{
	"id": "c87bf52a-0c9b-4393-a731-13bec09d8ba7",
	"created_at": "2026-04-06T00:18:36.726939Z",
	"updated_at": "2026-04-10T03:30:33.834791Z",
	"deleted_at": null,
	"sha1_hash": "323a43f6d51068f8c15c103b93297bc498a1e12f",
	"title": "QuasarRAT's Dual DLL Sideloading Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1950428,
	"plain_text": "QuasarRAT's Dual DLL Sideloading Technique\r\nBy Tejaswini Sandapolla\r\nPublished: 2023-10-20 · Archived: 2026-04-05 23:16:57 UTC\r\nCoauthored by Karthickkumar Kathiresan of Uptycs Threat Research Team\r\nIn a sophisticated twist to the traditional sideloading tactics, the Quasar RAT introduces a novel dual DLL sideloading technique, ingeniously utilizing two commonly trusted Microsoft files: \"ctfmon.exe\" and \"calc.exe.\" Such a method not only leverages the inherent trust these files enjoy within the Windows ecosystem but also presents an increased challenge to threat detection mechanisms. This article dives deep into the meticulous design and execution of these sideloading techniques, illustrating how they stealthily introduce, deploy, and run malicious payloads under the radar.\r\nQuasarRAT, also known as CinaRAT or Yggdrasil, is a lightweight remote administration tool written in C#. This tool is openly accessible as a GitHub project. It is capable of various functions such as gathering system data, running applications, transferring files, recording keystrokes, taking screenshots or camera captures, recovering system passwords, and overseeing operations like File Manager, Startup Manager, Remote Desktop, and executing shell commands.\r\nWindows users, system administrators, and cybersecurity professionals need to be on high alert. The use of legitimate processes to cloak malicious activities helps attackers bypass traditional security measures. Hence, the need for advanced threat detection and response mechanisms becomes paramount.\r\nQuasarRAT sideloading execution: a closer look at the technique\r\nGiven the prevalence of sideloading techniques in malware campaigns, it's vital to understand their mechanisms to defend against them effectively. The case of QuasarRAT provides an insightful example.\r\nHistorical context:\r\nIn 2022, we detected the Qbot malware employing a DLL sideloading attack using \"calc.exe.\" Such tactics are not new, but seeing them evolve and get adopted by other malware strains shows the adaptability of threat actors. Now, in 2023, a strikingly parallel method in two phases has been observed with the QuasarRAT malware.\r\nStep-by-step breakdown:\r\n1. Initial contact and execution:\r\nThe threat actor begins by employing DLL side-loading techniques. Interestingly, they opted for two distinct Microsoft files for their attack: \"ctfmon.exe\" and \"calc.exe.\"\r\nIn the initial phase, the attacker harnesses \"ctfmon.exe,\" which is an authentic Microsoft file. By doing so, they load a malicious DLL which, to the untrained eye, would seem benign because of its disguised name.\r\nhttps://www.uptycs.com/blog/quasar-rat\r\nPage 1 of 12\n\nUpon execution of the \"ctfmon.exe\" binary, the stage is set as the attacker acquires a 'stage 1' payload. This initial payload is crucial, acting as the gateway for the subsequent malicious actions.\r\n2. Payload release:\r\nThis 'stage 1' payload plays a dual role. It is responsible for releasing both the legitimate \"calc.exe\" file and the malevolent DLL into the system.\r\n3. Second phase of attack:\r\nAt this juncture, the threat actor brings into play the \"calc.exe\" file, which in this context isn't just a simple calculator application. Alongside \"calc.exe,\" the malicious DLL is also set into motion.\r\nOn executing \"calc.exe,\" the malicious DLL is triggered. This action culminates in the infiltration of the \"QuasarRAT\" payload into the computer's memory, reflecting the attacker's adeptness at circumventing security mechanisms.\r\n4. Process hollowing:\r\nWith the \"QuasarRAT\" payload now residing in the computer's memory, the payload employs a technique known as 'process hollowing.' Here, it embeds itself into a legitimate system process, further camouflaging its malicious intentions and making detection more challenging.