Backdoor:MSIL/Quasar.GG!MTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/Quasar.GG!MTB
Classification:
  Type: Backdoor
  Platform: MSIL
  Family: Quasar
  Detection Type: Concrete (known malware family with identified signatures)
  Variant: GG (specific signature variant within the malware family)
  Suffix: !MTB (detected via machine learning and behavioral analysis)
  Detection Method: Behavioral
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: a Backdoor (malware that provides unauthorized remote access) targeting the MSIL (.NET Microsoft Intermediate Language) platform, family Quasar.

Summary:

This detection identifies the Quasar Remote Administration Tool (RAT), a backdoor that gives an attacker full control over the infected system. Its capabilities include keylogging, credential theft, remote command execution, and establishing a reverse proxy for further network intrusion.

Severity: Medium
VDM Static Detection:
Relevant strings associated with this threat:
 - Quasar.Client. (PEHSTR_EXT)
 - QuasarClient (PEHSTR_EXT)
 - xClient.Core (PEHSTR_EXT)
 - keylogger (PEHSTR_EXT)
 - ENABLELOGGER (PEHSTR_EXT)
 - DoShellExecute (PEHSTR_EXT)
YARA Rule:
rule Backdoor_MSIL_Quasar_GG_2147772079_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/Quasar.GG!MTB"
        threat_id = "2147772079"
        type = "Backdoor"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Quasar"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "16"
        strings_accuracy = "High"
    strings:
        $x_10_1 = "Quasar.Client." ascii //weight: 10
        $x_1_2 = "Payload" ascii //weight: 1
        $x_1_3 = "MouseKeyHook" ascii //weight: 1
        $x_1_4 = "login" ascii //weight: 1
        $x_1_5 = "password" ascii //weight: 1
        $x_1_6 = "PK11SDR_Decrypt" ascii //weight: 1
        $x_1_7 = "WinSCPDecrypt" ascii //weight: 1
        $x_1_8 = "EncryptedPassword" ascii //weight: 1
        $x_1_9 = "Shutdown" ascii //weight: 1
        $x_1_10 = "ReverseProxy" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_10_*) and 6 of ($x_1_*))) or
            (all of ($x*))
        )
}
Known malware samples associated with this threat:
  Filename: Client.exe  Hash: fac79110f89632dd781e18a2c7a546512b25be68fd0be7ed03ed2adde4bd6237  Date: 23/11/2025
  Filename: Client.exe  Hash: ebc830ab4ada04893c99e4f4d9efa8edc9aab88e84d082b89f55051a7cceb043  Date: 23/11/2025
  Filename: Client.exe  Hash: ed786856ea42e754fae065fe0059d509cb137d9525f6be38158367406ba31c87  Date: 23/11/2025
  Filename: Client.exe  Hash: f1f65883c03e68ceff270b8cd6ab4daa300a07aa8f235baa0b5e20df6d43b618  Date: 23/11/2025
  Filename: Client.exe  Hash: f1fe3f793ad91f0be6a2574b98423ad51e5d38eb226be004c1004478d5d8c386  Date: 23/11/2025
Remediation Steps:
Immediately isolate the affected machine from the network. Use a fully updated EDR or antivirus tool to perform a full system scan and remove the threat. Investigate for persistence mechanisms, reset all user and system passwords, and review logs for signs of lateral movement or data exfiltration.
=== END REPORT ===
Analysis last updated: 23/11/2025