# Stealthy Quasar Evolving to Lead the RAT Race

#### By Viren Chaudhari


-----

### Table of Contents

###### 3  Executive Summary

 4 Key Research Findings

 4 Who Should Read this Report?

 5 The Evolution Quasar RAT’s
 Source Code

 9 Quasar RAT Configuration

 12 Technical Analysis

12 Execution

13 Discovery

20 Persistence

21 Privilege Escalation

22 Credential Access

25 Defense Evasion

26 Remote Shell and File Execution

27 Lateral Movement

28 Impact: Shutdown/Reboot Systems


###### 28 Quasar RAT Detections

 43 Conclusion

 44 ATT&CK Mapping

 45 IOCs — Indicator of Compromise
 for Quasar RAT

 45 About Qualys


-----

### Executive Summary

###### The Qualys Threat Research Team continues to inform enterprise cybersecurity teams

 of emerging threats that could impact their business. These reports summarize individual

 threat exploits and provide practical recommendations for protecting against them.

 As a result of our threat intelligence mandate, we have analyzed Quasar RAT which has

 been widely leveraged by multiple threat actor groups targeting both government and

 private organizations in Southeast Asia and other geographies.

 Quasar RAT (aka: CinaRAT, Yggdrasil) is an open-source remote access trojan (RAT) that

 has been widely adopted by bad actors due to its powerful techniques. Quasar RAT has

 been behind multiple attack campaigns by advanced persistent threat (APT) groups and

 most recently, a Chinese threat group APT10 was observed using it for targeted attacks.

 This RAT is written in the C# programming

 language. Its capabilities include capturing
 The purposes of this research
 screenshots, recording webcam video, reversing

 report are multi-fold:
 proxy settings, editing registry entries, spying

 on the user actions, keylogging, and stealing 1. To examine the evolution
 of the Quasar RAT payload
 passwords. Nasty stuff.


-----

### Key Research Findings

9 Quasar RAT is a full featured remote administration tool that has been open source since at least 2014

9 The .NET executable has its communication encrypted through HTTPS which uses a TLS1.2 protocol

9 Quasar RAT features provide techniques related to persistence, injection, and defense mechanisms

9 The RAT has been actively leveraged by various APT groups such as APT10 to achieve its malicious objectives

### Who Should Read this Report?

The details of this report can be used by SOC analysts, threat hunting teams, cyberthreat intelligence analysts,
and digital forensics teams. The purpose is to understand how Quasar RAT behaves and how to defend against
related attacks.


-----

### The Evolution Quasar RAT’s Source Code

The timeline for Quasar RAT associated exploits are as follows:


-----

Quasar RAT was initially released in 2014 as “xRAT”. In 2015, the developers of the RAT renamed it “Quasar” so
the malicious software could be distinguished from the original program. The RAT first came to light in 2017,
[when the Gaza Cybergang group used it along with the Downeks downloader. The group had introduced an](https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/)
obfuscator and a packer to hide the source code of the RAT and its server.

In 2018, Quasar RAT introduced a feature where the .NET wrapper DLL was used to create scheduled tasks on
Windows systems. This feature was utilized by the Patchwork APT group while targeting primarily U.S. think tanks.

[APT10 is known for leveraging Quasar RAT. In 2019, the group modified its version to include the SharpSploit](https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-)
.NET post-exploitation library. This framework extends the Mimikatz open source malware program, which can
steal passwords from target machines. The SharpSploit function is mainly used to extract passwords from the
compromised system using Mimikatz’s capabilities (see figure 1).

_Figure 1: Sharpsploit with Mimikatz capabilities_


-----

[Similarly in 2020, APT10 used Quasar RAT along with the novel Backdoor.Hartip tool, which is used for](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage)
surveillance of a victim’s systems with the help of a DLL side-loading technique.

