{
	"id": "977d7eb9-0c59-4c3f-bec0-2455b932a739",
	"created_at": "2026-04-06T00:10:38.304767Z",
	"updated_at": "2026-04-10T13:13:02.040446Z",
	"deleted_at": null,
	"sha1_hash": "202cd69f70e6f21571c76ef66967bf2a30d35121",
	"title": "How To Track Quasar Rat C2 Infrastructure Using TLS Certificates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1914769,
	"plain_text": "How To Track Quasar Rat C2 Infrastructure Using TLS\r\nCertificates\r\nBy Matthew\r\nPublished: 2023-05-15 · Archived: 2026-04-05 20:13:49 UTC\r\nThis analysis will cover the extraction of Quasar configuration via Dnspy. We'll then use this information to pivot\r\nto additional servers utilising Shodan and Censys. In total, 64 additional servers will be identified.\r\nA full list of the 64 Quasar servers can be found at the end of this post.\r\nAn overview of this post\r\nObtaining the initial sample\r\nOverview of the unpacking process\r\nLocating and extracting Quasar configuration using Dnspy\r\nAnalysis of Quasar Configuration\r\nBuilding Shodan Queries\r\nAnalysis of identified servers\r\nCross-referencing detection rates with VirusTotal\r\nIdentifying additional servers using Censys\r\nComplete list of identified servers.\r\nSample\r\nThe malware sample was obtained from Malware Bazaar and is available here.\r\nSHA256:78eb982abdfb385ac2e0c9a640856077379355f16e29788456a6551c166b00fe\r\nWe'll leave the bulk of Quasar unpacking for another post. This is a high-level summary of the process that we\r\nused.\r\nUnzip the file using the password infected\r\nIdentify high-entropy using detect-it-easy\r\nCheck strings and observe multiple references to ZwWriteVirtualMemory and InstallUtil.exe\r\nAssume entropy=Loader ,\r\nAssume InstallUtil.exe = Injection Target\r\nExecute malware inside the Virtual Machine\r\nUtilise Process Hacker to observe new spawns of installutil.exe\r\nUse Process Hacker to observe .NET assemblies loaded into Installutil.exe\r\nUtilising DnSpy to dump .NET assemblies. Obtain Quasar RAT.\r\nLoad Quasar into Dnspy. Browse to Entry Point.\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 1 of 15\n\nObserve the config initialization function. Set breakpoints and create a watch window.\r\nObtain Configuration.\r\nFollowing the steps above will identify the following code. Portions of the code have been renamed for\r\nreadability.\r\nEach of the GClass65.string_8 values reference a value that have been encrypted using AES and then encoded\r\nusing base64.\r\nThe AES decryption code can be seen below.\r\nAs well as a reference to additional base64 encoding, on top of the initial AES encryption.\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 2 of 15\n\nBy setting appropriate breakpoints and watch windows. The configuration can be obtained with minimal analysis\r\nof the encryption.\r\nAnalysis of the Quasar Configuration\r\nThe most interesting components of the configuration are the (likely) c2 of 217.196[.]96.37:5678 , as well as\r\nthe x509 Certificate used for SSL/TLS communications.