Skip to content

S0262 QuasarRAT

QuasarRAT is an open-source, remote access tool that is publicly available on GitHub. QuasarRAT is developed in the C# language. 3 4

Item Value
ID S0262
Associated Names xRAT
Version 1.3
Created 17 October 2018
Last Modified 06 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
xRAT 21

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell QuasarRAT can launch a remote shell to execute commands on the victim’s machine.3
enterprise T1555 Credentials from Password Stores QuasarRAT can obtain passwords from common FTP clients.34
enterprise T1555.003 Credentials from Web Browsers QuasarRAT can obtain passwords from common web browsers.34
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography QuasarRAT uses AES to encrypt network communication.34
enterprise T1105 Ingress Tool Transfer QuasarRAT can download files to the victim’s machine and execute them.34
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging QuasarRAT has a built-in keylogger.34
enterprise T1112 Modify Registry QuasarRAT has a command to edit the Registry on the victim’s machine.3
enterprise T1090 Proxy QuasarRAT can communicate over a reverse proxy using SOCKS5.34
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol QuasarRAT has a module for performing remote desktop access.34
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.4
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.4
enterprise T1082 System Information Discovery QuasarRAT has a command to gather system information from the victim’s machine.3
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files QuasarRAT can obtain passwords from FTP clients.34
enterprise T1125 Video Capture QuasarRAT can perform webcam viewing.34

Groups That Use This Software

ID Name References
G0078 Gorgon Group 5
G0140 LazyScripter 6
G0040 Patchwork 24
G0045 menuPass 781
G0135 BackdoorDiplomacy 9


Back to top