This analysis will cover the extraction of Quasar configuration via dnSpy. We'll then use this information to pivot to additional servers utilising Shodan and Censys. In total, 64 additional servers will be identified.

A full list of the 64 Quasar servers can be found at the end of this post.

An overview of this post

  • Obtaining the initial sample
  • Overview of the unpacking process
  • Locating and extracting Quasar configuration using dnSpy
  • Analysis of Quasar Configuration
  • Building Shodan Queries
  • Analysis of identified servers
  • Cross-referencing detection rates with VirusTotal
  • Identifying additional servers using Censys
  • Complete list of identified servers


The malware sample was obtained from Malware Bazaar and is available here.



I'll leave the bulk of Quasar unpacking for another post. This is a high-level summary of the process that I used.

  • Unzip the file using the password infected
  • Identify high-entropy regions using detect-it-easy
  • Check strings and observe multiple references to ZwWriteVirtualMemory and InstallUtil.exe
  • Assume the high-entropy region is the loader
  • Assume InstallUtil.exe is the injection target
  • Execute the malware inside the virtual machine
  • Use Process Hacker to observe new spawns of InstallUtil.exe
  • Use Process Hacker to observe the .NET assemblies loaded into InstallUtil.exe
  • Use dnSpy to dump the .NET assemblies and obtain the Quasar RAT
  • Load Quasar into dnSpy and browse to the entry point
  • Observe the config initialisation function; set breakpoints and create a watch window
  • Obtain the configuration

Extracting Configuration From Quasar Rat

Following the steps above leads to the configuration code shown below. Portions of the code have been renamed for readability.

Each GClass65.string_8 value references a string that has been encrypted using AES and then encoded using base64.

The AES decryption code can be seen below.

There is also a reference to an additional layer of base64 encoding, applied on top of the initial AES encryption.

By setting appropriate breakpoints and watch windows, the configuration can be obtained with minimal analysis of the encryption routine itself.

Analysis of the Quasar Configuration

The most interesting components of the configuration are the (likely) C2 of 217.196[.]96.37:5678, as well as the X.509 certificate used for SSL/TLS communications.

An X.509 certificate forms part of the public-key component of the TLS communications performed between a client and a server. The certificate contains valuable information about who is "endorsing" the communications, and who exactly is being endorsed.
There are some detailed write-ups with much better explanations from Sectigo and Wikipedia.

Typically I have ignored X.509 certificates, but today will be a little bit different.

The X.509 certificate contains a subject and issuer value of Quasar Server CA.

Of particular note is that the X.509 certificate was initially encrypted by the malware. This is an indication that it contains something valuable that could hinder the malware if revealed and appropriately analysed.

Generally, I would stop my analysis here as the C2 was successfully found.

Today I will take this one step further, based on some infrastructure-hunting posts from @MichalKoczwara .

You can find such posts here and here.

How to Build a Shodan Query for Quasar

To take my analysis further, I decided to utilise the issuer information of Quasar Server CA to identify additional Quasar servers. Shodan was my first choice for this investigation.

To utilise the information, I first had to build a valid query for Shodan. This was done using the filter list from the main Shodan site.

The filter seemed the most appropriate. would also work well and produce the same results in my analysis.

This resulted in an initial query of "Quasar Server CA".

This query revealed 15 servers running with the subject common name of Quasar Server CA.

These 15 servers were geographically dispersed and primarily across China, Hong Kong and Germany. The ports used also vary and include 1337.

Narrowing the search to port 1337 returned two servers.

The second server, 164.92[.]184.73, had 0/86 detections on VirusTotal. The other had only 1/87 as of 2023-05-15. More information on VT detections can be found later in this article.

The servers are mostly running on cloud hosting providers, including Hetzner, DigitalOcean and China Unicom.

China Unicom is pretty interesting.

Another overview of the countries can be seen here.

Exporting the Full list

The rest of the data was not especially interesting, and the associated JARM/JA3S values did not reveal much.

So I decided to export the list of servers and check the rest against VirusTotal.

A full list of the servers can be seen here.


Analysing Detections Using Virustotal

Viewing the servers within VirusTotal, we can again see that one of the servers running port 1337 has 0/86 detections.

The other Quasar server running 1337 has only 1/87 detections.

In total, there were 9 servers with 0 detections as of 2023-05-15. A few of these are listed below.

Full List of VirusTotal Detections

This is a full list of the detection rates as of 2023-05-15.

  • VT 3/87
  • VT 0/86
  • VT 1/87
  • VT 0/86
  • VT 0/86
  • VT 3/87
  • VT 0/86
  • VT 12/87
  • VT 0/86
  • VT 1/87
  • VT 0/86
  • VT 0/86
  • VT 1/87
  • VT 2/87
  • VT 0/86
  • VT 2/87
  • VT 1/87
  • VT 0/86

Bonus Analysis Using Censys

Using Censys I was able to identify another 46 servers. I have not checked these against VirusTotal. You are welcome to do so using the full list of servers at the end of this post.

services.tls.certificates.leaf_data.subject.common_name: "Quasar Server CA"
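As an added example (not the post's own tooling), the following Python merges a Shodan export and Censys host records pivoted on the Quasar Server CA subject CN into one deduplicated ip:port watchlist with country and port breakdowns, the step in which the two result sets above are combined into a single list. The Shodan banner field names, the Censys host layout and the sample hosts are assumptions constructed for illustration; only the Censys certificate field path is the one used in the query above.

```python
import json
from collections import Counter

# Subject/issuer CN recovered from the Quasar configuration in the post.
PIVOT_CN = "Quasar Server CA"

# Constructed Shodan export in JSON Lines form; field names follow Shodan's
# banner schema (ip_str, port, location.country_name, ssl.cert.subject.CN), an
# assumption, and the hosts are documentation addresses, not real C2 servers.
SHODAN_EXPORT = """\
{"ip_str": "192.0.2.10", "port": 1337, "location": {"country_name": "Germany"}, "ssl": {"cert": {"subject": {"CN": "Quasar Server CA"}, "issuer": {"CN": "Quasar Server CA"}}}}
{"ip_str": "192.0.2.11", "port": 4782, "location": {"country_name": "China"}, "ssl": {"cert": {"subject": {"CN": "Quasar Server CA"}, "issuer": {"CN": "Quasar Server CA"}}}}
{"ip_str": "192.0.2.12", "port": 443, "location": {"country_name": "China"}, "ssl": {"cert": {"subject": {"CN": "www.example.test"}, "issuer": {"CN": "Example CA"}}}}
"""

# Constructed Censys host records; the certificate field path is the one from
# the post's query, the surrounding host layout is an assumption.
CENSYS_HOSTS = [
    {"ip": "192.0.2.10", "location": {"country": "Germany"}, "services": [
        {"port": 1337, "tls": {"certificates": {"leaf_data": {"subject": {"common_name": "Quasar Server CA"}}}}}]},
    {"ip": "198.51.100.5", "location": {"country": "Hong Kong"}, "services": [
        {"port": 5678, "tls": {"certificates": {"leaf_data": {"subject": {"common_name": "Quasar Server CA"}}}}},
        {"port": 22}]},  # non-TLS service on the same host, must not match
]

def shodan_hits(export_text):
    """Yield (ip, port, country) for banners whose leaf subject CN is the pivot value."""
    for line in filter(None, export_text.splitlines()):
        banner = json.loads(line)
        cn = banner.get("ssl", {}).get("cert", {}).get("subject", {}).get("CN")
        if cn == PIVOT_CN:
            yield banner["ip_str"], banner["port"], banner["location"]["country_name"]

def censys_hits(hosts):
    """Yield (ip, port, country) for every service presenting the pivot certificate."""
    for host in hosts:
        for svc in host["services"]:
            leaf = svc.get("tls", {}).get("certificates", {}).get("leaf_data", {})
            if leaf.get("subject", {}).get("common_name") == PIVOT_CN:
                yield host["ip"], svc["port"], host["location"]["country"]

def build_watchlist(shodan_export, censys_hosts):
    """Merge both sources, deduplicating on ip:port so a host seen by both counts once."""
    seen = {}
    for ip, port, country in list(shodan_hits(shodan_export)) + list(censys_hits(censys_hosts)):
        seen[(ip, port)] = country
    watchlist = sorted(f"{ip}:{port}" for ip, port in seen)
    return watchlist, Counter(seen.values()), Counter(port for _, port in seen)
```

Hosts whose certificate CN differs and services without TLS are dropped, so the watchlist only carries endpoints that actually presented the pivot certificate.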


So it turns out malware analysis can get far more interesting than just C2 extraction. With minimal additional analysis, you can pivot to additional C2 infrastructure.

It's possible that some of these servers are not "malicious" per se, but I see no valid reason for using a Quasar certificate for communications. I'll assume they are all malware until notified otherwise.

Complete List of Quasar Infrastructure

The complete list of 64 Quasar servers.

services.tls.certificates.leaf_data.subject.common_name: "Quasar Server CA"

Complete List with Port Numbers