\r\nAn x509 certificate forms part of the public-key component of TLS communications performed\r\nbetween a client and server. The certificate contains valuable information about who is \"endorsing\" the\r\ncommunications, and who exactly is being endorsed\r\nThere are some detailed writeups with much better explanations from Sectigo and Wikipedia.\r\nTypically we have ignored x509 certificates. But today will be a little bit different.\r\nThe x509 certificate contains a subject and issuer value of Quasar Server CA .\r\nOf particular note is that the x509 certificate was initially encrypted by the malware. This is an indication that it\r\ncontains something valuable that could hinder the malware if revealed and appropriately analysed.\r\nGenerally, we would stop my analysis here as the C2 was successfully found.\r\nToday we will take this one step further, based on some infrastructure-hunting posts from @MichalKoczwara .\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 3 of 15\n\nYou can find such posts here and here.\r\nHow to Build a Shodan Query for Quasar\r\nTo take my analysis further, we decided to utilise the issuer information of Quasar Server CA to identify\r\nadditional Quasar servers.\r\nShodan.io was my first choice for this investigation.\r\nTo utilise the information, we first had to build a valid query for Shodan. This was able to be done using filters list\r\nfrom the main shodan.io site.\r\nThe filter ssl.cert.subject.cn seemed the most appropriate. ssl.cert.issuer.cn would also work well and\r\nproduce the same results in my analysis.\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 4 of 15\n\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 5 of 15\n\nThis resulted in an initial query of ssl.cert.subject.cn:\"Quasar Server CA\"\r\nThis query revealed 15 servers running with the subject common name of Quasar Server CA\r\nThese 15 servers were geographically dispersed and primarily across China, Hong Kong and Germany. The ports\r\nused also vary and include 1337 .\r\nExpanding the search to hone in on port 1337 .\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 6 of 15\n\nThe second server of 164.92[.]184.73 had 0/86 detections on VirusTotal. The other had only 1/87 as of\r\n2023/05/15. More information on VT detection can be found later in this article.\r\nThe servers are mostly running on cloud hosting providers. Including Hetzner, DigitalOcean and China Unicom.\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 7 of 15\n\nChina Unicom is pretty interesting.\r\nAnother overview of the countries can be seen here.\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 8 of 15\n\nExporting the Full list\r\nThe rest of the shodan.io data was not extremely interesting and the associated jarm/ja3s values did not reveal\r\nmuch. So we decided to export the list of servers and check the rest against VirusTotal.\r\nA full list of the servers can be seen here.\r\n2[.]133[.]130[.]23\r\n27[.]11[.]235[.]246\r\n42[.]192[.]132[.]19\r\n43[.]240[.]48[.]46\r\n43[.]244[.]89[.]152\r\n45[.]32[.]106[.]94\r\n49[.]12[.]46[.]139\r\n59[.]26[.]93[.]6\r\n80[.]168[.]201[.]195\r\n81[.]19[.]141[.]35\r\n102[.]116[.]6[.]203\r\n139[.]46[.]12[.]49\r\n144[.]168[.]46[.]50\r\n152[.]89[.]244[.]43\r\n164[.]92[.]184[.]73\r\n180[.]235[.]137[.]45\r\n195[.]201[.]168[.]80\r\n198[.]244[.]160[.]119\r\nAnalysing Detections Using Virustotal\r\nViewing the servers within VirusTotal, we can again see one of the servers running port 1337 has 0/86 detection.