Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration

This article presents a reproducible, Docker-packaged Jupyter Notebook workflow that leverages pythonnet and dnlib to statically extract QuasarRAT’s configuration from .NET assemblies, handling both unobfuscated and obfuscated builds. It explains locating .cctor/Aes256/Settings in IL, recovering AES-256/PBKDF2 cryptographic parameters (salt, key, IV), and automating decryption of embedded strings with a Python extractor; full code is available in the Sekoia.io Community repository. #QuasarRAT #dnlib

Keypoints

  • The lab environment is reproducible: Docker-packaged Jupyter Notebook configured with pythonnet, dnlib, dnSpy/ILSpy and PE manipulation libraries to support development of an automated extractor.
  • QuasarRAT is an open-source .NET RAT (originally xRAT) widely abused by threat actors for remote administration features such as C2, file management, remote desktop, keylogging and command execution.
  • Static .NET IL analysis is central: configuration values are stored as static fields and initialized in the class static constructor (.cctor), enabling extraction by pairing ldstr and stsfld instructions.
  • The unobfuscated extraction locates Config.Settings and reads HOSTS by scanning the .cctor IL instructions for ldstr followed by stsfld to retrieve string constants.
  • Obfuscated builds are handled by locating the Aes256 class, extracting the hardcoded salt (via ldtoken/InitializeArray/FieldRVA), finding the PBKDF2-derived AES key, enumerating encrypted fields and decrypting them with the recovered key/salt/IV.
  • Several generic helper routines are reusable across samples: search for crypto provider instantiations (AesCryptoServiceProvider), cross-reference searchers, field extraction from structures, and heuristics to identify the decryption routine by call-count analysis.
  • Limitations include packed executables, non-AES algorithms or custom runtime loaders; future work could add dynamic tracing and deobfuscation pipeline integration; full extractor code is hosted in the Sekoia.io Community Git repository.
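As an added example that is not part of the article or of the Sekoia.io extractor, the pairing and key-recovery steps from the key points above in stdlib-only Python: it pairs ldstr/stsfld in a .cctor, derives the AES and HMAC keys from the master key and salt, and splits one setting into IV and ciphertext after checking its HMAC. The 50,000-iteration PBKDF2 and the HMAC || IV || ciphertext layout are assumed from QuasarRAT's open-source Aes256 class; the salt, master key and IL used to exercise it are constructed, and the final AES-256-CBC step is left to any AES library.

```python
import base64
import hashlib
import hmac

# Assumed from QuasarRAT's open-source Aes256 class, not from the article:
# PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes), 50 000 iterations, 32-byte AES key
# then 64-byte HMAC key; a setting is base64(HMAC-SHA256 || IV || AES-CBC data).
ITERATIONS, KEY_LEN, AUTH_KEY_LEN, IV_LEN, MAC_LEN = 50_000, 32, 64, 16, 32

def pair_static_strings(il):
    """Map each static field to the ldstr right before its stsfld in a .cctor.
    `il` yields (opcode_name, operand); with pythonnet + dnlib pass
    ((i.OpCode.Name, i.Operand) for i in cctor.Body.Instructions)."""
    fields, pending = {}, None
    for opcode, operand in il:
        if opcode == "ldstr":
            pending = operand                    # value waiting for its stsfld
        elif opcode == "stsfld":
            if pending is not None:              # ldc.i4 / null initialisers are skipped
                fields[str(operand)] = pending
            pending = None
        elif opcode != "nop":
            pending = None                       # any other instruction breaks the pair
    return fields

def derive_keys(master_key, salt):
    """GetBytes(32) then GetBytes(64) from a single Rfc2898DeriveBytes stream."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), salt,
                                 ITERATIONS, KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]

def split_setting(value, auth_key):
    """(iv, ciphertext) for an authenticated blob; None for plaintext fields
    such as the master key, or when the HMAC does not verify."""
    try:
        blob = base64.b64decode(value, validate=True)
    except ValueError:                           # not base64 at all: a plaintext field
        return None
    body = len(blob) - MAC_LEN - IV_LEN
    if body < 16 or body % 16:                   # too short or not whole AES blocks
        return None
    tag = hmac.new(auth_key, blob[MAC_LEN:], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob[:MAC_LEN]):
        return None                              # wrong key/salt, or a tampered value
    return blob[MAC_LEN:MAC_LEN + IV_LEN], blob[MAC_LEN + IV_LEN:]
```

Feed the returned (iv, ciphertext) together with the derived 32-byte key to an AES-256-CBC decryptor and strip PKCS#7 padding to obtain the plaintext setting.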

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The article describes an obfuscated QuasarRAT build and use of generic .NET obfuscators: (‘This build employs a generic .NET obfuscator, many tools are available on GitHub such as .NET-Obfuscator, obfuscar.’).
  • [T1140] Deobfuscate/Decode Files or Information – The extractor decodes/decrypts runtime-encrypted configuration strings (AES/PBKDF2) to reveal plaintext settings: (‘decrypt its settings at runtime’ and ‘Decrypt each string using the derived AES key and salt.’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The article recommends PowerShell Reflection for probing assemblies and deobfuscation without a debugger: (‘PowerShell’s Reflection capabilities can load a .NET assembly, then access its members or invoke its methods directly from the command line.’).
  • [T1071] Application Layer Protocol – The focus on extracting the Command-and-Control server entry (HOSTS) highlights C2 communications as a RAT capability: (‘the Command-and-Control server entry stored in the Settings class member HOSTS.’).
  • [T1056.001] Input Capture: Keylogging – QuasarRAT capabilities include keylogging, which enables input capture on compromised hosts: (‘features such as … keylogging’).
  • [T1113] Screen Capture – QuasarRAT supports remote desktop viewing, corresponding to screen capture capability used by remote access tools: (‘remote desktop viewing’).

Indicators of Compromise

  • [File hash] QuasarRAT sample build – SHA-256: 4ef44bf6815e78603aec5b480f43fa26d883897c88ced763565e912c38ac9639
  • [Domain/URL] Hosted utility/resource referenced in notebook environment – https://t7f4e9n3.delivery.rocketcdn.me/workspace/utils/dnlib.dll
  • [File name] Libraries and binaries referenced – dnlib.dll, dnSpy (decompiler tool) and MALWARE_PE_PATH (sample placeholder)
  • [Repository / Project] Source and tools mentioned – QuasarRAT (xRAT) GitHub repo, .NET-Obfuscator, obfuscar (GitHub projects) and the Sekoia.io Community Git repository (extractor code).

Read more: https://blog.sekoia.io/advent-of-configuration-extraction-part-2-unwrapping-quasarrats-configuration/