[As of this writing, the most recent campaign was called ‘Operation Cache Panda APT’ which struck in February](https://medium.com/cycraft/smokescreen-supply-chain-attack-targets-taiwan-financial-sector-a-deeper-look-8acf290ddb96)
2022. That exploit used a technique called reflective code loading to run malicious code on the victim’s systems
and to install Quasar RAT to have persistent and remote access to the system using reverse RDP tunnels.

[The sample associated with the campaign (MD5: 03b88fd80414edeabaaa6bb55d1d09fc) is packed by the](https://www.virustotal.com/gui/file/e16fe53a057b8beb144a101759b65c691d27c21aa7897d3b809668c20c5e05be)
Netz .NET Framework packer (fig. 2). The packer decompresses the resource and utilizes reflection to load the
assembly, find its entry point, and invoke it (fig. 3). Therefore, using reflective code loading, the server loads the
assembly of the client to find the functions and passwords (figs. 4, 5).

_Figure 2: The packer after de-compilation_

_Figure 3: The resource is found and InvokeApp function is called_


-----

_Figure 4: The assembly object is found by decompressing the resource and loading it with reflection_

_Figure 5: The entry point is found and invoked_

Quasar RAT has been leveraged in the past by many hacking groups including APT33, Dropping Elephant, Stone
Panda, and The Gorgon Group.


-----

## Quasar RAT Configuration

The Quasar RAT framework is available on Github, and contains all the instructions for creating a client payload.

Within the Qualys Research Team’s lab environment, we installed a Quasar RAT server on “the attacker’s” virtual

machine and allowed the server to generate the Quasar client payload. We then transferred it to “the victim’s”

virtual machine, which had the Qualys Cloud Agent installed along with our Multi-Vector EDR cloud service enabled.

Now let’s look at the client configuration which was set up on our server:

First, as a part of the Basic Settings section (fig. 6), the customer tag must be edited with relevant details

(e.g., Victim01).

_Figure 6: Quasar RAT server Basic Settings_

In the Connection Settings section (fig. 7), the local IP and port can be configured, to initiate a connection with

the Quasar RAT Client.

_Figure 7: Quasar RAT server Connection Settings_


-----

The Installation Settings gives a facility to decide where the client payload will be dropped during execution,
e.g., AppData folder/directory (fig. 8).

_Figure 8: Quasar RAT server Installation Settings_

The Assembly Settings section can be used to further obfuscate the payload by updating its properties and
assigning it an icon file (fig. 9).

_Figure 9: Quasar RAT server Assembly Settings_


-----

The Monitoring Settings section provides the Quasar Client with the ability to keylog and hide the log directory (fig. 10).

_Figure 10: Quasar RAT server Monitoring Settings_

Then, the Quasar RAT client payload is generated in the last step — Client-built.exe — which must be run on the
target machine.

Generally, attackers will deliver the payload onto the victim’s machine via phishing, remote service exploitation,
or some other malware technique. Once the victim executes the .exe file, a remote session is established on the
Quasar RAT server (fig. 11).

_Figure 11: Quasar RAT server connected to target machine_


-----

### Technical Analysis of a Quasar RAT Campaign

The malware campaign has been divided into different phases of attack chain which includes:

##### Execution

After execution on the victim’s system, the Quasar RAT client payload (client-build.exe) drops the actual Quasar
RAT payload (“mal.exe”) in the directory path:

###### C:\Users\admin\AppData\Roaming\SubDir\

An entry is made at the Quasar RAT server on the attacker’s machine that states the victim’s different
parameters such as host name, user privilege, payload version, country, OS, etc. (fig. 12).

_Figure 12: Quasar Server displaying RAT version, account type, country, etc._

The configuration of Quasar is stored in the Settings object. The configuration can be changed based on
the attacker’s preference of encryption key, mutex, directory, etc. The code for the Quasar RAT payload
configuration is generated per the configurations set by the attacker (fig. 13).

