typeentityfamilyquasarconfidencehighcreated2026-06-06updated2026-06-07dotnetratmalware-familyc2persistencecollectiondiscoveryexecutiondefense-evasionmitre-attck

Quasar

Open-source .NET remote-access trojan (RAT) by MaxXor. Public on GitHub since ~2014. Modular client–server architecture with a builder GUI. Often seen in commodity trojan campaigns with little or no modification beyond C2 host/port configuration.

Build Stack Typically Observed

Language: C# (.NET Framework 4.5.2 – 4.8)
Target: PE32 CIL executable (sometimes AnyCPU)
Linker: .NET 8.0 (from pefile MajorLinkerVersion field) ^[raw/analyses/0347df428374/0347df42report.md]
Libraries: protobuf-net (MessagePack-style TCP framing), BouncyCastle.Crypto v1.9 (TLS + cert handling), Gma.System.MouseKeyHook v5.6 (global keyboard hooking)
No packer; no obfuscation on stock builds. Community variants sometimes packed with ConfuserEx or dotfuscator.
Version resources: Quasar Client, Quasar, Copyright © MaxXor YYYY, OriginalFilename: Client.exe

Deploy / TTPs Typically Observed

C2: Protobuf-net serialized TCP channel. No hardcoded credentials in client binary; injected at build time. Default builder ports vary by campaign.
Persistence: Registry Run keys (HKLM / HKCU) or schtasks scheduled tasks. ^[raw/analyses/0347df428374/0347df42report.md]
Collection: Keylogging, screenshot capture, webcam capture, clipboard monitoring, browser credential recovery (Chrome/Chromium-based), WiFi password recovery, file manager.
Execution: Remote shell via DoShellExecute, file upload/download, reverse proxy (SOCKS-like tunneling), process kill, restart, shutdown.
Discovery: System info, geo-location, process list, network interfaces, drives, registry enumeration, WMI queries.
Evasion: Stock builds have none. Modified variants may add anti-VM or sleep gates.
Registry abuse: Run keys are manipulated with generic names like Client or Windows Update rather than Quasar. ^[raw/analyses/0347df428374/0347df42report.md]

Variants / Aliases

No known aliases in the wild other than "Quasar" itself. Builder allows operators to rename the output file, so on-disk names vary (nungcac.exe, svchost.exe, etc.).
Sibling SHA-256s in corpus (no deep reports yet):
- 24010dbf184c266f0f730e8be8b15e1401eddf2d72f33e5d5eab65b43942127b
- 007c13a26d76a1281519960109bbf040ebdf5c497b00d4ffe0d0ac417cd8d33b
- 62f608d61b28702ca4adadd574f3761c79860bd08da402e3129ab19176f7da9a
- 4deebf56cf37840df28dcc8cbaaff10223300a0834f564aff2b89d3875abd900
- 77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9

Capabilities

tls-c2-protobuf-tcp
registry-Run-persistence
scheduled-task-persistence
keylogging-global-hooks
screenshot-capture
webcam-capture
remote-shell-execution
file-manager-upload-download
reverse-proxy-socks
browser-credential-recovery-chrome
clipboard-hijack
process-enumeration-termination
system-information-discovery
wmi-queries
geo-location-query
anti-evasion-none-stock-builds

protobuf-net-asymmetric-client-rat-protocol — MessagePack-style framed TCP protocol observed across AsyncRAT and Quasar.
dotnet-manifest-resource-decryption — .NET payload carriers (not applicable here but common in obfuscated .NET malware).

Notable Analyses

0347df42 — Version 1.4.1.0 unobfuscated build, March 2023. Full static deep-dive. No CAPE detonation.
0a47be72 — Identical sibling build (Client-built.exe), same timestamp and ssdeep. No new TTPs.

> Family · Quasar_