S0262 QuasarRAT

QuasarRAT is an open-source remote access tool that has been publicly available on GitHub since at least 2014. QuasarRAT is developed in the C# language. [3][4]

ID: S0262
Associated Names: xRAT
Version: 2.0
Created: 17 October 2018
Last Modified: 02 August 2022

Associated Software Descriptions

Name: xRAT [2][1] (no description given)

Techniques Used

All techniques below are in the enterprise domain; sub-techniques are listed under their parent technique.

T1548 Abuse Elevation Control Mechanism
  T1548.002 Bypass User Account Control: QuasarRAT can generate a UAC pop-up window to prompt the target user to run a command as the administrator. [5]
T1547 Boot or Logon Autostart Execution
  T1547.001 Registry Run Keys / Startup Folder: If the QuasarRAT client process does not have administrator privileges it will add a registry key to HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. [3][5]
T1059 Command and Scripting Interpreter
  T1059.003 Windows Command Shell: QuasarRAT can launch a remote shell to execute commands on the victim’s machine. [3][5]
T1555 Credentials from Password Stores: QuasarRAT can obtain passwords from common FTP clients. [3][4]
  T1555.003 Credentials from Web Browsers: QuasarRAT can obtain passwords from common web browsers. [3][4]
T1005 Data from Local System: QuasarRAT can retrieve files from compromised client machines. [5]
T1573 Encrypted Channel
  T1573.001 Symmetric Cryptography: QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication. [3][4][5]
T1564 Hide Artifacts
  T1564.001 Hidden Files and Directories: QuasarRAT has the ability to set file attributes to “hidden” to hide files from the compromised user’s view in Windows File Explorer. [5]
  T1564.003 Hidden Window: QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with the user-agent string Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A, even though QuasarRAT can only be run on Windows systems. [5]
T1105 Ingress Tool Transfer: QuasarRAT can download files to the victim’s machine and execute them. [3][4]
T1056 Input Capture
  T1056.001 Keylogging: QuasarRAT has a built-in keylogger. [3][4]
T1112 Modify Registry: QuasarRAT has a command to edit the Registry on the victim’s machine. [3][5]
T1095 Non-Application Layer Protocol: QuasarRAT can use TCP for C2 communication. [5]
T1571 Non-Standard Port: QuasarRAT can use port 4782 on the compromised host for TCP callbacks. [5]
T1090 Proxy: QuasarRAT can communicate over a reverse proxy using SOCKS5. [3][4]
T1021 Remote Services
  T1021.001 Remote Desktop Protocol: QuasarRAT has a module for performing remote desktop access. [3][4]
T1053 Scheduled Task/Job
  T1053.005 Scheduled Task: QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot. [4][5]
T1553 Subvert Trust Controls
  T1553.002 Code Signing: A QuasarRAT .dll file is digitally signed by a certificate from AirVPN. [4]
T1082 System Information Discovery: QuasarRAT can gather system information from the victim’s machine, including the OS type. [3]
T1614 System Location Discovery: QuasarRAT can determine the country a victim host is located in. [5]
T1016 System Network Configuration Discovery: QuasarRAT has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org, observed with the user-agent string Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0. [5]
T1033 System Owner/User Discovery: QuasarRAT can enumerate the username and account type. [5]
T1552 Unsecured Credentials
  T1552.001 Credentials In Files: QuasarRAT can obtain passwords from FTP clients. [3][4]
T1125 Video Capture: QuasarRAT can perform webcam viewing. [3][4]
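
The network-observable details above (the two user-agent strings from T1564.003 and T1016, the WAN IP lookup hosts, and the port 4782 callback from T1571) can be turned into a simple detection pass over proxy or flow logs. The following script is an added example, not code from the ATT&CK page or from the QuasarRAT project; the log line format and the sample lines are constructed for illustration, and the technique labels map each match back to the entries above.

```python
import re
from dataclasses import dataclass

# Indicators taken from the technique descriptions above (T1564.003, T1016,
# T1571). Host names are written defanged on the page; they are refanged here.
QUASAR_USER_AGENTS = {
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 "
    "(KHTML, like Gecko) Version/7.0.3 Safari/7046A194A",
    "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0",
}
WAN_IP_LOOKUP_HOSTS = {"ip-api.com", "freegeoip.net", "api.ipify.org"}
CALLBACK_PORT = 4782

# Constructed log format (hypothetical, not any vendor's real schema):
# <src_ip> <dst_host>:<dst_port> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+?):(\d+) "([^"]*)"$')

@dataclass(frozen=True)
class Hit:
    src_ip: str
    reason: str
    technique: str

def inspect_line(line: str) -> list[Hit]:
    """Return every QuasarRAT indicator matched by one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable lines are skipped, not treated as alerts
    src, host, port, ua = m.group(1), m.group(2).lower(), int(m.group(3)), m.group(4)
    hits = []
    if ua in QUASAR_USER_AGENTS:
        hits.append(Hit(src, f"QuasarRAT-observed user-agent to {host}", "T1564.003/T1016"))
    if host in WAN_IP_LOOKUP_HOSTS:
        hits.append(Hit(src, f"WAN IP lookup via {host}", "T1016"))
    if port == CALLBACK_PORT:
        hits.append(Hit(src, f"TCP connection to port {CALLBACK_PORT}", "T1571"))
    return hits

def scan(lines):
    """Run inspect_line over an iterable of log lines and flatten the hits."""
    return [h for line in lines for h in inspect_line(line)]

# Constructed sample lines; the third is benign and must not alert.
SAMPLE_LOG = [
    '10.0.0.5 ip-api.com:80 "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"',
    '10.0.0.5 203.0.113.7:4782 ""',
    '10.0.0.9 example.com:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The WAN lookup hosts are used by plenty of legitimate software, so that match alone is a weak signal; the user-agent match and the port 4782 callback are the ones worth paging on, and the host match mainly adds context when it co-occurs.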

Groups That Use This Software

ID Name References
G0078 Gorgon Group [6]
G0135 BackdoorDiplomacy [7]
G0040 Patchwork [2][4]
G0140 LazyScripter [8]
G0045 menuPass [9][10][1]