Family Matters from Quasar to Pulsar
I was looking for my next journey into malware analysis and decided I wanted to try something a bit more complex. So, I decided to take a look at Quasar Rat. It’s a .net based RAT that is a bit more complicated than AsyncRAT and is typically highly obfuscated. Quasar RAT seemed to have been favored by Advanced Persistent Threats (APT) based out of China for awhile.
According to an article by Huntress Quasar RAT was used by APT10, a state sponsored group based out of China. The article goes on to explain that parts of APT10 ended up being indicted in 2018 by the U.S. Department of Justice. This made me interested in who or why is still using it today and possibly exposing their infrastructure, lets see what we can find out.
Finding the sample
As usual getting malware from the internet is never difficult. By using MalwareBazaar’s search syntax signature:QuasarRAT I pulled up all the posted malware with the QuasarRAT signature. The results were sorted by most recently posted so I decided to choose the first one that showed up and just go for it.
Take Caution When Downloading From Any Site That Hosts Malware as These Are Live Samples
An Initial look
Detect It Easy (DIE) confirms that it is a .net application, and mentions that the data is packed with high entropy (randomness) in the initial scan.
DIE will also provides a visualization of just how packed or obfuscated an application is via a graph for entropy ranging from 0-8 and packing percentage near the top.
93%! Well, I did say I wanted something more obfuscated and complex.
Lets take a look at PEStudio to see if some of the imports can tell me anything.
…5. There are only 5 flagged imports. And they don’t seem to be anything that outstanding. I mean, GetCurrentThread could possibly be something, but not likely on its own. I looked up the MiniDump api and it could be used for credential theft or information gathering, but the low amount of imports definitely means heavy obfuscation or that import calls are built during runtime.
Diving in
Ok, lets throw this thing into dnSpy and see just how complicated this thing is.
It’s not just obfuscated but also in Chinese…
I wanted to find something that can deobfuscate this for me so I can at least start figuring things out. I have heard of De4dot for deobfuscation and found that it was already part of FlareVM so decided to have De4dot take a look.
De4dot came back with “Detected Unknown Obfuscator”, but this may be due to the use of Chinese.
I did some more research into other .net deobfuscation tools and came across another .net deobfuscator and unpacker NETReactorSlayer. After checking for NETReactorSlayer I saw it was already installed! I really need to go through all the installed tools on FlareVM, but honestly who has the time for that.
Alright lets see what this thing can do, I checked all options and threw in the malware because why not.
Once NETReactorSlayer was done it produced a deobfuscated version of the exe with _Slayed appended to it(I renamed that one to just _QuasarRat_slayed.exe). It also unpacked a slew of dlls it must use at runtime which explains the low amount of imports seen earlier in PeStudio.
Looking at the sample again in dnSpy it is no longer in Chinese, but still obfuscated.
I wondered why the namespaces and classes were still gibberish after NetReactorSlayer had deobfuscated and unpacked it. Potentially code virtualization? Basically code virtualization converts your code into randomized instructions that are interpreted at runtime. This technique seems to be extremely difficult to reverse and most people just go with the crazy names or change them as they come across them.
If you want to know more about code virtualization you can look here.
As you may have noticed in one of the earlier screenshots there are a lot of namespaces in this application.
Luckily, I know just were to start: the entry point.
Now based off of my previous experiences with malware I knew that early on it needs to decrypt its configuration so it can act on them and continue functioning. Although I couldn’t really read what the names of the classes were, I did what I would call “walking”. I simply went down the entry point class by class until one led me to a list of items being decrypted. And thats exactly where class e4VF3YgDwO0iB led me.
I have been in this situation before and knew exactly what to do, set a break point.
With the breakpoint set I hit debug(F5), opened the static fields window, and there it was. Instantly what looks like a C2 IP with port number, the name and location of where the malware runs from once executed, along with other configuration settings.
We will see what all we can do with this info soon, but now I want to move on to see what all this thing is trying to do. After running up to the break point all the unpacked dlls are also loaded. One that stuck out to me was called Pulsar.Common.dll. Once expanded, it looks like all the malicious functions of this malware come from this single dll.
Looking at these namespaces you can clearly see that this thing is capable of just about everything in the book. It’s gathering info, changing registry keys, and doing what looks like possible ransomware tactics in Pulsar.Common.Messages.FunStuff.
Pulsar
I was interested in why this Quasar RAT was exclusively using this Pulsar dll to perform just about any and everything that you can think of when it comes to malware. I did some digging and found out that Pulsar RAT belongs to the Quasar RAT family and first appeared in early 2025; meaning the sample I found is a fairly newly crafted RAT! While I was poking around on the internet for more info I came across this gem of an article where researchers at ThreatMon got ahold of a PulsarRAT builder. Based off what they found what I am dealing with has got to be a Pulsar RAT.
Some of the mentioned functions of the Pulsar RAT match the namespaces in my Pulsar dll.
Also the client tag during configuration and the scheme of the mutex confirms what I found was also the mutex.
Seems like the wallpaper change and hiding the taskbar was not part of a ransomware function, just to cause distraction and confusion.
Some CTI
Now lets see just where this C2 is going and if we can cause them some issues. Using good ole Shodan it looks like the IP address points to a VPS hosting service so, most likely the threat actor isn’t actually located in St. Louis.
Searching the C2s IP in virus total shows only 13 out of 94 vendors have marked it malicious with only one comment mentioning Quasar RAT.
I also voted and commented on Virus Total so hopefully it will bring a little more awareness to the C2 infrastructure.
They grow up so fast
From initially thinking this was old malware being reborn to finding out that it was a much younger variant of its predecessor,malware continues to keep me on my toes. You think, “oh this is a run of the mill RAT resurfacing” and then it ends up being something new built from something old. From the heavy obfuscation to the use of Chinese I thought this was going to be a Quasar RAT through and through. Especially with the earlier references to the Chinese APT group. I get it unpacked and BAM! A recently built variant of Quasar RAT that is probably keeping the Quasar family trending to this day.
My next adventure may be another .Net app or a generic PE I am not sure yet as I am still learning assembly and how to properly analyze generic PE malware. If I go with another .Net app I will do more with renaming namespaces and classes for better readability as I feel like this is something I need to form a habit around.
IOCs
MITRE ATT&CK and Malware Behavior Catalog
brought to you by Mandiant Capa
Hashes:
| Sample SHA256 hash: | acf4e409f279deff4fde7ea4457d2a3a126d7602d32058188727c60318a8086d |
| Sample SHA3-384 hash: | 7bb52877a0cac41a94767815d46b24af983a3b40c876e65d2780fc5d88520d01b54a56450de841a994457b0910fa73f3 |
| Sample SHA1 hash: | 9aa046c32f4fa02f169402d85675480d65f524c0 |
| Sample MD5 hash: | 6892e8230226a3353d942af64acc52a0 |
| C2: | 212(.)28(.)186(.)94 : 4782 |
| Install Exe | svchost.exe |
| Install Path | AppData\Roaming\Logs |
| Mutex | 5c4f7a32-2d43-4837-8229-89a7ff9c84ba |
| Pulsar.dll SHA256 | 1c1a49dc957ade033bd60dca58db3cc2221bd71bab7a20ab4f5009e98f13ff29 |