Deep Analysis - QuasarRAT v1.4.0 | Threat: CRITICAL

File Identity

SHA256: 3b16f98ebdbe6b3a333a0908d6eec33c754ba9028935fe17b8b02d9975b4616f
Size: 452,096 bytes (441 KB), PE32 GUI x86 .NET
Version: QuasarRAT v1.4.0 (Quasar.Common Version=1.4.0.0)

QuasarRAT v1.4.0 Full Client

QUASAR RAT: Quasar.Client Version 1.4.0 - open-source RAT, full client build.
Quasar.Client (v1.4.0.0)
Quasar.Client.Config            <- configuration module
Quasar.Client.Extensions        <- client extensions
Quasar.Client.Helper            <- helper utilities
Quasar.Client.IO                <- file I/O
Quasar.Client.IpGeoLocation     <- IP geolocation
Quasar.Client.Logging           <- logging module
Quasar.Client.Messages          <- C2 message protocol
Quasar.Client.Networking        <- networking module
Quasar.Client.Recovery          <- credential recovery
Quasar.Client.Recovery.Browsers <- browser password recovery

Credential Recovery Modules

ChromePassReader    <- Chrome Login Data + Chromium passwords
FirefoxPassReader   <- Firefox NSS/PK11SDR password decryption
YandexPassReader    <- Yandex Browser Ya Passman Data
DecryptIePassword   <- Internet Explorer
WinSCPDecrypt       <- WinSCP session passwords (registry)
FileZillaPassReader <- FileZilla recentservers.xml
ChromiumDecryptor   <- AES-GCM + DPAPI (modern Chrome encryption)

Keylogger: MouseKeyHook

PGma.System.MouseKeyHook v5.6.130
add_MouseClick / add_MouseDoubleClick
add_MouseDown / add_MouseUp / add_MouseMove
add_MouseDragStarted / add_MouseDragFinished
=> global mouse + keyboard monitoring via SetWindowsHookEx

Protobuf-net v2.4.0 -> binary protocol communication with the C2

Additional Modules + Persistence

schtasks.exe    <- persistence via scheduled task
Quasar.Client.IpGeoLocation:
  GET https://api.ipify.org/            <- external IP detection
  GET https://tools.keycdn.com/geo.json <- geolocation

avicap32.dll    <- webcam capture (optional module)
GetSavedCookies <- browser cookie theft

IOC

SHA256: 3b16f98ebdbe6b3a333a0908d6eec33c754ba9028935fe17b8b02d9975b4616f
RAT: QuasarRAT v1.4.0 (Quasar.Client + Quasar.Common)
Keylogger: PGma.System.MouseKeyHook v5.6.130
Targeted browsers/clients: Chrome, Firefox, Yandex, IE, WinSCP, FileZilla
Persistence: scheduled task via schtasks.exe

QuasarRAT — Malware Profile

QuasarRAT is an open-source remote access tool. The v1.4.0 client recovers Chrome, Firefox, Edge, Yandex, WinSCP and FileZilla credentials through Quasar.Client.Recovery, monitors mouse and keyboard input with PGma.System.MouseKeyHook, and talks to its C2 over an encrypted channel using Protobuf-net serialized messages. Persistence is established with schtasks.

Malware Type: RAT
Programming Language: C#/.NET
C2 Protocol: TCP/SSL
Target Systems: Windows
Also Known As (AKA): xRAT

Technical Details

C# .NET, TLS/SSL encryption, default TCP port 4782, Remote Desktop, Process Manager, File Browser, Password Recovery, Reverse Proxy (SOCKS5), Keylogger, Registry Editor

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (1 indicator)

IOC — QuasarRAT
Type: sha256
Value: 3b16f98ebdbe6b3a333a0908d6eec33c754ba9028935fe17b8b02d9975b4616f
Note: (none)

C2 Servers (5 recorded servers for this family)

Address          Type    Port  Protocol  Status    Country
api.ipify.org    domain  443   HTTPS     active    n/a
ipwho.is         domain  443   HTTPS     active    n/a
hitclub.paris    domain  n/a   HTTP      active    n/a
77.91.124.165    ip      4782  TCP       inactive  n/a
192.210.179.210  ip      4782  TCP       inactive  US

Note: as listed under Quasar.Client.IpGeoLocation above, api.ipify.org is contacted by the client for external IP detection rather than as a controller; treat traffic to it as a weak, corroborating indicator and the TCP/4782 addresses as the C2 endpoints proper.

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.
