Backdoor:MSIL/Quasar!atmn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/Quasar!atmn
Classification:
Type: Backdoor
Platform: MSIL
Family: Quasar
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !atmn
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), targeting the .NET / MSIL (Microsoft Intermediate Language) platform, family Quasar.

Summary:

This is a concrete detection of Quasar RAT, a well-known .NET-based backdoor. The malware gives an attacker full remote control of the infected system, including data exfiltration, command execution, and persistent access. The static signature strings listed below point to abuse of built-in system utilities (PowerShell, Rundll32) and process hooking to maintain a foothold and evade detection.

Severity: Critical

VDM Static Detection:
Relevant signature strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware samples associated with this threat:
Remediation Steps:
Immediately isolate the affected machine from the network to prevent lateral movement. Use your security software to remove the threat. Investigate for persistence mechanisms (e.g., scheduled tasks, registry keys) and change all user and service account passwords associated with the machine. Consider re-imaging the system from a known-good source.
=== END REPORT ===
Analysis last updated: 14/11/2025