QuasarRAT Incident Response Guide
Incident Triage Steps
Within the first 30 minutes, your priority is to determine the scope of the incident and confirm QuasarRAT activity. This malware typically operates as a client-server remote access trojan, granting attackers persistent control over infected systems.
1. Confirm the Initial Alert and Identify Patient Zero
- Review the alert source. Was it an EDR alert, a suspicious network connection, or user-reported anomalous behavior?
- Immediately identify the first known compromised system (patient zero). QuasarRAT often spreads via phishing attachments (e.g., malicious documents), fake software installers, or by leveraging existing remote access tools.
- Check the system’s recent process execution logs for known QuasarRAT payload names, which are often benign-sounding (e.g., svchost.exe, explorer.exe, chrome.exe) but run from unusual directories like %AppData%, %LocalAppData%, or %Temp%.
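The check in the last step, applied to an exported process listing, as an added Python example that is not part of this guide. It assumes a CSV export with pid, name and image_path columns (the sample rows below are constructed) and the default install directories for the look-alike names; EXPECTED_DIRS is an assumption to tune for your environment.

```python
import csv
import io
import ntpath

# Payload names the guide calls out as benign-sounding; each normally runs from a
# fixed system or program directory, never from a user profile.
LOOKALIKE_NAMES = {"svchost.exe", "explorer.exe", "chrome.exe"}

# Directories where the genuine binary lives (assumption: default 64-bit Windows and a
# per-machine Chrome install; extend for your environment). Compared lower-cased.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
}

# Substrings that place a path under %AppData%, %LocalAppData% or %Temp%.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")

# Constructed sample export: two genuine system binaries, two look-alikes dropped into
# the user profile, one unknown binary in %Temp%, and one harmless process.
SAMPLE_LISTING = r"""pid,name,image_path
812,svchost.exe,C:\Windows\System32\svchost.exe
4120,explorer.exe,C:\Windows\explorer.exe
5532,svchost.exe,C:\Users\jdoe\AppData\Roaming\svchost.exe
6008,chrome.exe,C:\Program Files\Google\Chrome\Application\chrome.exe
6120,chrome.exe,C:\Users\jdoe\AppData\Local\Temp\chrome.exe
7004,updater.exe,C:\Users\jdoe\AppData\Local\Temp\updater.exe
7180,notepad.exe,C:\Windows\System32\notepad.exe
"""


def in_user_writable_dir(image_path: str) -> bool:
    """True when the image sits under a profile directory any user can write to."""
    lowered = image_path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage_listing(listing_csv: str):
    """Return one (pid, name, image_path, reason) tuple per process worth examining.

    A look-alike name outside its expected directory is reported first; anything else
    executing from a user-writable directory is reported as a weaker signal.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(listing_csv.strip())):
        name = row["name"].strip().lower()
        image_path = row["image_path"].strip()
        directory = ntpath.dirname(image_path).lower()
        if name in LOOKALIKE_NAMES and directory not in EXPECTED_DIRS[name]:
            hits.append((int(row["pid"]), name, image_path,
                         "system/browser name outside its expected directory"))
        elif in_user_writable_dir(image_path):
            hits.append((int(row["pid"]), name, image_path,
                         "executable running from a user-writable directory"))
    return hits


if __name__ == "__main__":
    for pid, name, path, reason in triage_listing(SAMPLE_LISTING):
        print(f"PID {pid:>5}  {name:<14} {reason}: {path}")
```

Run it against a real export by replacing SAMPLE_LISTING with the file contents; the first reason is the stronger signal because a genuine svchost.exe or explorer.exe never relocates into a profile directory, while the second reason needs a look at the command line and parent process before it is treated as malicious.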
2. Assess Scope and Identify Affected Systems
- Endpoint Query: Use your EDR solution or endpoint management platform to search all systems for the following QuasarRAT indicators:
  - Processes with the mutex {QuasarRAT-*} or {Quasar-*}.
  - Files in user profile directories with names like client.bin, server.exe, or random alphanumeric names with .exe or .dll extensions.
  - Unusual outbound network connections on ports commonly used by QuasarRAT, such as TCP 4782, 8080, or other high-numbered ports.
- Network Analysis: Query your SIEM or firewall logs for outbound connections from internal hosts to suspicious external IPs or domains. Look for beaconing behavior (regular, periodic connections) which is a hallmark of QuasarRAT’s C2 communication.
3. Determine Data Exfiltration
QuasarRAT has extensive data theft capabilities. In the triage phase, look for signs of:
- Large or Suspicious Outbound Transfers: Check proxy, firewall, or NetFlow logs for unexpected large uploads (especially of compressed archives like .zip or .rar) from the infected host(s) to external IPs.
- Key Functionality Abuse: The malware can perform keylogging, take screenshots, and steal credentials from browsers and FTP clients. While harder to spot in triage, look for processes accessing sensitive files (like browser login data files) or the creation of screenshot files in temp directories.
- Lateral Movement Attempts: Review logs for SMB connections (\\host\C$) or WMI/PowerShell executions originating from the infected host targeting other internal systems, indicating the attacker is expanding their foothold.
Evidence Collection
Before taking any containment or eradication actions, preserve the following evidence for forensic analysis.
- Volatile Memory: Acquire a full memory dump from infected systems using a trusted memory forensic tool. QuasarRAT’s configuration, such as the C2 server address and port, is often decrypted in memory.
- Disk Images: If a severe compromise is suspected, consider creating a forensic disk image of key systems, especially the patient zero host.
- Process and Network Artifacts:
  - Collect a detailed process listing with command-line arguments, focusing on processes running from user-writable locations.
  - Export full netstat or equivalent socket connection lists.
  - Collect prefetch files on Windows systems, which may show the execution path of the QuasarRAT binary.
- QuasarRAT-Specific Artifacts:
  - Files: Preserve the malware binary itself and any associated files (DLLs, configuration files). Common locations include:
    - %AppData%\
    - %LocalAppData%\Temp\
    - %ProgramData%\
    - C:\Windows\System32\ (for disguised instances)
  - Registry: Export registry hives related to persistence. QuasarRAT commonly uses:
    - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - Logs: Preserve Windows Event Logs (especially Security, System, and Application), firewall logs, and any application logs from security tools showing the initial detection or related events.
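A triage pass over the registry evidence just listed, as an added Python example that is not part of this guide. It parses a saved reg query export of the Run and RunOnce keys, confirms all three keys were actually captured, and flags autostart values whose executable lives in one of the drop directories above or carries a file name the guide associates with QuasarRAT. The sample export, the ALLOWLIST of known-good autostarts and the random-name heuristic are assumptions; the same functions can be re-run on a fresh export during the verification of clean state.

```python
import re

# Run/RunOnce keys the guide lists as QuasarRAT persistence locations (reg query
# prints the long hive names, so they are written that way here).
PERSISTENCE_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
KNOWN_RAT_NAMES = {"client.bin", "server.exe"}          # file names from the guide
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                         "\\temp\\", "\\programdata\\")  # %AppData%, %LocalAppData%, %Temp%, %ProgramData%
# Assumption: a lower-case alphanumeric name with at least one digit, 6-12 chars, is "random".
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{6,12}\.(exe|dll)$")
# Assumption: autostarts you have verified as legitimate in your estate.
ALLOWLIST = {"onedrive.exe", "securityhealthsystray.exe"}
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

# Constructed export in reg query layout: one legitimate per-user autostart, one RAT
# name under %AppData%, one random-looking binary under %Temp%, one system entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Client    REG_SZ    C:\Users\jdoe\AppData\Roaming\server.exe
    x7k2q9m    REG_SZ    "C:\Users\jdoe\AppData\Local\Temp\x7k2q9m.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"""


def image_from_command(command: str) -> str:
    """Pull the executable path out of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing > 0 else command[1:]
    return command.split(" ", 1)[0] if command else ""


def parse_reg_query(text: str):
    """Return (key, value_name, command) triples from reg query style output."""
    current_key, entries = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match and current_key:
            entries.append((current_key, match.group(1), match.group(3)))
    return entries


def missing_persistence_keys(text: str):
    """Keys from the guide's list that the export does not contain at all."""
    present = {line.strip() for line in text.splitlines() if line.startswith("HKEY_")}
    return [key for key in PERSISTENCE_KEYS if key not in present]


def triage_run_keys(text: str):
    """Flag autostart values by location and file name; allowlisted names are skipped."""
    findings = []
    for key, value_name, command in parse_reg_query(text):
        image = image_from_command(command)
        base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in ALLOWLIST:
            continue
        reasons = []
        if base in KNOWN_RAT_NAMES:
            reasons.append("file name associated with QuasarRAT")
        if RANDOM_NAME.match(base):
            reasons.append("random-looking file name")
        if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("autostart from user-writable directory")
        if reasons:
            findings.append({"key": key, "value": value_name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("missing keys:", missing_persistence_keys(SAMPLE_REG_QUERY))
    for finding in triage_run_keys(SAMPLE_REG_QUERY):
        print(finding)
```

Keep the allowlist short and explicit: OneDrive is the usual reason a per-user autostart under %LocalAppData% is legitimate, and every name added to it should be one you have checked by signature and path, not just by name, since the guide's whole point is that the RAT borrows benign names.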
Containment Procedures
Act to isolate the threat and prevent further damage while preserving evidence.
- Network Containment:
  - Segment Affected Hosts: Immediately quarantine infected systems at the network level using NAC (Network Access Control) policies or firewall rules to block all inbound/outbound traffic except that required for your forensic investigation.
  - Block C2 Communication: Update perimeter and internal firewall rules, and if possible DNS filtering policies, to block communication with the identified QuasarRAT Command and Control (C2) IP addresses and domains. Be aware that attackers may quickly switch C2 infrastructure.
- Credential Security:
  - Reset Compromised Credentials: Force password resets for any local or domain user accounts that were active on the infected systems. Assume that any credentials entered or stored on those systems may have been harvested by the RAT’s keylogger or credential stealer module.
  - Review Privileged Accounts: Scrutinize any domain administrator or other high-privilege accounts that were used on the compromised hosts. Consider resetting these as a precaution and review their recent activity logs.
- Host-Level Containment:
  - If immediate disconnection is not possible, terminate the identified QuasarRAT processes via your EDR console or remotely using administrative tools. Note that the malware may have persistence mechanisms that will restart it.
  - Do not delete files or clean the registry at this stage; focus on stopping execution and network communication.
Eradication and Recovery
This phase involves complete removal and restoration of affected systems.
- Complete Removal: Follow the detailed, step-by-step procedures in the dedicated QuasarRAT Removal Guide. This guide provides per-system instructions for:
  - Terminating malicious processes.
  - Removing all associated files from the filesystem.
  - Deleting persistence mechanisms in the registry, scheduled tasks, and service entries.
  - Cleaning up any artifacts left in temporary directories.
- System Restoration:
  - For critically important systems, or where you suspect deep rootkit functionality, the most secure action is to wipe and rebuild from known-clean, golden image backups.
  - Restore from Backups: Only restore data files from backups created before the estimated date of infection. Do not restore executable files or system binaries from these backups.
  - Before returning a rebuilt or cleaned system to the network, apply all relevant OS and application security patches that were missing and may have been part of the initial attack vector.
- Verification of Clean State:
  - Before declaring a system recovered, perform a final validation scan using updated anti-malware tools and your EDR platform.
  - Re-check for the specific IOCs (Indicators of Compromise) used in the triage phase, ensuring no traces of the malware or its network connections remain.
  - Monitor the system closely for several days for any signs of recurring malicious activity.
Lessons Learned Checklist
After containment and eradication, conduct a formal review to improve security posture.
- Initial Infection Vector:
  - How did QuasarRAT initially enter the environment? (e.g., phishing email, drive-by download, compromised software)
  - What user, system, or process executed the initial payload?
- Control Failures:
  - Prevention: Why did perimeter defenses (email filtering, web gateways) fail to block the initial payload? Were executable attachments allowed?
  - Detection: Why wasn’t the initial execution or C2 beaconing detected sooner? Review gaps in EDR rules, SIEM alerts, and network monitoring. Refer to the QuasarRAT Detection Guide for tuning ideas.
  - Persistence: Were changes to Run keys or scheduled tasks logged? Were these logs being monitored?
- Response Gaps:
  - Was the incident response plan followed effectively? Were evidence collection steps clear?
  - Was communication with stakeholders timely and accurate?
- Improvement Actions:
  - Technical: Implement application allowlisting to prevent execution from %AppData% and %Temp%. Harden endpoints by disabling unnecessary macros and scripting engines. Enhance network monitoring for beaconing traffic to non-standard ports.
  - Policy/Training: Update phishing awareness training based on the lure used. Review and update software installation policies to prevent “fake installer” attacks.
  - Process: Update IR playbooks with specific QuasarRAT IOCs and procedures. Schedule regular drills for RAT incidents.
For more background on this threat, see the QuasarRAT Overview.