\r\nFigure 1 depicts the QuasarRAT workflow.\r\nFigure 1 – QuasarRAT execution flow\r\nTechnical analysis\r\nWe first verified the ISO file and after a successful extraction, we obtained three separate files:\r\n1. eBill-997358806.exe - Legitimate Windows file, actual name is CTFMON.EXE\r\n2. monitor.ini - Legitimate Windows file, actual name is MsCtfMonitor.DLL\r\n3. MsCtfMonitor.dll - Malicious DLL\r\nFigure 2 depicts the process flow of the new QuasarRAT.\r\nFigure 2 – QuasarRAT process tree\r\nWhen the binary file \"eBill-997358806.exe\" is run, it initiates the loading of a file titled \"MsCtfMonitor.dll\" (name masqueraded) via the DLL sideloading technique, within which malicious code is concealed.\r\nWithin the \"MsCtfMonitor.dll\" file, there exists a resource section containing encrypted data. The resource section (RCDATA:400) has encrypted data of size 5AC00 hex bytes.\r\nFigure 3 – Resource section of MsCtfMonitor.dll containing encrypted data\r\nThis data is accessed via a sequence of APIs as seen in Figure 4.\r\nFigure 4 – Loading of resources\r\nTo decrypt the data, the key size is F2 hex bytes and the SystemFunction032 API is used to decrypt the encrypted data. This is an undocumented API that indirectly calls BCryptGenerateSymmetricKey, CryptEncrypt, and CryptDestroyKey to decrypt data by RC4, where the key is also stored in the .rsrc section (RCDATA:401).\r\nFigure 5 – Resource section of MsCtfMonitor.dll containing decryption key\r\nAfter decryption, the resource data gives a PE file, which is stage 1, \"FileDownloader.exe.\"\r\nFigure 6 – Decrypted data\r\nThis PE file is then injected into Regasm.exe by the following sequence of APIs: CreateProcess, GetThreadContext, ReadProcessMemory, VirtualAllocEx and WriteProcessMemory, GetThreadContext, SetThreadContext and ResumeThread.\r\nFigure 7 – Stage 1 payload in the memory of RegAsm\r\nIn Figure 7 we can observe the presence of the stage 1 payload within the memory of the RegAsm process.\r\nStage 1: FileDownloader.exe\r\nThe stage 1 payload is a 64-bit MSIL binary file, which includes a resource section containing three binaries stored in a zip archive format.\r\nFigure 8 – Resource section of stage 1\r\nThe stage 1 payload is equipped with code to unzip this archive successfully, depositing all the files into the Public Pictures folder.\r\nThe following files are placed in the Public Pictures folder:\r\n1. Calc.exe - Legitimate Windows file\r\n2. Secure32.dll - Malicious DLL\r\n3. Winsecu32.dll - Legitimate Windows file\r\nStage 2: Calc.exe\r\nNext, \"Calc.exe\" was run using the command \"c:\\Users\\Public\\Pictures\\Calc.exe /quit.\" \"/quit\" serves as an argument or parameter for the Calculator executable, instructing it to open and promptly close upon launch.\r\nWhen you run calc.exe, it loads a malicious DLL named \"Secure32.dll,\" again via the DLL sideloading technique. This DLL contains an encrypted resource section.\r\nFigure 9 – Resource section of Secure32.dll containing encrypted data\r\nThis resource data is accessed via a sequence of APIs like the previous method mentioned in stage 1 (Figure 4).\r\nTo decrypt the data, the key size is 2F hex bytes and the SystemFunction032 API is used to decrypt the encrypted data, same as in the first case, which again gives a PE file.\r\nFigure 10 – Decrypted data\r\nThis PE file is now injected into the memory space of Regasm.exe via process hollowing. The API sequence followed is the same as in stage 1. But here, while calling VirtualAllocEx, the default memory address of regasm.exe (0x400000) is explicitly passed to hollow regasm.exe and replace it with the malicious PE file.\r\nFigure 11 – Call to VirtualAllocEx where RDX = 0x400000 is passed\r\nFinal payload\r\nBy getting the dump of the above region (Figure 11), we can analyze that this PE file is an MSIL executable obfuscated by SmartAssembly.\r\nLooking at the copyright of the file, \"Copyright © MaxXor 2020\", it looks like it might be inspired by the open-source Quasar RAT by MaxXor.