QuasarRAT - How to Detect

Last updated: 2026-04-01

QuasarRAT Detection and Analysis Guide

Behavioral Indicators

QuasarRAT exhibits several distinct runtime behaviors that can be detected through process monitoring and API call analysis. Upon execution, the malware typically injects itself into legitimate processes, commonly targeting explorer.exe, svchost.exe, or other system processes to evade detection. The injection is often performed via process hollowing or DLL injection techniques.

Monitor for processes that spawn child processes and then quickly exit, particularly if the parent process is a common user application like a web browser or document viewer. QuasarRAT often uses this technique to establish persistence while minimizing its footprint. The malware will attempt to disable security software by terminating processes related to antivirus and EDR solutions, and may attempt to modify Windows Defender settings via PowerShell commands or registry modifications.

Credential access patterns include dumping credentials from the Local Security Authority Subsystem Service (LSASS) using techniques like Mimikatz-style extraction or direct memory reading. QuasarRAT may also scrape credentials from web browsers, email clients, and FTP applications stored on the system. Look for unusual access to credential storage locations, particularly by processes that don’t normally access these resources. The malware will also attempt to log keystrokes via keyboard hooks and capture clipboard data through regular polling of clipboard contents.
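The parent-child and Defender-tampering behaviours described above, as an added example in Python that is not part of this guide: it triages constructed Sysmon-style process events, flagging a process launched by a user application that spawns a child and exits within seconds, and PowerShell invocations that weaken Defender. The event layout, the list of user-application parents and the sample records are assumptions.

```python
import re
from datetime import datetime

# Parent images treated as unusual launch points (assumption: a short list
# standing in for an environment-specific baseline of user applications).
USER_APP_PARENTS = {"chrome.exe", "firefox.exe", "msedge.exe",
                    "winword.exe", "excel.exe", "acrord32.exe"}
SHORT_LIVED_SECONDS = 5.0

# Defender-weakening PowerShell usage; Set-/Add-MpPreference are real cmdlets,
# the choice of switches to flag is an assumption.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-Disable\w+|Add-MpPreference\b.*-Exclusion\w+|"
    r"DisableAntiSpyware", re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """events: dicts with pid, ppid, image, parent_image, cmdline, start, end
    (ISO-8601 strings; end is None while the process is still running).
    Returns a list of alert strings, one per matching event."""
    spawners = {e["ppid"] for e in events}  # pids that created at least one child
    alerts = []
    for e in events:
        parent = _basename(e["parent_image"])
        if parent in USER_APP_PARENTS and e["pid"] in spawners and e["end"]:
            lived = (datetime.fromisoformat(e["end"])
                     - datetime.fromisoformat(e["start"])).total_seconds()
            if lived <= SHORT_LIVED_SECONDS:
                alerts.append(f"pid {e['pid']} ({_basename(e['image'])}) launched by "
                              f"{parent}, spawned a child and exited after {lived:.0f}s")
        if _basename(e["image"]) == "powershell.exe" and DEFENDER_TAMPER.search(e["cmdline"]):
            alerts.append(f"pid {e['pid']} changes Defender settings: {e['cmdline']}")
    return alerts

# Constructed sample: a browser-launched dropper starts a fresh explorer.exe
# (hollowing target) and exits, then that explorer.exe disables real-time scanning.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3000, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "invoice.exe", "start": "2026-04-01T10:00:00", "end": "2026-04-01T10:00:02"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "cmdline": "explorer.exe", "start": "2026-04-01T10:00:01", "end": None},
    {"pid": 4200, "ppid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
     "start": "2026-04-01T10:00:05", "end": "2026-04-01T10:00:06"},
]
```

The short-lived check deliberately requires the process to have created a child, so ordinary installers launched from a browser that exit without spawning anything are not flagged.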

Network Indicators

QuasarRAT communicates with its command and control (C2) servers primarily over TCP, though some variants may use HTTP or HTTPS to blend with normal web traffic. The default port is often 4782, but this is configurable by the attacker. Beaconing intervals typically range from 30 seconds to 5 minutes, with some variants implementing jitter to avoid predictable patterns.

DNS queries often follow a pattern of requesting subdomains with random strings or encoded data, which may resolve to dynamic DNS services or compromised legitimate domains. The malware may use domain generation algorithms (DGAs) as a fallback communication method if primary C2 servers are unavailable. Look for regular outbound connections to uncommon TLDs or newly registered domains.

Data exfiltration occurs in chunks, often compressed and encrypted before transmission. The malware may use base64 encoding or XOR encryption with a single-byte key for basic obfuscation. Command and control traffic typically follows a specific structure: a preamble (often “QUASAR” or similar identifier), followed by the client identifier, command type, and payload. Network monitoring should look for these patterns in packet payloads, particularly in traffic to non-standard ports from processes that don’t normally generate network activity.
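The beaconing pattern described above (30 s to 5 min intervals, optionally with jitter, default port 4782) turned into detection logic over constructed flow records; this is an added example, not code from the guide. The record layout, the jitter tolerance and the minimum connection count are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_INTERVAL, MAX_INTERVAL = 30.0, 300.0  # seconds, the guide's beacon range
MAX_JITTER_CV = 0.35      # assumption: tolerated coefficient of variation
MIN_CONNECTIONS = 6       # assumption: fewer gaps give no reliable interval

def find_beacons(flows):
    """flows: iterable of (epoch_seconds, process_image, dst_ip, dst_port).
    Groups connections per (process, destination, port) and flags a group as
    beacon-like when its mean gap lies in the guide's range and the gaps are
    regular enough (low spread), which survives the jitter some variants add.
    Returns {(process, dst_ip, dst_port): (mean_gap, cv)}."""
    series = defaultdict(list)
    for ts, proc, ip, port in flows:
        series[(proc.lower(), ip, port)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if MIN_INTERVAL <= avg <= MAX_INTERVAL and cv <= MAX_JITTER_CV:
            beacons[key] = (round(avg, 1), round(cv, 3))
    return beacons

# Constructed sample: a 60 s beacon with +/-9 s jitter to the default port
# 4782, plus bursty browser traffic to 443 that must not be flagged.
BASE = 1_775_000_000
SAMPLE_FLOWS = (
    [(BASE + i * 60 + j, "svchost_helper.exe", "203.0.113.7", 4782)
     for i, j in enumerate((0, 8, -6, 3, -9, 5, -2, 7))]
    + [(BASE + t, "chrome.exe", "198.51.100.20", 443)
       for t in (0, 2, 3, 90, 95, 400, 401, 402)]
)
```

The browser series has a mean gap inside the window too, so the spread check, not the interval alone, is what separates it from the beacon.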

File System Artifacts

QuasarRAT typically installs itself in user-writable directories to avoid requiring administrative privileges. Common installation paths include:

  • %APPDATA%\[Random Folder Name]\[Random Executable Name].exe
  • %LOCALAPPDATA%\[Legitimate-Sounding Folder]\[System-Sounding Name].exe
  • %TEMP%\[Random String].exe

The malware often uses file names that mimic legitimate system processes or software, such as “chrome_update.exe”, “java_updater.exe”, or “svchost_helper.exe”. File sizes typically range from 200KB to 1.5MB for unpacked samples, though packed variants may be smaller. The malware may create additional files in the same directory for configuration, logs, or captured data.

Look for executable files with recent timestamps in user application data folders, particularly if they have digital signatures that don’t validate or lack signatures entirely. QuasarRAT may also create hidden files or directories, so checking for attributes beyond normal file listings is recommended. The malware sometimes uses NTFS alternate data streams to hide components or configuration data.

Registry and Persistence Mechanisms

QuasarRAT employs multiple persistence mechanisms to survive system reboots. The most common method is through Run registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The malware may create entries with benign-sounding names like “Google Update” or “Windows Defender Notification” pointing to its executable path. Some variants use the “RunOnce” keys for execution during specific system events.

Scheduled tasks are another common persistence method, with tasks often named to blend with legitimate system tasks. Look for tasks created with random names or names mimicking legitimate software updates. The tasks typically trigger on system startup, user login, or at regular intervals.

Service installation is used in variants that obtain administrative privileges, creating services with display names like “Windows Update Assistant” or “Network Configuration Manager”. These services are often configured for automatic startup and may be set to restart on failure.

QuasarRAT may also use file association hijacking, particularly for commonly opened file types like .txt or .lnk files, to re-execute when users open these file types. Registry modifications for COM object hijacking have also been observed in some variants, though this is less common.
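One way to combine the file-system artifacts (user-writable install paths, mimicking file names) with the Run-key persistence just described, written as an added Python example rather than code from the guide: it parses a constructed .reg export of the Run keys and scores each value on three signals, alerting only when two agree so that legitimate per-user software such as OneDrive is not flagged on its path alone. The export text, the mimic list and the vendor words are assumptions.

```python
import re

# Constructed .reg export of Run keys: one impersonating Google's updater from
# %APPDATA%, one posing as a Defender component in %TEMP%, two legitimate.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="\"C:\\Users\\u\\AppData\\Roaming\\Sysconf\\chrome_update.exe\""
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Defender Notification"="C:\\Users\\u\\AppData\\Local\\Temp\\x8f2k.exe -s"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%")
MIMIC_NAMES = re.compile(r"chrome_update|java_updater|svchost|explorer|winlogon", re.I)
VENDOR_WORDS = ("google", "microsoft", "windows", "adobe", "java", "oracle")
EXE_PATH = re.compile(r'((?:[a-z]:|%\w+%)\\[^"]*?\.exe)', re.I)

def parse_run_entries(text):
    """Yield (key, value_name, command) for values under Run/RunOnce keys."""
    key = None
    for line in text.splitlines():
        if line.startswith("["):
            key = line.strip("[]")
        elif key and re.search(r"\\Run(Once)?$", key, re.I):
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m:  # undo .reg escaping of backslashes and quotes
                yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def triage_run_entries(text):
    """Return {value_name: [reasons]} for entries showing two or more signals."""
    findings = {}
    for key, name, cmd in parse_run_entries(text):
        m = EXE_PATH.search(cmd)
        path = (m.group(1) if m else cmd).lower()
        reasons = []
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if MIMIC_NAMES.search(path.rsplit("\\", 1)[-1]):
            reasons.append("file name mimics a system or updater binary")
        claimed = [w for w in VENDOR_WORDS if w in name.lower()]
        if claimed and not any(w in path for w in claimed):
            reasons.append(f"value name claims '{claimed[0]}' but the path does not")
        if len(reasons) >= 2:
            findings[name] = reasons
    return findings
```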

YARA Rule Guidance

When developing YARA rules for QuasarRAT detection, focus on both static strings and structural characteristics. The malware often contains hardcoded strings related to its functionality, including:

  • Command identifiers like “DownloadAndExecute”, “UploadFile”, “ReverseProxy”
  • Configuration markers such as “MUTEX”, “PASSWORD”, “ENCRYPTIONKEY”
  • Error messages and logging strings that may appear in plaintext
  • API function names that are dynamically resolved, often in specific sequences

Look for embedded resources, particularly icons and version information that may contain specific patterns. QuasarRAT samples often include version information with specific company names or product names that remain consistent across variants. The malware’s import table typically includes specific combinations of DLLs and functions related to network communication, process injection, and persistence establishment.

Byte patterns to consider include the structure of the configuration block, which often begins at specific offsets and contains fields of predictable sizes for C2 addresses, ports, and campaign identifiers. Some variants use specific XOR keys or encryption routines that leave identifiable patterns in the binary. The malware’s entry point often contains specific sequences of instructions related to anti-analysis checks or environment detection.
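The string-based part of the YARA guidance above, and the single-byte XOR obfuscation mentioned in the network section, as an added Python example that is not code from the guide: it checks a buffer for the listed command identifiers and configuration markers in both ASCII and UTF-16LE form (QuasarRAT is a .NET binary, whose strings are stored wide), evaluates a YARA-style threshold condition, and then brute-forces a single-byte XOR key by looking for the same condition in each candidate decoding. The thresholds and the sample buffers are assumptions.

```python
COMMAND_IDS = [b"DownloadAndExecute", b"UploadFile", b"ReverseProxy"]
CONFIG_MARKERS = [b"MUTEX", b"PASSWORD", b"ENCRYPTIONKEY"]

def _forms(s):
    """ASCII and UTF-16LE ('wide') encodings, as YARA's ascii/wide modifiers."""
    return (s, s.decode("ascii").encode("utf-16-le"))

def match_strings(data):
    """Return (command_ids_found, markers_found), each a sorted list of str."""
    cmds = sorted(s.decode() for s in COMMAND_IDS
                  if any(f in data for f in _forms(s)))
    marks = sorted(s.decode() for s in CONFIG_MARKERS
                   if any(f in data for f in _forms(s)))
    return cmds, marks

def rule_condition(data):
    """Mirror of a YARA condition: at least 2 of the command identifiers and
    1 of the configuration markers (the thresholds are an assumption)."""
    cmds, marks = match_strings(data)
    return len(cmds) >= 2 and len(marks) >= 1

def recover_xor_key(data):
    """Try every single-byte key 0x01..0xFF; return (key, decoded) for the first
    key under which the rule condition holds, or (None, None)."""
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        if rule_condition(decoded):
            return key, decoded
    return None, None

# Constructed sample: PE-like header, one wide and one ASCII command string,
# one marker. XOR_SAMPLE is the same buffer obfuscated with key 0x5A.
PLAIN_SAMPLE = (b"MZ\x90\x00" + "DownloadAndExecute".encode("utf-16-le")
                + b"\x00\x00ReverseProxy\x00PASSWORD\x00")
XOR_SAMPLE = bytes(b ^ 0x5A for b in PLAIN_SAMPLE)
```

The plain rule fails on XOR_SAMPLE while the key search recovers it, which is why a rule relying on plaintext strings alone should be paired with a check for the obfuscated form or with the structural characteristics described above.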

For current samples and additional technical details, refer to the QuasarRAT samples. For updated indicators of compromise, check the QuasarRAT IOCs. For general information about this malware family, see the QuasarRAT overview.