-a123-7547327c5d2b
  • Source: OpenCTI → MalwareBazaar
  • Family page: quasar

Provenance

  • This report synthesized from static analysis outputs in raw/analyses/0347df42837474af34bf984b151e6d34bc46c02082ce01a36296d384a1244e52/:
    • file.txt, pefile.txt, exiftool.json, rabin2-info.txt — build metadata and version info
    • strings.txt — unobfuscated .NET namespace and message-type enumeration
    • capa.txt — capability detection and ATT&CK mapping (static scope)
    • binwalk.txt — embedded crypto constants (AES S-Box, SHA256, Base64 table) from BouncyCastle
    • floss.txt — command-line invocation failure; no decoded strings needed
    • dynamic-analysis.md — CAPE skipped (no Windows guest)
  • Tools: file v5.44, pefile 2023.2.7, ExifTool 12.76, radare2 5.9.2, capa v8.0.1, flare-floss (failed invocation), binwalk 2.3.2