Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration

Khushal

Apr 4, 2024
In the second part of our “Advent of Configuration Extraction” series, SEKOIA unwraps QuasarRAT, a popular .NET remote access trojan (RAT), and shows how to extract its encrypted configuration out of the binary. The article begins by detailing the environment: Jupyter Notebook, pythonnet, dnSpy and friends—so every step is reproducible. Next, it presents the construction of a Python-based extractor for a clean QuasarRAT sample, then extends the approach to handle an obfuscated build.


This is a very nice, practical walkthrough for anyone interested in .NET malware analysis and config extraction.

Key points from the article
  • Uses a fully reproducible lab stack: Jupyter Notebook + pythonnet to drive the .NET runtime from Python, plus dnSpy (or similar) for decompiling and navigation.
  • Shows how to locate QuasarRAT’s configuration data and decryption logic inside a “clean” (unobfuscated) sample.
  • Builds a Python-based extractor that:
    • Loads the QuasarRAT assembly via pythonnet
    • Invokes the same .NET methods the malware uses to decrypt its config
    • Prints out the C2 info and other configuration fields in a readable way
  • Then extends the same approach to an obfuscated build:
    • Identifying where the config and crypto routines ended up after obfuscation
    • Adapting the extractor so it still calls into the right .NET methods / classes
    • Demonstrating that you don’t necessarily need to fully deobfuscate—just enough to reach the config routine.

Why it’s useful for MalwareTips members
  • Shows a clean workflow for automating configuration extraction from .NET RATs (not just QuasarRAT).
  • Good introduction to mixing static analysis (dnSpy) with “white-box” dynamic execution (pythonnet calling the malware’s own decryption code).
  • The Jupyter approach makes it easy to reuse and adapt the code for other families or future Quasar variants.

Practical notes
  • Always work in an isolated lab/VM with networking tightly controlled before loading or executing any malware samples, even via pythonnet.
  • If someone wants to replicate this but is new to .NET RE, starting with an unobfuscated Quasar builder/sample is much easier, then moving on to the obfuscated one as shown in the article.

Nice find for anyone wanting to get into real-world config extraction rather than just reading theory.
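An added example, not SEKOIA's code nor anything from the article, of the "call the malware's own decryptor" idea carried into the obfuscated case: candidate methods are chosen by signature shape rather than by name and confirmed by running them on the config's own field values. The dataclasses, the assumption that the config is one class of static string fields (as in public QuasarRAT sources), and the `invoke` callable that would wrap pythonnet's `MethodInfo.Invoke` in a real run are all mine.

```python
"""Shape-based location of QuasarRAT's config class and decrypt routine.

Assumptions (from public QuasarRAT sources, not the article): the config is
a class of static string fields, and the decryptor is a method that takes
one or two strings and returns a string. After obfuscation the names are
meaningless, so candidates are picked by signature shape and confirmed by
running them on the config's own field values.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

STR = "System.String"


@dataclass
class Method:
    owner: str            # declaring type's full name
    name: str
    params: List[str]     # parameter type full names, as reflection reports them
    ret: str              # return type full name


@dataclass
class Type:
    name: str
    static_strings: Dict[str, str]   # static string field name -> current value
    methods: List[Method] = field(default_factory=list)


def config_class(types: List[Type]) -> Type:
    """The settings holder is the type with the most static string fields."""
    return max(types, key=lambda t: len(t.static_strings))


def decrypt_candidates(types: List[Type]) -> List[Method]:
    """Methods shaped like `string Decrypt(string[, string])`, whatever they are named."""
    return [m for t in types for m in t.methods
            if m.ret == STR and 1 <= len(m.params) <= 2
            and all(p == STR for p in m.params)]


def looks_like_plaintext(s: Optional[str]) -> bool:
    """Decrypted config fields (hosts, version, mutex, ...) are printable ASCII."""
    return bool(s) and all(32 <= ord(c) < 127 for c in s)


Invoker = Callable[[Method, str], Optional[str]]   # wraps MethodInfo.Invoke; None on error


def extract_config(types: List[Type], invoke: Invoker) -> Optional[Tuple[Method, Dict[str, str]]]:
    """Run every candidate on the config's non-empty field values; the first
    one that turns all of them into printable text is the decryptor."""
    cfg = config_class(types)
    enc = {k: v for k, v in cfg.static_strings.items() if v}
    for m in decrypt_candidates(types):
        dec = {k: invoke(m, v) for k, v in enc.items()}
        if enc and all(looks_like_plaintext(v) for v in dec.values()):
            return m, dec
    return None
```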