_Figure 13: ode analysis shows Quasar RAT configuration profile_


-----

The Quasar RAT payload tries to contact the attacker’s server to notify that a new computer has been
compromised successfully. This command & control (C2) domain list is stored in a dynamic object variable
named hostsManager. The RAT communicates with the C2 server using the TCP port 4782, and every
communication will be encrypted through HTTPS. The communication uses a proprietary protocol TLS1.2 (fig. 14).

_Figure 14: Code analysis of the Quasar RAT payload shows TLS encryption_

##### Discovery

Quasar RAT can discover hardware and software configuration details of the remote victim (fig. 15).

_Figure 15. Quasar RAT host discovery_


-----

The Quasar RAT code demonstrates the WindowsPrincipal class, which provides methods to check whether a
user exists within Windows user groups, including checking for built-in roles, such as the administrator role (fig. 16).

_Figure 16: Source code for defining user role_

The code analysis also gives details to locate the geolocation of the system by using ip-api.com (fig. 17).

_Figure 17: Source code to find geolocation of victim_


-----

In order to get a public IP address, the authors of the Quasar RAT have used the api.ipify.org browser add-on
to integrate with the RAT server or any malicious infrastructure, and thereby to hide its private IP (fig. 18). The
source code analysis gave details related to username, hostname (fig. 19), LAN IP Address (fig. 20), Mac address
(fig. 21), antivirus, firewall details, and more.

_Figure 18: RAT Code to get Public IP_

_Figure 19: RAT code to get Hostname_

_Figure 20: C# code for LAN IP address_

_Figure 21: C# code to get Mac address_


-----

The authors of Quasar RAT have utilized the “ManagementObjectSearcher” class to query all the antivirus (AV)
names and firewall details (fig. 22). AV details are determined using Windows Management Instrumentation
(WMI) making a connection to the root\SecurityCenter or root\SecurityCenter2 namespace and then querying
for the AntiVirusProduct WMI class. Similarly, WMI is used to determine if a third-party firewall is installed, using
the FirewallProduct class (fig. 23).

The Quasar RAT payload can look for BIOS infrastructure (fig. 24), hostname (fig. 25), hard disk space (fig. 26),
GPU details (fig. 27) and more using WMI.

_Figure 22: WMI used for querying antivirus details_

_Figure 23: WMI used for querying firewall details_

_Figure 24: WMI used for querying BIOS details_


-----

_Figure 25: WMI used for querying CPU Name_

_Figure 26: WMI used for querying physical memory_

_Figure 27: WMI used for querying GPU details_


-----

Quasar RAT has some more discovery modules which help the attacker to map the target host.

**Task Manager: This module is like a process management program. The cyber-criminal can access Task**
Manager to start/end processes and then add programs that run automatically on system startup (fig. 28).

_Figure 28: Task Manager module of Quasar RAT_

**File Manager: This module helps the attacker to access/delete files on the victim’s machine, and can download**
files from it (fig. 29).

_Figure 29: File Manager module of Quasar RAT_


-----

**Registry Editor: This module helps the attacker to change, add, or delete registries (fig.30).**

_Figure 30: Quasar RAT server Registry Editor module_

**TCP connection: This module serves as a monitoring tool for connections over the network. Both incoming and**
outgoing connections, routing tables, port listening, and usage statistics are monitored (fig. 31).

_Figure 31: TCP Connection module of Quasar RAT_


-----

##### Persistence

To achieve persistence, Quasar RAT uses two methods (fig. 32):

1. **Scheduled tasks—If the Quasar RAT client process has acquired administrator privileges, the client payload**

will generate a scheduled task via schtasks. The name of the scheduled task is based on the configuration in
the client builder. Usually, the schedule task runs after the user logs on and executes with the highest level
of privilege.

