Backdoor:MSIL/Quasar!rfn - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/Quasar!rfn
Classification:
Type: Backdoor
Platform: MSIL
Family: Quasar
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) targeting the MSIL (.NET / Microsoft Intermediate Language) platform, family Quasar.

Summary:

This is a concrete detection of Backdoor:MSIL/Quasar!rfn, a variant of the well-known Quasar Remote Access Trojan (RAT). This malware grants attackers extensive control over the compromised system, including capabilities for screen capture, remote command execution, file management, and exfiltration of credentials from web browsers and FTP clients. Its ability to upload and execute further payloads, combined with its data exfiltration and C2 communication mechanisms (like URL shorteners), makes it a highly potent threat.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - descreveabc (PEHSTR_EXT)
 - \Remote\QuasarRAT-master (PEHSTR_EXT)
 - descreve (PEHSTR_EXT)
 - xClient.Core. (PEHSTR_EXT)
 - DoUploadAndExecute (PEHSTR_EXT)
 - \QuasarRAT-master\ (PEHSTR_EXT)
 - xClient.Core.Recovery.Browsers (PEHSTR_EXT)
 - xClient.Core.Recovery.FtpClients (PEHSTR_EXT)
 - QuasarRAT-master (PEHSTR)
 - CaptureScreen (PEHSTR)
 - HandleDoUploadAndExecute (PEHSTR)
 - XData Source=WTFBEE-PC\SQLEXSERVER (PEHSTR_EXT)
 - select name From sys.databases (PEHSTR_EXT)
 - tinyurl.com (PEHSTR_EXT)
 - api.bit.ly (PEHSTR_EXT)
 - nomcomp (PEHSTR_EXT)
 - Quasar.Client. (PEHSTR_EXT)
 - QuasarClient (PEHSTR_EXT)
 - xClient.Core (PEHSTR_EXT)
 - DoShellExecute (PEHSTR_EXT)
 - \AppData\ (PEHSTR_EXT)
 - .proj (PEHSTR_EXT)
 - http://joxi.ru/ (PEHSTR_EXT)
 -  .proj (PEHSTR_EXT)
 - DESCryptoServiceProvider (PEHSTR_EXT)
 - System.Security.Cryptography.X509Certificates (PEHSTR_EXT)
 - Client.Tests (PEHSTR_EXT)
 - compIBM&& (PEHSTR_EXT)
 - 108.anonfiles.com/D9h3P3Pex2/e0f0a67c-1647857705/ino (PEHSTR_EXT)
 - claim.Resource (PEHSTR_EXT)
 - xClient.Properties.Resources.resources (PEHSTR_EXT)
 - HttpWebRequest (PEHSTR_EXT)
 - HttpWebResponse (PEHSTR_EXT)
 - -.+Ar (PEHSTR_EXT)
 - ccsqs.exe (PEHSTR_EXT)
 - EvX.Common.DNS (PEHSTR_EXT)
 - BetterCall.Models (PEHSTR_EXT)
 - get_updateBat (PEHSTR_EXT)
 - System.Net.WebClient (PEHSTR_EXT)
 - USERNAME.zip (PEHSTR_EXT)
 - api.telegram.org/bot5651243701 (PEHSTR_EXT)
 - garrettdetectors.sk (PEHSTR_EXT)
 - APPDATA\ot.exe (PEHSTR_EXT)
 - WindowsFormsApp1.Properties.Resources.resource (PEHSTR_EXT)
 - server1.Resources.resources (PEHSTR_EXT)
 - server1.exe (PEHSTR_EXT)
 - rat\rat (PEHSTR_EXT)
 - SinemaOtomasyonVize.exe (PEHSTR_EXT)
 - InitCommonControls (PEHSTR_EXT)
 - uerijnq.Resources.resources (PEHSTR_EXT)
 - serv.Resources.resources (PEHSTR_EXT)
 - SmartAssembly.HouseOfCards (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - jSphndkg (PEHSTR_EXT)
 - github.com-1ecc6299db9ec823 (PEHSTR_EXT)
 - payload.exe (PEHSTR_EXT)
 - eser.Client.Properties (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - http://spoofer.sytes.net/ (PEHSTR_EXT)
 - Checking if user is admin... (PEHSTR_EXT)
