type: analysis | family: quasar | confidence: high | created: 2026-06-07 | updated: 2026-06-07
tags: dotnet, rat, malware-family, c2, persistence, collection, defense-evasion, discovery, execution, mitre-attck
SHA-256: 0a47be7287819c40071eef9e3a88157647b9c79918f5975ff5ee27f7e0250abb

quasar: 0a47be72 — Sibling build of v1.4.1.0, March 2023

Executive Summary — A second unobfuscated build of the open-source Quasar RAT (v1.4.1.0) carrying the same PE timestamp as sibling 0347df42 (Sun Mar 12 16:16:39 2023 UTC; see Sibling Delta for why a shared timestamp is expected from the Quasar builder). Identical assembly metadata, embedded libraries, and capability fingerprint; the SHA-256 differs, so some bytes differ, but the only observable delta is the output filename (Client-built.exe). High-confidence family attribution. No new TTPs vs. the 0347df42 sibling. Static-only (no CAPE detonation).

What It Is

  • File: Client-built.exe, 3.3 MB (3,266,048 bytes) ^[file.txt]
  • Format: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, 3 sections ^[file.txt]
  • Compiler / toolchain: .NET Framework CIL; PE MajorLinkerVersion 8.0 (a compiler stamp, not a runtime version); PE timestamp Sun Mar 12 16:16:39 2023 UTC ^[pefile.txt] ^[rabin2-info.txt:11]
  • Assembly version: 1.4.1.0 ^[pefile.txt:233] ^[exiftool.json:46]
  • Version info: FileDescription "Quasar Client", ProductName "Quasar", LegalCopyright "Copyright © MaxXor 2023", OriginalFilename "Client.exe" ^[exiftool.json:38-44]
  • Signed: No ^[rabin2-info.txt:27]
  • Packed / obfuscated: None. Entropy of .text section 6.08. ^[pefile.txt:92]
  • Dynamic analysis: Skipped — no CAPE Windows guest available. ^[dynamic-analysis.md]

Family attribution is high-confidence: Quasar.Common, Version=1.4.1.0 ^[strings.txt:101], Quasar Client version-info ^[exiftool.json:38], and capa capability bundle matching the known Quasar profile. This is a stock build, not a fork.

Build / RE

Identical to sibling 0347df42 in every toolchain observable:

  • Language: C# (.NET Framework 4.x), CIL PE32 ^[file.txt]
  • Linker stamp: MajorLinkerVersion 0x8, MinorLinkerVersion 0x0 (pefile) ^[pefile.txt:45]. This byte is written by the C# compiler and does not identify the runtime; it is not ".NET 8.0". The public v1.4.1 source targets .NET Framework 4.5.2; the TargetFrameworkAttribute was not pulled from this sample to confirm.
  • Libraries: BouncyCastle.Crypto v1.9.0.0 ^[strings.txt:97], protobuf-net v2.4.0.0 ^[strings.txt:100], Gma.System.MouseKeyHook v5.6.130.0 ^[strings.txt:99]
  • No packer: No ConfuserEx, SmartAssembly, Xenocode, or UPX. .text entropy 6.08 (typical for unobfuscated CIL). ^[pefile.txt:92]
  • No anti-analysis: No anti-VM, anti-debug, sandbox gates, sleep loops, or WMI/CPUID checks identified in strings or capa. ^[capa.txt]
  • Code quality: Stock open-source. Full namespace strings unobfuscated. No control-flow flattening or string encryption.
  • Signing: Unsigned. ^[rabin2-info.txt:27]
  • Embedded resources: Standard .NET manifest + version resources. No encrypted RCData or bitmap stego carriers. ^[pefile.txt:257]
  • FLOSS: run failed (a `--no` option collision in the invocation); not needed here since every string is already plaintext. ^[floss.txt]
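
As an added example (not part of the original analysis or of the Quasar project), a standard-library reader for the three PE header fields this section relies on: the COFF TimeDateStamp, the optional-header linker stamp, and the CLR runtime header (data directory slot 14) whose presence is what makes an image a .NET assembly. It runs against a constructed, header-only PE32 image rather than the sample; point `read_pe_fields` at real file bytes to reproduce the pefile/rabin2 values above.

```python
"""Read the PE header fields cited in the Build/RE section with the standard library only.

Added example for this report; not code from the sample or from Quasar.
"""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR runtime header


def read_pe_fields(data: bytes) -> dict:
    """Return machine, section count, timestamp, linker stamp and .NET flag from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # Optional header starts with Magic, MajorLinkerVersion, MinorLinkerVersion.
    # The linker bytes are a stamp written by the compiler (old csc wrote 8.0,
    # Roslyn writes 48.0); they say nothing about the target runtime.
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                 .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "linker": f"{major_linker}.{minor_linker}",
        # A non-empty CLR header is the reliable .NET indicator, not the linker stamp.
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_test_image(timestamp: int, major_linker: int, minor_linker: int, dotnet: bool) -> bytes:
    """Constructed header-only PE32 image (not a real sample) for exercising the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, opt_size, 0x0102)
    opt = (struct.pack("<HBB", 0x10B, major_linker, minor_linker)
           + b"\0" * (92 - 4) + struct.pack("<I", 16))
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)  # arbitrary RVA/size
    dirs_bytes = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + coff + opt + dirs_bytes


if __name__ == "__main__":
    # 1678637799 is the report's timestamp, Sun Mar 12 16:16:39 2023 UTC.
    image = build_test_image(1678637799, 8, 0, True)
    for k, v in read_pe_fields(image).items():
        print(f"{k:14} {v}")
```

Against a real file, `read_pe_fields(open(path, "rb").read())` gives the same fields; compare `timestamp_utc` across the two siblings and note that the linker value is identical for every client the same Quasar release emits.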

Deploy / ATT&CK

Static capability fingerprint is identical to 0347df42. No new TTPs.

Tactic            | Technique                                                                       | Evidence
Collection        | T1056.001 Input Capture: Keylogging                                             | Gma.System.MouseKeyHook; capa "log keystrokes via polling" ^[strings.txt:99] ^[capa.txt]
Collection        | T1213 Data from Information Repositories                                        | capa "gather chrome based browser login information" ^[capa.txt]. Loose mapping; the precise technique is T1555.003 in the next row.
Credential Access | T1555.003 Credentials from Password Stores: Credentials from Web Browsers       | Quasar.Client.Recovery.Browsers, GetPasswordsResponse ^[strings.txt:12406] ^[strings.txt:6061]
Defense Evasion   | T1027 Obfuscated Files or Information                                           | Not applicable: the build is unobfuscated. Generic capa hit. ^[capa.txt]
Defense Evasion   | T1140 Deobfuscate/Decode Files or Information                                   | Base64 encode/decode routines flagged by capa ^[capa.txt]
Defense Evasion   | T1562 Impair Defenses                                                           | Generic capa hit; no specific defence-impairment logic observed. ^[capa.txt]
Discovery         | T1010 Application Window Discovery                                              | capa "enumerate gui resources" ^[capa.txt]
Discovery         | T1082 System Information Discovery                                              | GetSystemInfoResponse; capa OS-version and geo-location hits ^[capa.txt]
Discovery         | T1083 File and Directory Discovery                                              | GetDirectoryResponse, GetDrivesResponse ^[strings.txt:6076] ^[strings.txt:6063]
Discovery         | T1057 Process Discovery                                                         | GetProcessesResponse, GetProcessesByName ^[strings.txt:6062] ^[strings.txt:5403]
Execution         | T1047 Windows Management Instrumentation                                        | capa "reference WMI statements" (5 matches) ^[capa.txt]
Execution         | T1129 Shared Modules                                                            | Generic capa hit. The cited Quasar.Common.Messages strings are the protobuf command dispatcher, not module loading. ^[capa.txt]
Persistence       | T1053.005 Scheduled Task/Job: Scheduled Task                                    | capa "schedule task via schtasks" (2 matches) ^[capa.txt]
Persistence       | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | LocalMachineRun, CurrentUserRunOnce, DoStartupItemAdd ^[strings.txt:9302] ^[strings.txt:4632] ^[strings.txt:3817]

C2: protobuf-net serialized messages over TCP (Quasar.Common.Messages). No host, port or key material appears in plaintext strings. In stock Quasar v1.4 the builder writes the HOSTS, TAG, MUTEX, STARTUPKEY, INSTALLNAME, SERVERCERTIFICATESTR and related Settings fields as base64 blobs of HMAC-SHA256 || IV || AES-256-CBC ciphertext, with the AES and HMAC keys derived by PBKDF2 from the ENCRYPTIONKEY string, and that ENCRYPTIONKEY sits in the clear in the same Settings class. The configuration is therefore recoverable statically by pulling the string operands from the Settings static constructor (dnSpy/ILSpy) and decrypting them; that step was not performed in this pass. ^[capa.txt]

Persistence: Registry Run keys + scheduled tasks. Startup items use generic names (Client, Windows Update) per builder config. ^[strings.txt:3817] ^[capa.txt]

Lateral movement / exfil: No lateral-movement capabilities observed (no SMB, PsExec, WMI lateral movement). Exfil via the C2 channel only.

Sibling Delta

Attribute          | 0347df42                     | 0a47be72
SHA-256 prefix     | 0347df42                     | 0a47be72
Filename           | nungcac.exe                  | Client-built.exe
PE timestamp       | Sun Mar 12 16:16:39 2023 UTC | Sun Mar 12 16:16:39 2023 UTC
Assembly version   | 1.4.1.0                      | 1.4.1.0
Size               | 3,266,048 bytes              | 3,266,048 bytes
ssdeep             | 49152:zvme821/...            | 49152:zvme821/... (identical)
Capabilities       | Identical                    | Identical

Conclusion: Two clients produced from the same Quasar v1.4.1.0 release, configured with different output filenames and no functional delta. The shared timestamp is not evidence of a shared build session: the Quasar server ships a pre-compiled client stub and its builder patches the Settings constants in that stub with dnlib, so every client produced from a given release carries the stub's timestamp. A differing SHA-256 at identical size and identical ssdeep fits a small, localized byte delta such as re-encrypted Settings fields (fresh IV per build); diffing the two Settings static constructors would confirm it.

How To Mess With It

Same as sibling 0347df42: clone the public repo, build v1.4.1 in Release mode, and compare capa fingerprints. The identical ssdeep does not show that the builder produces deterministic output; the two samples have different SHA-256 hashes, so some bytes differ. ssdeep (context-triggered piecewise hashing) tolerates small localized changes, so a matching hash shows only that the delta is small, which is what patching a handful of Settings strings in a pre-compiled stub produces. Diff the Settings .cctor string operands in dnSpy or ILSpy to see the actual delta.

Deployable Signatures

No new signatures required — use the existing Quasar YARA and Sigma rules deployed for the 0347df42 sibling.