2. **Registry keys—If the client process does not have administrator privileges, the scheduled task will only add a**

registry value. That registry value is added to the following key:

###### HKCU\Software\Microsoft\Windows\CurrentVersion\Run

_Figure 32: The code snippet shows schtask being created by Quasar RAT client or run key added in the registry_


-----

##### Privilege Escalation

Quasar RAT client escalates its privileges by launching a command prompt (cmd.exe) as an administrator. The
elevated command prompt then relaunches the Quasar RAT client. The client now has the parent process
running with elevated privileges (fig. 33). During this course, a User Account Control window pops up on the
target machine (fig. 34). The pop-up window displays the process of running the command prompt as the
administrator (fig. 35).

_Figure 33: Code snipped RAT trying to escalate privileges_

_Figure 34: UAC window for privilege escalation of process cmd.exe_

_Figure 35: Admin privilege gained by Quasar RAT server_


-----

##### Credential Access

Quasar RAT C# program has the capability of stealing credentials from different entities. The stolen data from
the target host is saved into a text file — Passwords.txt — by the attacker. The RAT server has the Password
Recovery (fig. 36) module for stealing credentials.

Quasar RAT can steal:

9 Saved password from browsers (fig. 37) like Chrome (fig. 38), Microsoft Edge (fig. 39), Opera, Mozilla, etc.

9 Information from ftp servers such as FileZilla, WinSCP (fig. 40), etc.

_Figure 36: Password Recovery module of Quasar RAT_

_Figure 37: Password Dump module for different browsers_


-----

_Figure 38: Password Dump module for Chrome_

_Figure 39: Password Dump module for Edge_

_Figure 40: Password Reader module for WinSCP_


-----

Quasar RAT also operates as a keylogger (fig. 41). The feature saves logs as HTML files, where each of them contains
information about the application in which the input was performed, and a record of the keys pressed (fig. 42).

_Figure 41: Keylogger feature of Quasar RAT_

_Figure 42: Code analysis of the Keylogger module_


-----

##### Defense Evasion

Quasar RAT uses a process hollowing technique that could be determined by analyzing the source code (figs.
43, 44), which had Windows APIs such as WriteProcessMemory, VirtualAlloc and VirtualProtect included (fig. 45).

_Figure 43: Some Windows APIs found in the obfuscated code_

_Figure 44: Some Windows APIs found in the un-obfuscated code_

_Figure 45: Windows API calls_

The Quasar RAT payload calls NtUnmapViewOfSection, which is exported from ntdll.dll. The API will specifically
un-map the memory region at that base address from the target process’s virtual memory. Essentially, the
image of the executable of the original process will be cleared.

The payload uses GetProcAddress in order to get the address of NtUnmapViewOfSection. The Windows API is
then used to dump the payload (i.e. VirtualAllocEx, NtUnmapViewOfSection, and WriteProcessMemory).

Quasar RAT uses SetThreadContextto redirect the remote process to run the malicious thread.


-----

##### Remote Shell and File Execution

Quasar RAT has the capability to create a remote shell to the target host and execute arbitrary commands
(fig. 46). Another feature is ‘remote execution’ which can help the attacker to download files to the victim’s
machine and then execute them (fig. 47).

_Figure 46: Remote shell feature of Quasar RAT_

_Figure 47: Remote Execute module of Quasar RAT_


-----

##### Lateral Movement

One of the interesting features of Quasar RAT is its remote desktop. Remote desktop allows the attacker to
take control of the host screen (fig. 48). The feature includes a regulator with which the picture quality can be
changed. One can also enable or disable the transmission of control signals.

_Figure 48: Remote desktop feature of Quasar RAT_


-----

##### Impact: Shutdown/Reboot Systems

[According to MITRE, “Impact” is the measure of how the adversary is trying to manipulate, interrupt, or destroy](https://attack.mitre.org/tactics/TA0040/)
your systems and data. Quasar RAT can execute commands to shut down, reboot, or hibernate a remote victim
machine (figs. 49, 50).

