QuasarRAT - Removal Guide

Last updated: 2026-04-01

QuasarRAT Removal and Recovery Guide

Signs of Infection

QuasarRAT infection manifests through several identifiable artifacts and behaviors. On the file system, check for suspicious executables, often with generic or misspelled names mimicking legitimate software, in user profile directories (%AppData%, %LocalAppData%, %Temp%) or the root of the C: drive. Commonly observed filenames include variations such as updater.exe, servicehost.exe, or java.exe in atypical locations. The malware frequently creates a configuration or data file in the same directory, often with a .bin or .dat extension.

Process behavior is a key indicator. Look for a running process with the aforementioned suspicious names that exhibits unusual network activity, connects to external IP addresses on high ports (e.g., 4782, 5555, or other non-standard ports), and may spawn or inject into other processes like explorer.exe or svchost.exe. In memory, the process may attempt to evade detection by using process hollowing.

Network signs include persistent, beaconing traffic from the infected host to a command-and-control (C2) server. This traffic often uses a custom protocol over TCP and may be encrypted. Connections are made to IP addresses or domains that are newly registered, have a low reputation score, or use dynamic DNS services. Look for failed connection attempts if the C2 server is down, which may appear as repeated outbound SYN packets to the same external IP and port.

For the most current and specific indicators, review the Current QuasarRAT IOCs.
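The combination described above (an image in a user-writable location plus an established connection to an external address) can be triaged from an elevated PowerShell prompt. This script is an added example, not part of the original guide; the path pattern, the "external address" test and the two example ports are assumptions taken from the text above, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added triage script (not from the original guide). It lists processes whose
# image sits in a user-writable location and that hold established TCP
# connections to non-private addresses, the combination the guide describes.
# Run from an elevated prompt so that every process's image path is readable.
# Locations named in the guide: per-user AppData (Roaming, Local, Local\Temp),
# ProgramData, the Windows Temp directory and executables in the drive root.
$userWritable = '(?i)^[a-z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Windows\\Temp\\|[^\\]+\.exe$)'
$guidePorts   = @(4782, 5555)   # example ports the guide mentions

function Test-ExternalAddress {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv4 only here
    $b = $ip.GetAddressBytes()
    # Loopback, RFC 1918 and link-local ranges are internal; anything else is external.
    if ($b[0] -eq 10 -or $b[0] -eq 127) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    return $true
}

$external = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { Test-ExternalAddress $_.RemoteAddress }

$findings = foreach ($conn in $external) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc) { continue }
    $path = try { $proc.Path } catch { $null }   # null for protected processes
    if (-not $path -or $path -notmatch $userWritable) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID       = $proc.Id
        Name      = $proc.ProcessName
        Path      = $path
        Remote    = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
        Signature = $(if ($sig) { $sig.Status } else { 'Unknown' })
        GuidePort = $guidePorts -contains $conn.RemotePort
    }
}

# Review before acting: signed, known applications under AppData (browsers,
# updaters) are common; an unsigned binary in Temp talking to an external IP is not.
$findings | Sort-Object PID | Format-Table -AutoSize
```

Record the PID and Path of anything flagged before terminating it, since the containment and triage steps below need both.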

Immediate Containment Steps

Within the first 15 minutes of detection, take these steps to limit damage and prevent lateral movement.

  1. Network Isolation: Immediately disconnect the infected host from the network. If possible, use network access control (NAC) or switch port management to quarantine the device at the network layer. If the host is critical and cannot be taken offline, implement strict host-based firewall rules to block all inbound/outbound traffic except that required for your remote management tools.
  2. Process Termination: Identify the malicious process using your EDR console or task manager. Note its PID and full image path. Terminate the process. Be prepared for potential persistence mechanisms to restart it; this is a temporary measure for containment.
  3. Credential Security: Assume credentials on the infected host are compromised. Immediately rotate passwords for any privileged accounts (local administrator, domain admin) that were logged into or used on that system. If the host is part of a domain, consider resetting the computer account password as well. Review authentication logs from your SIEM platform for suspicious lateral movement attempts originating from the host in the hours prior to detection.
  4. Initial Triage: Capture a forensic snapshot if possible. This includes saving the memory dump of the malicious process (before termination), copying suspicious files from disk, and exporting relevant registry hives and system logs.

Manual Removal Process

Follow this step-by-step procedure to manually eradicate QuasarRAT. Perform these steps in safe mode or from a clean, trusted environment if possible.

  1. Terminate Malicious Processes:

    • Open the system’s task manager or a command-line process viewer.
    • Identify the suspicious process(es) noted during detection. Look for mismatches between the process name and its file location or publisher.
    • Right-click and select “End Process Tree” to terminate it and any child processes.
  2. Delete Persistence Mechanisms:

    • Open the system registry editor with administrative privileges.
    • Navigate to and inspect common auto-start locations:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • Look for entries pointing to the path of the malicious executable. Delete any suspicious entries.
    • Check for scheduled tasks. Open the task scheduler and review tasks for suspicious names or actions that launch the malicious file. Delete any associated tasks.
    • Check for service-based persistence. Open the services management console (services.msc) and look for services with unusual names, descriptions, or binary paths pointing to the malware’s location. Note the service name, stop it, and set its startup type to “Disabled.” Do not delete the service until the file is removed in the next step.
  3. Remove Dropped Files:

    • Navigate to the file paths identified for the malicious executable and its configuration/data files.
    • Common locations include:
      • C:\Users\[Username]\AppData\Roaming\[Malware Folder]\
      • C:\Users\[Username]\AppData\Local\[Malware Folder]\
      • C:\ProgramData\[Malware Folder]\
      • The system Temp directory.
    • Delete all associated files. If files are locked, use a bootable antivirus scanner, or rename them and delete them after a system reboot.
  4. Clean Registry Entries:

    • Return to the registry editor.
    • Search for (Ctrl+F) the file paths or unique strings related to the malware (e.g., part of its mutex name, C2 URL).
    • Carefully delete any keys or values found that are clearly related to the infection. Pay special attention to entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ for the service name you disabled earlier. You can now delete this service key.
    • Also check HKEY_CURRENT_USER\Software\ and HKEY_LOCAL_MACHINE\Software\ for folders named after the malware or its publisher.

Verifying Removal

After manual removal, confirm the host is clean.

  1. System Scans: Perform a full system scan with your updated endpoint security solution. Use a dedicated anti-malware scanning tool for a second opinion. Scan all drives, focusing on the directories where the infection was present.
  2. Log Analysis: Review system logs in your SIEM platform. Look for the absence of the previously identified malicious process creation events (Event ID 4688 on Windows) and failed service starts related to the deleted service. Check Windows Defender operational logs for any post-cleanup detections.
  3. Network Monitoring: Reconnect the host to a monitored, isolated network segment. Use a network detection tool to monitor all outbound traffic for 24-48 hours. Confirm there are no more beaconing attempts to the known C2 IPs/domains or to new suspicious destinations. Look for the absence of the specific TCP port traffic associated with QuasarRAT.
  4. Persistence Check: Re-examine the registry run keys, scheduled tasks, and service listings to ensure no remnants re-establish persistence. Tools that enumerate auto-start extensibility points (ASEPs) can be helpful for a comprehensive check.
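The auto-start locations enumerated by hand in the "Delete Persistence Mechanisms" step and re-checked here can be swept in one pass. This script is an added example and not part of the original guide; the "user-writable" path pattern and the decision to also flag launch targets that no longer exist on disk are assumptions. It reads the three Run/RunOnce keys named above, every scheduled task action and every service binary path, and needs an elevated prompt plus the ScheduledTasks module (Windows 8 / Server 2012 or later).

```powershell
# Added persistence-check script (not from the original guide). It enumerates
# the auto-start locations the manual removal steps walk through (Run/RunOnce
# keys, scheduled tasks, services) and flags entries whose launch target lives
# in a user-writable location or no longer exists on disk. Run elevated.
$userWritable = '(?i)^[a-z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Windows\\Temp\\|[^\\]+\.exe$)'
# Extract the executable from a command line (quoted path, unquoted path up to
# .exe, or the first token) after expanding %AppData%-style variables.
function Get-ImagePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }
    if ($cmd -match '(?i)^(.+?\.exe)\b') { return $Matches[1] }
    if ($cmd -match '^(\S+)')            { return $Matches[1] }
    return $null
}
function Test-Suspicious {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $false }
    if ($ImagePath -notmatch '\\') {   # bare name: resolve through PATH
        $ImagePath = (Get-Command $ImagePath -ErrorAction SilentlyContinue).Source
        if (-not $ImagePath) { return $true }
    }
    return ($ImagePath -match $userWritable) -or -not (Test-Path -LiteralPath $ImagePath)
}
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Source, $Name, $Target) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Target = $Target })
}
# 1. Run / RunOnce keys named in the guide (HKCU covers the current user only).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not values
        if (Test-Suspicious (Get-ImagePath $p.Value)) { Add-Finding $key $p.Name $p.Value }
    }
}
# 2. Scheduled tasks: the Execute path of every exec action.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if (Test-Suspicious (Get-ImagePath $a.Execute)) { Add-Finding 'Task' ($task.TaskPath + $task.TaskName) $a.Execute }
    }
}
# 3. Services: the registered binary path (svchost "-k group" arguments are stripped).
foreach ($svc in Get-CimInstance Win32_Service) {
    if (Test-Suspicious (Get-ImagePath $svc.PathName)) { Add-Finding 'Service' $svc.Name $svc.PathName }
}
$findings | Format-Table -AutoSize -Wrap
```

An empty result after cleanup is the expected outcome; a Target that points at a path you already deleted is a remnant to remove, and a Target under AppData or ProgramData that you did not recognise during removal needs the same scrutiny as the original finding.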

Post-Removal Security Hardening

To prevent reinfection and improve resilience against similar threats:

  1. Application Control: Implement application allowlisting policies via Group Policy or your EDR solution. Block execution from high-risk locations like user Temp and AppData directories for standard users, except for explicitly allowed, signed applications.
  2. Network Segmentation: Enforce strict network segmentation and firewall policies. Use a network intrusion detection system (NIDS) to alert on and block traffic to known-bad IPs and domains. Restrict outbound connections from user workstations to only necessary ports and protocols.
  3. Enhanced Monitoring: Create specific detection rules in your SIEM or EDR platform. Alert on processes making network connections that are spawned from explorer.exe or other user-interactive processes. Monitor for the creation of files with specific QuasarRAT hashes or patterns in user-writable directories. Subscribe to threat intelligence feeds to update your blocklists with new QuasarRAT C2 indicators.
  4. Policy Updates: Review and update acceptable use and software installation policies. Enforce the principle of least privilege; ensure standard user accounts cannot install software or modify critical system directories. Mandate and verify that all software, especially remote access tools, is obtained from official, verified sources. Conduct user awareness training focused on the risks of downloading and executing unknown software, which is a primary vector for RATs like Quasar.
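The "spawned from explorer.exe" alert above, and the check in the verification section for the absence of Event ID 4688 process-creation events, can both be exercised locally against the Security log before a SIEM rule is written. This is an added example and not part of the original guide; it assumes "Audit Process Creation" is enabled, that the prompt is elevated, that the parent-process field is present (newer Windows versions only) and that command-line logging may or may not be switched on by policy.

```powershell
# Added monitoring example (not from the original guide). It pulls Security-log
# process-creation events (Event ID 4688) for executables launched from
# user-writable locations by an interactive parent such as explorer.exe, the
# pattern the guide says to alert on. Needs "Audit Process Creation" enabled
# and an elevated prompt; the parent-process field exists only on newer Windows
# versions, and the command line only when its logging is enabled by policy.
$userWritable = '(?i)^[a-z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Windows\\Temp\\|[^\\]+\.exe$)'
$interactiveParents = @('explorer.exe')   # extend with other user-facing parents

function Get-SuspiciousProcessCreations {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Flatten the <Data Name="..."> elements into a name -> value table.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
        $image  = $d['NewProcessName']
        $parent = $d['ParentProcessName']
        if (-not $image -or $image -notmatch $userWritable) { continue }
        # When the parent is known, keep only launches from interactive parents.
        if ($parent -and ($interactiveParents -notcontains (Split-Path $parent -Leaf).ToLower())) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Image   = $image
            Parent  = $parent
            Command = $d['CommandLine']
        }
    }
}

# Review the last day; an empty result after cleanup supports the "absence of
# the malicious process creation events" check in the verification section.
Get-SuspiciousProcessCreations -Hours 24 | Format-Table -AutoSize -Wrap
```

The same filter (image under a user-writable path, parent in the interactive list) is what the SIEM or EDR rule should encode, with the path list widened to whatever locations your allowlisting policy already treats as high-risk.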

For more information on QuasarRAT’s capabilities and current global detection rates, refer to the QuasarRAT Overview and Detection Rate pages.