 - start C:\Windows\System32\IME (PEHSTR_EXT)
 - Starting spoofer... (PEHSTR_EXT)
 - Registry entries were spoofed. (PEHSTR_EXT)
 - Removed any trace files found. (PEHSTR_EXT)
 - ConsoleApplication.pdb (PEHSTR_EXT)
 - jkzjzwoaix.g.resources (PEHSTR_EXT)
 - System.Resources (PEHSTR_EXT)
 - orthodox.exe (PEHSTR_EXT)
 - SiMayService.Loader (PEHSTR_EXT)
 - http://spoofer.sytes.net (PEHSTR_EXT)
 - SOFTWARE\Policies\Microsoft\Windows Defender (PEHSTR_EXT)
 - Registy entrie(s) were spoofed. (PEHSTR_EXT)
 - github.com/3F/Conari (PEHSTR_EXT)
 - vbs.exe (PEHSTR_EXT)
 - Quasar Client (PEHSTR_EXT)
 - 1.4.0 (PEHSTR_EXT)
 - SAITMCalculator.exe (PEHSTR_EXT)
 - brave.g.resources (PEHSTR_EXT)
 - WindowsFormsApp95.Properties (PEHSTR_EXT)
 - SEEDCRACKER.g.resources (PEHSTR_EXT)
 - PowershellExecutorXorEncoded (PEHSTR_EXT)
 - GetExecutableBytesWithEncrypt (PEHSTR_EXT)
 - Remove-Item -Path $exePath -Force (PEHSTR_EXT)
 - currentDir\Fivem (PEHSTR_EXT)
 - bycrpfmanhdquerp.Resources (PEHSTR_EXT)
 - Client-built.exe (PEHSTR_EXT)
 - powershell.exe (PEHSTR_EXT)
 - a0749986.xsph.ru (PEHSTR_EXT)
 - Software\Policies\Microsoft\Windows\System (PEHSTR_EXT)
 - \ProgramData\def3.exe (PEHSTR_EXT)
 - \ProgramData\AkrosAC.exe (PEHSTR_EXT)
 - main.CrysisExperimental (PEHSTR_EXT)
 - main.DCRYSIS (PEHSTR_EXT)
 - Xtcs.Properties.Resources (PEHSTR_EXT)
 - Decompress (PEHSTR_EXT)
 - fghhfgjsffrfdfdfffdfdshfdsdfh (PEHSTR_EXT)
 - \Buffer\obj\Release\Michael.pdb (PEHSTR_EXT)
 - //cdn.discordapp.com/attachments/ (PEHSTR_EXT)
 - .bat (PEHSTR_EXT)
 - d&COMPUTERNAME (PEHSTR_EXT)
 - //discord.com/api/webhooks/ (PEHSTR_EXT)
 - AntiReverseTest\AntiReverse (PEHSTR_EXT)
 - start /b PowerShell.exe /c $process = Start-Process -FilePath (PEHSTR_EXT)
 - tempting to start ssvchost.exe (PEHSTR_EXT)
 - E:\hacktools (PEHSTR_EXT)
 - stageless\test\x64\Release\test.pdb (PEHSTR_EXT)
 - Black.Myth.Wukong.Trainer.V1.4.2-XiaoXing (PEHSTR_EXT)
 - server.Resources.resources (PEHSTR_EXT)
 - DllCanUnloadNow (PEHSTR_EXT)
 - http (PEHSTR_EXT)
 - d.exe (PEHSTR_EXT)
 - amsi.dll (PEHSTR_EXT)
 - 141.98.7.51/stub/Shell.exe (PEHSTR_EXT)
 - powershell -inputformat none -outputformat none -NonInteractive -Command (PEHSTR_EXT)
 - Add-MpPreference -ExclusionPath C:\Windows\PowerShell (PEHSTR_EXT)
 - Injection completed! (PEHSTR_EXT)
 - Process already elevated. (PEHSTR_EXT)
 - BQuasar.Client.Extensions. (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - Filename: 0f99c1e6d3335933698ac340629ad3c1.exe
 - SHA-256: 0d9949646843d57838274a8dc7c102dcddee46c5d829652f742acc8602e930eb
 - Date: 31/01/2026
Remediation Steps:
Immediately isolate the affected system from the network. Perform a full system scan with updated antivirus/EDR and ensure the threat is completely removed. Thoroughly investigate for persistence mechanisms, lateral movement, and potential data exfiltration. Reset all user and administrative credentials that were present or used on the compromised system, and consider a full system reimage if the extent of compromise is unclear.
=== END REPORT ===