**shutdown /s /t 0 – Shutdown**

**shutdown /r /t 0 – Reboot**

_Figure 49: Quasar RAT actions menu to shut down, restart, and standby_

_Figure 50: Code snippet for shut down, restart, and standby_


-----

### Quasar RAT Detections

With the objective of detecting Quasar RAT techniques, we emulated some of the scenarios associated with the
RAT campaigns in our research lab.

**Yara Detection of Quasar RAT: The RAT “mal.exe” payload is dropped in the directory path:**

###### C:\Users\admin\AppData\Roaming\SubDir\

[Qualys Multi-Vector EDR armed with YARA scanning successfully detected the Quasar RAT (fig. 51) with a threat](https://www.qualys.com/apps/endpoint-detection-response/)
score of 9/10. The process tree exhibits client-build.exe accessing mal.exe (fig. 52).

_Figure 51: Qualys Multi-Vector EDR detection: File creation of mal.exe_

_Figure 52: Qualys Multi-Vector EDR detection: Client-build.exe executing mal.exe as part of process tree_


-----

**Detection of Network Connection: Quasar RAT communication can be detected where the RAT’s mal.exe is**
connecting to multiple IP addresses and port numbers (fig. 53) as well as through an uncommon TCP port 4782
(fig. 54).

_Figure 53: Qualys Multi-Vector EDR detection: Process tree of mal.exe connecting to different IP addresses_
_and port numbers_

_Figure 54: Qualys Multi-Vector EDR detection: C2 server connection on TCP port 4782_


-----

**Detection of Persistence: Quasar RAT’s persistence mechanism can be detected where the registry value and**
data are added under the registry key (fig. 55):

###### HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The other way that Quasar creates persistence is by adding a scheduled task. This makes schtasks another
detection parameter (fig. 56).

###### schtasks create /tn “Java Update” /sc ONLOGON /tr “C:\Users\admin\AppData\Roaming\Sub­

 Dir\mal.exe” /rl HIGHEST /f

_Figure 55: Qualys Multi-Vector EDR detection: Registry Key used to create persistence_

_Figure 56: Qualys Multi-Vector EDR detection: Schtask used to create persistence via admin privileges_


-----

**Detection of Privilege Escalation: Quasar RAT escalates its privileges by launching a command prompt — cmd.**
exe — as an administrator. Qualys Multi-Vector EDR detects and displays the process cmd.exe running with
elevation (fig. 57), as well as the process tree where mal.exe is trying to access the cmd.exe process (fig. 58).

_Figure 57: Qualys Multi-Vector EDR detection: Cmd.exe accessed with elevated privileges_

_Figure 58: Qualys Multi-Vector EDR detection: Process tree of mal.exe executing cmd.exe_


-----

**Detection of Modification of System Processes: The attacker can kill a particular process using the task**
manager feature of Quasar RAT. Figure 59 below shows Notepad++.exe as one of the processes running in
the target machine. If the attacker kills the notepad++.exe process, then Qualys Multi-Vector EDR detects this
activity as follows:

9 Notepad++.exe process termination event on the EDR console (fig. 60)

9 Process tree for explorer.exe accessing notepad++.exe to terminate it (fig. 61)

_Figure 59: Task manager module used to kill Notepad++.exe process_

_Figure 60: Qualys Multi-Vector EDR detection: Notepad++.exe process termination event_


-----

_Figure 61: Qualys Multi-Vector EDR detection: Explorer.exe accessing Notepad++.exe process to terminate it_

**Detection of File Modification: The attacker can edit a particular file on the target host using the file manager**
feature of Quasar RAT. Figure 62 below shows adfind.exe is one of the files available on the target machine. If
the attacker deletes adfind, then detection of this activity using Qualys Multi-Vector EDR is as follows:

9 Adfind.exe file deletion event (fig. 63)

9 As a part of the process tree, mal.exe accessing adfind.exe to delete the file (fig. 64)

_Figure 62: File Manager module used to delete a adfind.exe file_


-----

_Figure 63: Qualys Multi-Vector EDR detection: Adfind.exe file deletion event_

_Figure 64: Mal.exe deleting adfind.exe file as a part of process tree_


-----

**Detection of Registry Modification: Let’s consider a scenario where the attacker may try to permanently**
disable antivirus, by setting the DisableAntiSpyware registry key to 1 in HKLM\SOFTWARE\Policies\
###### Microsoft\Windows Defender utilizing the registry editor feature of Quasar RAT.

