QuasarRAT

QuasarRAT is an open-source remote access tool that is publicly available on GitHub. It is developed in C#. [1] [2]

ID: S0262
Aliases: QuasarRAT, xRAT
Type: TOOL
Platforms: Windows

Version: 1.0

Alias Descriptions

| Name | Description |
|---|---|
| QuasarRAT | [1] [2] [3] |
| xRAT | [3] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1116 | Code Signing | A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.[2] |
| Enterprise | T1059 | Command-Line Interface | QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[1] |
| Enterprise | T1090 | Connection Proxy | QuasarRAT can communicate over a reverse proxy using SOCKS5.[1][2] |
| Enterprise | T1003 | Credential Dumping | QuasarRAT can obtain passwords from common browsers and FTP clients.[1][2] |
| Enterprise | T1081 | Credentials in Files | QuasarRAT can obtain passwords from common browsers and FTP clients.[1][2] |
| Enterprise | T1056 | Input Capture | QuasarRAT has a built-in keylogger.[1][2] |
| Enterprise | T1036 | Masquerading | QuasarRAT has dropped binaries as files named microsoft_network.exe and crome.exe.[2] |
| Enterprise | T1112 | Modify Registry | QuasarRAT has a command to edit the Registry on the victim’s machine.[1] |
| Enterprise | T1076 | Remote Desktop Protocol | QuasarRAT has a module for performing remote desktop access.[1][2] |
| Enterprise | T1105 | Remote File Copy | QuasarRAT can download files to the victim’s machine and execute them.[1][2] |
| Enterprise | T1053 | Scheduled Task | QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.[2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | QuasarRAT uses AES to encrypt network communication.[1][2] |
| Enterprise | T1082 | System Information Discovery | QuasarRAT has a command to gather system information from the victim’s machine.[1] |
| Enterprise | T1125 | Video Capture | QuasarRAT can perform webcam viewing.[1][2] |

Groups

Groups that use this software:

Gorgon Group
Patchwork

References