QuasarRAT

QuasarRAT is an open-source, remote access tool that is publicly available on GitHub. QuasarRAT is developed in the C# language. [1] [2]

ID: S0262
Associated Software: xRAT
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 28 March 2020

Associated Software Descriptions

Name Description
xRAT

[3]

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[1]

Enterprise T1555 Credentials from Password Stores

QuasarRAT can obtain passwords from common FTP clients.[1][2]

.003 Credentials from Web Browsers

QuasarRAT can obtain passwords from common web browsers.[1][2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

QuasarRAT uses AES to encrypt network communication.[1][2]

Enterprise T1105 Ingress Tool Transfer

QuasarRAT can download files to the victim’s machine and execute them.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

QuasarRAT has a built-in keylogger.[1][2]

Enterprise T1112 Modify Registry

QuasarRAT has a command to edit the Registry on the victim’s machine.[1]

Enterprise T1090 Proxy

QuasarRAT can communicate over a reverse proxy using SOCKS5.[1][2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

QuasarRAT has a module for performing remote desktop access.[1][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.[2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.[2]

Enterprise T1082 System Information Discovery

QuasarRAT has a command to gather system information from the victim’s machine.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

QuasarRAT can obtain passwords from FTP clients.[1][2]

Enterprise T1125 Video Capture

QuasarRAT can perform webcam viewing.[1][2]

Groups That Use This Software

ID Name References
G0078 Gorgon Group

[4]

G0040 Patchwork

[3][2]

G0045 menuPass

[5][6]

References