Qualys Multi-Vector EDR detects registry changes as follows:

9 Mal.exe accessing the specific registry HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

(fig. 65)

9 Registry write event with MITRE ATT&CK #T1562 – Impair Defenses: Disable or Modify Tools – tagged (fig. 66)

_Figure 65: Qualys Multi-Vector EDR detection: Process tree of mal.exe trying to access Windows Defender registry_

_Figure 66: Qualys Multi-Vector EDR detection: Registry write event with MITRE tagging_


-----

**Detection of Modifications of Network connections: There are multiple connections established by**
different processes in the target host, as shown in figure 67. Using the TCP connection module, the attacker
may terminate the connection for the process svchost.exe with local IP 10.113.107.202:7680 => remote IP
10.113.107.227:14400. Qualys Multi-Vector EDR detected this as:

9 10.113.107.227:14400 connection is closed/terminated by svchost.exe process (figs. 68, 69, 70)

_Figure 67: TCP connection module used for terminating svchost connection_

_Figure 68: Qualys Multi-Vector EDR detection: Svchost closed connection event log_

_Figure 69: Qualys Multi-Vector EDR detection: Closed connection event details_


-----

_Figure 70: Qualys Multi-Vector EDR detection: Closed connection through svchost_

**Detection of Remote Shell: Let’s imagine a scenario where the attacker might run any arbitrary command into**
the target host using remote shell. For example, the attacker runs the systeminfo command to get details such
OS name, version, configuration, and more using remote shell (fig. 71).

_Figure 71: Systeminfo command run through remote shell_


-----

**As shown in figure 72, Qualys Multi-Vector EDR detects and observes that:**

9 mal.exe => cmd.exe => systeminfo.exe, as a part of the process tree (fig. 73)

_Figure 72: Qualys Multi-Vector EDR event for systeminfo_

_Figure 73: Qualys Multi-Vector EDR detection: The remote shell process tree_


-----

**Detection for Remote Execution: The attacker can upload any file into the target host and execute it using**
remote execution. For example, the attacker has remotely uploaded Psinfo, a command-line tool that gathers
key information, on the victim’s machine (fig. 74). The file gets renamed and dropped in file directory:
###### C:\Users\admin\AppData\Local\Temp\

Then Psinfo is executed through mal.exe.

_Figure 74: File Psinfo being uploaded through Remote Execution module_

Qualys Multi-Vector EDR detects and observes:

9 The file creation event of “Psinfo” disguised as “MawkDIxdwKC5.exe” in the file directory C:\Users\admin\

AppData\Local\Temp\ (figs. 75, 76)

9 Mal.exe executing the MawkDIxdwKC5.exe process, which is suspicious, as a part of the EDR process tree

(fig. 77)

_Figure 75: Qualys Multi-Vector EDR detection: Psinfo tool renamed and dropped in specific directory_


-----

_Figure 76: Qualys Multi-Vector EDR detection: Psinfo file creation event_

_Figure 77: Qualys Multi-Vector EDR detection: Mal.exe masquerading, trying to access psinfo_


-----

**Detection of Shutdown, Reboot, or Standby: Qualys Multi-Vector EDR detection of Quasar RAT executing**
commands to shut down, reboot, or hibernate a remote victim’s machine is shown in figures 78 and 79.

