Concrete signature match: Backdoor - Provides unauthorized remote access for .NET (Microsoft Intermediate Language) platform, family Quasar
This is a concrete detection of Quasar RAT, a well-known .NET-based backdoor. This malware provides attackers with complete remote control over the infected system, allowing for data exfiltration, command execution, and establishing persistent access. The technical evidence points to the use of system utilities (PowerShell, Rundll32) and process hooking to maintain its foothold and evade detection.
Relevant strings associated with this threat:

- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Immediately isolate the affected machine from the network to prevent lateral movement. Use your security software to remove the threat. Investigate for persistence mechanisms (e.g., scheduled tasks, registry keys) and change all user and service account passwords associated with the machine. Consider re-imaging the system from a known-good source.