\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 9 of 15\n\nThe other Quasar server running 1337 has only 1/87 detections.\r\nIn total, there were 9 servers with 0 detections as of 2023-05-15. A few of these are listed below.\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 10 of 15\n\nFull List of VirusTotal Detections\r\nThis is a full list of the detection rates as of 2023-05-15 .\r\n2.133.130.23 - VT 3/87\r\n27.11.235.246 - VT 0/86\r\n42.192.132.19 - VT 1/87\r\n43.240.48.46 - VT 0/86\r\n43.244.89.152 - VT 0/86\r\n45.32.106.94 - VT 3/87\r\n49.12.46.139 - VT 0/86\r\n59.26.93.6 - VT 12/87\r\n80.168.201.195 - VT 0/86\r\n81.19.141.35 - VT 1/87\r\n102.116.6.203 - VT 0/86\r\n139.46.12.49 - VT 0/86\r\n144.168.46.50 - VT 1/87\r\n152.89.244.43 - VT 2/87\r\n164.92.184.73 - VT 0/86\r\n180.235.137.45 - VT 2/87\r\n195.201.168.80 - VT 1/87\r\n198.244.160.119 - VT 0/86\r\nBonus Analysis Using Censys\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 11 of 15\n\nUsing Censys we were able to identify another 46 servers. We have not checked these against VirusTotal. You are\r\nwelcome to do so using the full list of servers at the end of this post.\r\nservices.tls.certificates.leaf_data.subject.common_name: \"Quasar Server CA\"\r\nConclusion\r\nSo it turns out malware analysis can get far more interesting beyond just C2 extraction. With minimal additional\r\nanalysis, you can pivot to additional C2 infrastructure.\r\nIt's possible that some of these servers are not \"malicious\" per se, but we see no valid reason for using a Quasar\r\ncertificate for communications. I'll assume they are all malware until notified otherwise.\r\nSign up for Embee Research\r\nMalware Analysis and Threat Intelligence Research\r\nNo spam. Unsubscribe anytime.\r\nComplete List of Quasar Infrastructure\r\nThe complete list of 64 Quasar servers.\r\nservices.tls.certificates.leaf_data.subject.common_name: \"Quasar Server CA\"\r\n102[.]116[.]6[.]203\r\n111[.]90[.]148[.]240\r\n139[.]180[.]219[.]18\r\n139[.]46[.]12[.]49\r\n14[.]225[.]204[.]247\r\n14[.]225[.]254[.]32\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 12 of 15\n\n144[.]168[.]46[.]50\r\n146[.]70[.]113[.]150\r\n146[.]70[.]172[.]107\r\n147[.]182[.]226[.]65\r\n152[.]89[.]244[.]43\r\n164[.]92[.]184[.]73\r\n172[.]174[.]58[.]11\r\n180[.]235[.]137[.]45\r\n185[.]219[.]134[.]204\r\n185[.]235[.]128[.]46\r\n185[.]80[.]128[.]131\r\n188[.]173[.]86[.]162\r\n194[.]55[.]224[.]25\r\n194[.]58[.]188[.]72\r\n195[.]201[.]168[.]80\r\n198[.]244[.]160[.]119\r\n2[.]133[.]130[.]23\r\n20[.]123[.]197[.]130\r\n20[.]231[.]104[.]157\r\n207[.]32[.]218[.]112\r\n209[.]25[.]142[.]223\r\n212[.]227[.]45[.]37\r\n212[.]90[.]103[.]114\r\n222[.]106[.]112[.]206\r\n27[.]11[.]235[.]246\r\n3[.]121[.]208[.]125\r\n3[.]71[.]116[.]67\r\n34[.]96[.]240[.]37\r\n42[.]192[.]132[.]19\r\n43[.]154[.]232[.]190\r\n43[.]240[.]48[.]46\r\n43[.]244[.]89[.]152\r\n45[.]12[.]213[.]244\r\n45[.]32[.]106[.]94\r\n45[.]80[.]158[.]187\r\n45[.]88[.]107[.]55\r\n47[.]242[.]113[.]51\r\n47[.]242[.]167[.]217\r\n47[.]243[.]141[.]95\r\n47[.]243[.]172[.]172\r\n49[.]12[.]46[.]139\r\n51[.]75[.]52[.]3\r\n52[.]204[.]66[.]30\r\n59[.]26[.]93[.]6\r\n61[.]4[.]115[.]124\r\n61[.]4[.]115[.]99\r\n70[.]176[.]21[.]36\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 