_Figure 78: Qualys Multi-Vector EDR detection of shutdown command_

_Figure 79: Qualys Multi-Vector EDR detection: Mal.exe trying to execute shutdown.exe_


-----

### Conclusion

The Qualys Research Team has observed that the authors of Quasar RAT have evolved the malware over a time,
have made multiple changes to its communication protocols, and introduced new evasive defense techniques.

The Quasar RAT source code is openly accessible, which gives hacker communities an advantage to easily
integrate and add new malware features. Hence, they have been using the readily available RAT framework for
launching cyber attacks — with little or no modification.

This research report has explained the various features and functions of Quasar RAT, how threat actor
groups are leveraging the RAT for launching attacks, and how Qualys Multi-Vector EDR helps in detecting and
eradicating this dirty rodent!


-----

### MITRE ATT&CK Mapping

9 Command and Sc+A2:B18ripting Interpreter: Windows Command Shell - T1059.003

9 Credentials from Web Browsers - T1555.003

9 Encrypted Channel: Symmetric Cryptography - T1573.001

9 Ingress Tool Transfer - T1105

9 Input Capture: Keylogging - T1056.001

9 Modify Registry - T1112

9 Remote Services: Remote Desktop Protocol - T1021.001

9 Scheduled Task/Job: Scheduled Task - T1053.005

9 System Information Discovery - T1082

9 Unsecured Credentials: Credentials In Files - T1552.001

9 Native API - T1106

9 Windows Management Instrumentation - T1047

9 Create or Modify System Process: Windows Service - T1543.003

9 Obfuscated Files or Information: Software Packing - T1027.002

9 Masquerading: Rename System Utilities - T1036.003

9 Process Injection: Process Hollowing - T1055.012

9 Virtualization/Sandbox Evasion: System Checks - T1497.001

9 Process Discovery - T1057

9 Software Discovery: Security Software Discovery - T1518.001

9 File and Directory Discovery - T1083

9 Query Registry - T1012

9 Input Capture - T1056

9 Screen Capture - T1113

9 Data from Local System - T1005

9 Standard Non-Application Layer Protocol - T1095

9 System Shutdown/Reboot - T1529

9 Video Capture - T1125


-----

### IOCs — Indicator of Compromise for Quasar RAT

##### MD5 Hashes

9 c1362ae0ed61ed13730b5bc423a6b771

9 b4bcf7088d6876a5e95b62cee9746139

9 6e0597bbae126c82d19e1ceaea50b75c

9 03b88fd80414edeabaaa6bb55d1d09fc

9 b894ab525964231c3c16feb0f2cbcffa

9 6b9112b4ee34e52e53104dbd538e04d3

9 7ffbc50f20e72676a31d318bc8f50483

9 483e02ec373ac4ce5676af185225d035

9 313ae2a853e0f47ef81040dc58247c88

9 7f9ec838f1906b3ac75a52babd2f77d6

9 2c98cc1306c8e50112e907afa22cfc06

9 fd4557a540e35948c0ff20f5b717d9bd

9 c0dc33123fcfe80ba419c1a7fb8e26d3

9 af0091faafe64b5d1ecdaf654c6b6282

9 1ce3d7e716ee9635bb0bea1623793e85

9 247d68ff4007bea6865af4783f7b15ab

9 b45ff49959f07f2465b83ca044d7c345

9 a1840646c8050d92c4f5140549711694

9 081b7bc6d5161210dc65068d36a6b87b

9 9ffbd9c5f170871b8dd14373a030d2e4

9 58179e91bf9385c939c159f8b8faad17

##### Domains

9 carlossosrepete.servecounterstrike.com

9 carsond5.hopto.org

##### IP Addresses

9 23.216.147.64

**About Qualys**

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based Security, Compliance and IT solutions with more than 10,000 subscription
customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and
compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings. Qualys, Qualys VMDR® and the Qualys logo
are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.


-----