Backdoor:MSIL/Quasar!pz - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/Quasar!pz
Classification:
  Type: Backdoor
  Platform: MSIL
  Family: Quasar
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !pz (packed or compressed to evade detection)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) on the MSIL (.NET, Microsoft Intermediate Language) platform, family Quasar

Summary:

This is a concrete detection of Quasar RAT, an open-source .NET-based backdoor. This malware provides an attacker with complete remote control over the infected system, enabling them to execute commands, steal credentials and data, capture the screen, and download/execute additional payloads.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat (string type in parentheses):
 - descreveabc (PEHSTR_EXT)
 - \Remote\QuasarRAT-master (PEHSTR_EXT)
 - descreve (PEHSTR_EXT)
 - xClient.Core. (PEHSTR_EXT)
 - DoUploadAndExecute (PEHSTR_EXT)
 - \QuasarRAT-master\ (PEHSTR_EXT)
 - xClient.Core.Recovery.Browsers (PEHSTR_EXT)
 - xClient.Core.Recovery.FtpClients (PEHSTR_EXT)
 - QuasarRAT-master (PEHSTR)
 - CaptureScreen (PEHSTR)
 - HandleDoUploadAndExecute (PEHSTR)
 - XData Source=WTFBEE-PC\SQLEXSERVER (PEHSTR_EXT)
 - select name From sys.databases (PEHSTR_EXT)
 - tinyurl.com (PEHSTR_EXT)
 - api.bit.ly (PEHSTR_EXT)
 - nomcomp (PEHSTR_EXT)
 - Quasar.Client. (PEHSTR_EXT)
 - QuasarClient (PEHSTR_EXT)
 - xClient.Core (PEHSTR_EXT)
 - DoShellExecute (PEHSTR_EXT)
 - \AppData\ (PEHSTR_EXT)
 - .proj (PEHSTR_EXT)
 - http://joxi.ru/ (PEHSTR_EXT)
 -  .proj (PEHSTR_EXT)
 - DESCryptoServiceProvider (PEHSTR_EXT)
 - System.Security.Cryptography.X509Certificates (PEHSTR_EXT)
 - Client.Tests (PEHSTR_EXT)
 - compIBM&& (PEHSTR_EXT)
 - 108.anonfiles.com/D9h3P3Pex2/e0f0a67c-1647857705/ino (PEHSTR_EXT)
 - claim.Resource (PEHSTR_EXT)
 - xClient.Properties.Resources.resources (PEHSTR_EXT)
 - HttpWebRequest (PEHSTR_EXT)
 - HttpWebResponse (PEHSTR_EXT)
 - -.+Ar (PEHSTR_EXT)
 - ccsqs.exe (PEHSTR_EXT)
 - EvX.Common.DNS (PEHSTR_EXT)
 - BetterCall.Models (PEHSTR_EXT)
 - get_updateBat (PEHSTR_EXT)
 - System.Net.WebClient (PEHSTR_EXT)
 - USERNAME.zip (PEHSTR_EXT)
 - api.telegram.org/bot5651243701 (PEHSTR_EXT)
 - garrettdetectors.sk (PEHSTR_EXT)
 - APPDATA\ot.exe (PEHSTR_EXT)
 - WindowsFormsApp1.Properties.Resources.resource (PEHSTR_EXT)
 - server1.Resources.resources (PEHSTR_EXT)
 - server1.exe (PEHSTR_EXT)
 - rat\rat (PEHSTR_EXT)
 - SinemaOtomasyonVize.exe (PEHSTR_EXT)
 - InitCommonControls (PEHSTR_EXT)
 - uerijnq.Resources.resources (PEHSTR_EXT)
 - serv.Resources.resources (PEHSTR_EXT)
 - SmartAssembly.HouseOfCards (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - jSphndkg (PEHSTR_EXT)
 - github.com-1ecc6299db9ec823 (PEHSTR_EXT)
 - payload.exe (PEHSTR_EXT)
 - eser.Client.Properties (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - http://spoofer.sytes.net/ (PEHSTR_EXT)
 - Checking if user is admin... (PEHSTR_EXT)
 - start C:\Windows\System32\IME (PEHSTR_EXT)
 - Starting spoofer... (PEHSTR_EXT)
 - Registry entries were spoofed. (PEHSTR_EXT)
 - Removed any trace files found. (PEHSTR_EXT)
 - ConsoleApplication.pdb (PEHSTR_EXT)
 - jkzjzwoaix.g.resources (PEHSTR_EXT)