13 of 15\n\n73[.]90[.]120[.]173\r\n77[.]34[.]128[.]25\r\n80[.]168[.]201[.]195\r\n81[.]19[.]141[.]35\r\n85[.]31[.]45[.]38\r\n91[.]192[.]100[.]36\r\n222[.]106[.]112[.]206\r\nComplete List with Port Numbers\r\n102[.]116[.]6[.]203:8009\r\n108[.]160[.]136[.]232:8088\r\n111[.]90[.]148[.]240:8088\r\n116[.]36[.]143[.]105:8888\r\n139[.]180[.]219[.]18:8088\r\n14[.]225[.]204[.]247:6060\r\n14[.]225[.]254[.]32:9090\r\n144[.]168[.]46[.]50:9000\r\n146[.]70[.]113[.]150:8443\r\n146[.]70[.]172[.]107:55442\r\n147[.]182[.]226[.]65:9702\r\n152[.]89[.]244[.]43:443\r\n164[.]92[.]184[.]73:1337\r\n180[.]235[.]137[.]45:9443\r\n180[.]235[.]137[.]45:9443\r\n185[.]219[.]134[.]204:54321\r\n185[.]219[.]176[.]42:1337\r\n185[.]235[.]128[.]46:4022\r\n185[.]80[.]128[.]131:12121\r\n188[.]173[.]86[.]162:4873\r\n194[.]55[.]224[.]25:25\r\n194[.]58[.]188[.]72:8543\r\n195[.]201[.]168[.]80:1337\r\n195[.]201[.]168[.]80:1337\r\n198[.]244[.]160[.]119:443\r\n2[.]133[.]130[.]23:443\r\n2[.]133[.]130[.]23:443\r\n20[.]123[.]197[.]130:8080\r\n20[.]231[.]104[.]157:6666\r\n207[.]32[.]218[.]112:4782\r\n209[.]25[.]142[.]223:23508\r\n212[.]227[.]45[.]37:80\r\n212[.]23[.]222[.]42:7331\r\n212[.]90[.]103[.]114:5431\r\n222[.]106[.]112[.]206:1297\r\n27[.]11[.]235[.]246:8089\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 14 of 15\n\n3[.]121[.]208[.]125:1337\r\n3[.]71[.]116[.]67:4567\r\n34[.]96[.]240[.]37:6443\r\n42[.]192[.]132[.]19:8443\r\n43[.]154[.]232[.]190:8442\r\n43[.]240[.]48[.]46:443\r\n45[.]12[.]213[.]244:4499\r\n45[.]32[.]106[.]94:8080\r\n45[.]32[.]106[.]94:8081\r\n45[.]32[.]110[.]240:8080\r\n45[.]80[.]158[.]187:3577\r\n45[.]88[.]107[.]55:4499\r\n47[.]242[.]113[.]51:8442\r\n47[.]242[.]167[.]217:12199\r\n47[.]243[.]141[.]95:5672\r\n47[.]243[.]172[.]172:16099\r\n49[.]12[.]46[.]139:443\r\n52[.]204[.]66[.]30:443\r\n59[.]26[.]93[.]6:443\r\n61[.]4[.]115[.]124:6699\r\n61[.]4[.]115[.]99:6699\r\n70[.]176[.]21[.]36:7331\r\n74[.]207[.]237[.]228:8877\r\n77[.]34[.]128[.]25:8080\r\n81[.]19[.]141[.]35:443\r\n81[.]19[.]141[.]35:443\r\n85[.]31[.]45[.]38:6969\r\n91[.]192[.]100[.]36:8084\r\nSource: https://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nhttps://embee-research.ghost.io/hunting-quasar-rat-shodan\r\nPage 15 of 15\n\nThe other Quasar server running https://embee-research.ghost.io/hunting-quasar-rat-shodan 1337 has only 1/87 detections.  \nIn total, there were 9 servers with 0 detections as of 2023-05-15. A few of these are listed below.\n   Page 10 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://embee-research.ghost.io/hunting-quasar-rat-shodan"
	],
	"report_names": [
		"hunting-quasar-rat-shodan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/202cd69f70e6f21571c76ef66967bf2a30d35121.pdf",
		"text": "https://archive.orkl.eu/202cd69f70e6f21571c76ef66967bf2a30d35121.txt",
		"img": "https://archive.orkl.eu/202cd69f70e6f21571c76ef66967bf2a30d35121.jpg"
	}
}