\r\nAfter deobfuscating, we can see commands executed in the function names, which include keylogging, file transfer, shell execute, etc.\r\nFigure 12 – Quasar RAT commands like keylogging, file transfer, etc.\r\nIt also drops a .bat script to create the restart batch file in the %Temp% directory, which is executed and runs chcp 65001 \u0026\u0026 ping -n 10 localhost.\r\nFigure 13 – .bat file\r\nThe RAT creates a socket connection to the CNC (3[.]94[.]91[.]208 \u003e\u003e ec2-3-94-91-208[.]compute-1[.]amazonaws.com) where it sends the victim's info such as IP, country code, etc.\r\nFigure 14 – Collects victim's PC information\r\nAfter deobfuscating more content, we can see strings related to Quasar RAT such as Quasar Server, etc.\r\nFigure 15 – Quasar RAT related strings inside Regasm.exe memory\r\nWe can also see a lot of base64 content in the memory which on decoding gives various strings such as:\r\nSELECT * FROM Win32_OperatingSystem WHERE Primary='true'\r\nSELECT * FROM Win32_BaseBoard\r\nSELECT * FROM FirewallProduct\r\nSELECT * FROM Win32_Processor\r\nSELECT * FROM AntivirusProduct\r\nBy looking at the above strings we can understand that the RAT is querying the AntiVirusProduct and FirewallProduct WMI classes. The Quasar RAT payload also looks for BIOS infrastructure, GPU details, hostname, etc.\r\nQuasar RAT is an open-source remote access trojan (RAT) that has been widely used by threat actors due to its powerful techniques. Quasar RAT capabilities include keylogging, stealing passwords, taking screenshots, reverse proxy, downloading and uploading files, etc. We can see in the below figure reverse proxy functionalities inside our final payload.\r\nFigure 16 – Reverse proxy functionalities\r\nThe malware also establishes a persistent entry within the Windows registry.\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsCalculator\r\n“c:\\Users\\Public\\Pictures\\Calc.exe /quit”\r\nUptycs XDR coverage\r\nIn addition to having YARA built in and being armed with other advanced detection capabilities, Uptycs XDR users can easily scan for QuasarRAT. XDR contextual detection provides important details about identified malware. Users can navigate to the toolkit data section in the detection screen, and then click a detected item to reveal its profile.\r\nFigure 17 – Uptycs Detection\r\nPrecautions\r\nKeep software and operating systems up to date.\r\nBe wary of dubious emails, links, or attachments. Avoid revealing personal details or engaging with unfamiliar links.\r\nImplement behavioral analysis tools to identify unusual activities and potential threats.\r\nTrain employees and individuals to recognize suspicious activities and avoid running unfamiliar files or executing unknown commands.\r\nDevelop and enforce strong security policies within your organization.\r\nUtilize advanced endpoint security solutions to detect and block suspicious activity at the device level.\r\nCollaborate with cybersecurity experts and share threat information within your industry or community to stay informed about evolving threats.\r\nIOC\r\nFile Name MD5\r\nISO e4eb623a0f675960acb002d225c6f1d6\r\neBill-997358806.exe B625C18E177D5BEB5A6F6432CCF46FB3\r\nmonitor.ini 7074832F0EFB8A2130B1935EAE5A90D6\r\nMsCtfMonitor.dll B0DB6ADA5B81E42AADB82032CBC5FD60\r\nStage 1 / FileDownloader.exe 32DE5C2E0BA35CEAC3C515FA767E42BF\r\nCalc.exe 5da8c98136d98dfec4716edd79c7145f\r\nSecure32.dll d07e4afd8f26f3e2ce4560e08b7278fb\r\nWinsecu32.dll f11c63cb70a726f1f0b6accd5934e83\r\nFinal Payload / Remotify Client 532AF2DB4C10352B2199724D528F535F\r\nURL\r\n3[.]94[.]91[.]208 ec2-3-94-91-208[.]compute-1[.]amazonaws.com\r\nThanks to the Threat Hunting Team of Uptycs for sharing the IOC.\r\nSource: https://www.uptycs.com/blog/quasar-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.uptycs.com/blog/quasar-rat"
	],
	"report_names": [
		"quasar-rat"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/323a43f6d51068f8c15c103b93297bc498a1e12f.pdf",
		"text": "https://archive.orkl.eu/323a43f6d51068f8c15c103b93297bc498a1e12f.txt",
		"img": "https://archive.orkl.eu/323a43f6d51068f8c15c103b93297bc498a1e12f.jpg"
	}
}