 - System.Resources (PEHSTR_EXT)
 - orthodox.exe (PEHSTR_EXT)
 - SiMayService.Loader (PEHSTR_EXT)
 - http://spoofer.sytes.net (PEHSTR_EXT)
 - SOFTWARE\Policies\Microsoft\Windows Defender (PEHSTR_EXT)
 - Registy entrie(s) were spoofed. (PEHSTR_EXT)
 - github.com/3F/Conari (PEHSTR_EXT)
 - vbs.exe (PEHSTR_EXT)
 - Quasar Client (PEHSTR_EXT)
 - 1.4.0 (PEHSTR_EXT)
 - SAITMCalculator.exe (PEHSTR_EXT)
 - brave.g.resources (PEHSTR_EXT)
 - WindowsFormsApp95.Properties (PEHSTR_EXT)
 - SEEDCRACKER.g.resources (PEHSTR_EXT)
 - PowershellExecutorXorEncoded (PEHSTR_EXT)
 - GetExecutableBytesWithEncrypt (PEHSTR_EXT)
 - Remove-Item -Path $exePath -Force (PEHSTR_EXT)
 - currentDir\Fivem (PEHSTR_EXT)
 - bycrpfmanhdquerp.Resources (PEHSTR_EXT)
 - Client-built.exe (PEHSTR_EXT)
 - powershell.exe (PEHSTR_EXT)
 - a0749986.xsph.ru (PEHSTR_EXT)
 - Software\Policies\Microsoft\Windows\System (PEHSTR_EXT)
 - \ProgramData\def3.exe (PEHSTR_EXT)
 - \ProgramData\AkrosAC.exe (PEHSTR_EXT)
 - main.CrysisExperimental (PEHSTR_EXT)
 - main.DCRYSIS (PEHSTR_EXT)
 - Xtcs.Properties.Resources (PEHSTR_EXT)
 - Decompress (PEHSTR_EXT)
 - fghhfgjsffrfdfdfffdfdshfdsdfh (PEHSTR_EXT)
 - \Buffer\obj\Release\Michael.pdb (PEHSTR_EXT)
 - //cdn.discordapp.com/attachments/ (PEHSTR_EXT)
 - .bat (PEHSTR_EXT)
 - d&COMPUTERNAME (PEHSTR_EXT)
 - //discord.com/api/webhooks/ (PEHSTR_EXT)
 - AntiReverseTest\AntiReverse (PEHSTR_EXT)
 - start /b PowerShell.exe /c $process = Start-Process -FilePath (PEHSTR_EXT)
 - tempting to start ssvchost.exe (PEHSTR_EXT)
 - E:\hacktools (PEHSTR_EXT)
 - stageless\test\x64\Release\test.pdb (PEHSTR_EXT)
 - Black.Myth.Wukong.Trainer.V1.4.2-XiaoXing (PEHSTR_EXT)
 - server.Resources.resources (PEHSTR_EXT)
 - DllCanUnloadNow (PEHSTR_EXT)
 - http (PEHSTR_EXT)
 - d.exe (PEHSTR_EXT)
 - amsi.dll (PEHSTR_EXT)
 - 141.98.7.51/stub/Shell.exe (PEHSTR_EXT)
 - powershell -inputformat none -outputformat none -NonInteractive -Command (PEHSTR_EXT)
 - Add-MpPreference -ExclusionPath C:\Windows\PowerShell (PEHSTR_EXT)
 - Injection completed! (PEHSTR_EXT)
 - Process already elevated. (PEHSTR_EXT)
 - BQuasar.Client.Extensions. (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat (filename, SHA-256, date first seen in DD/MM/YYYY):
  Client-built.exe
    92478c525daf58642a221dfda3782d6414d2040976fea242effffbdc854e813c
    02/12/2025
  caf7254ae621cba9189e65295b25a272fe122e1ab2f3d05ec65dd0709b23d52e (file named by its own hash)
    caf7254ae621cba9189e65295b25a272fe122e1ab2f3d05ec65dd0709b23d52e
    02/12/2025
  Client.exe
    f41b3a1f74c14ef3556fede661d17121c215997f03db46b831e4b11d3d9b59df
    23/11/2025
  Client.exe
    f481413e72698abedeaec9f0aba4b3ec9af39839a7cca46959ad41efcfd91325
    23/11/2025
  Client.exe
    f4a0a365e6f6abe9956cf2f52ee5527b215774968e14fb9e2a02f015bc9bda50
    23/11/2025
Remediation Steps:
Immediately isolate the affected endpoint from the network. Due to the complete system access provided by this backdoor, the recommended action is to reimage the machine from a known-clean source. After reimaging, reset all user credentials that were present on the host.
=== END REPORT ===
This analysis was last updated on 21/11/2025.