search

Technical Analysis of a Multi‑Stage Batch Loader Delivering QuasarRAT

Nov 30, 2025

hashtag
Executive Summary

A batch script circulating on X shared by the user @smica83arrow-up-right and described as a “fully undetectable” sample originating from Algeria was obtained and subjected to a multi‑stage analysis. The script was heavily obfuscated and unusually large for a batch file (~2 MB), containing an embedded Base64 payload that decrypted into two additional executables.

The infection chain consists of three stages:

  • Stage 0 (Batch Script): Deobfuscates and executes a PowerShell loader, which decrypts and decompresses two embedded .NET payloads delivered via reflective loading.

  • Stage 1 (tmp-bstub.exe): A small, unobfuscated .NET binary responsible solely for implementing a hardware‑breakpoint‑based AMSI bypass.

  • Stage 2 (tmp_stub.exe): A packed .NET loader featuring EDR unhooking, ETW patching, AV‑specific bypass logic, dual persistence mechanisms (Startup VBS + Registry Run key), and in‑memory decryption/loading of the final payload.

  • Stage 3 (payload.exe): Identified via YARA as QuasarRAT, a widely abused open‑source RAT providing remote control, surveillance, data theft, credential extraction, command execution, and full system management capabilities. This sample connects to 160.187.1.213:4782, an IP registered in Hanoi City, Vietnam.

Overall, the sample demonstrates a layered execution chain with multiple evasion mechanisms, culminating in a fully functional remote access trojan.

hashtag
Infection Chain

hashtag
Key Findings

Fully Undetectable Batch Loader Identified

  • A large, heavily obfuscated batch script was discovered circulating online. Despite appearing as junk data, it concealed a multistage malware loader capable of executing PowerShell code and embedded payloads entirely in memory.

Multi‑Stage Malware Chain The malware operates through four distinct stages, each responsible for a different part of the infection process:

  • Stage 0: Obfuscated batch script acting as the initial dropper

  • Stage 1: AMSI bypass component

  • Stage 2: Unhooker, persistence engine, and payload loader

  • Stage 3: Final payload (QuasarRAT)

  • Advanced Defensive Evasion Techniques The malware incorporates several sophisticated evasion strategies:

    • Hardware‑breakpoint‑based AMSI bypass

      • DLL unhooking to remove EDR/AV user‑mode hooks

      • ETW (Event Tracing for Windows) patching, disabling telemetry

      • AV‑specific detection logic with fallback bypass routines

  • Dual Persistence Mechanisms The loader establishes two independent persistence methods:

    • Startup folder VBS launcher

    • Registry Run key executing a hidden VBS script This ensures the malware survives reboots and attempts at removal.

  • In‑Memory Payload Decryption and Execution The stage 2 loader decrypts an embedded resource using hardcoded AES parameters, decompresses it, and loads it reflectively in memory, avoiding disk‑based detection.

  • Final Payload Identified as QuasarRAT YARA detection confirms the final binary is QuasarRAT, a well‑known open‑source RAT frequently abused in cybercrime. It provides extensive remote‑control capabilities including:

    • Keylogging, screen capture, file operations

    • Credential theft

    • Remote shell execution

    • Webcam/audio capture

    • System profiling and process control

  • Active Command‑and‑Control Server Detected The sample communicates with a live C2 endpoint at: 160.187.1.213:4782 The IP belongs to infrastructure located in Hanoi, Vietnam, suggesting the attacker is leveraging Vietnamese hosting services.

hashtag
Technical Analysis

hashtag
Stage 0- crypted942636.txt

The file is unusually large for a batch script (~2 MB). Most of the content consists of junk data, primarily lines beginning with ::: a common batch‑scripting comment style.

After extensive deobfuscation (several Python scripts plus manual cleanup), the script is shown to spawn a PowerShell process and pipe a second‑stage script into it. Even after cleanup, the PowerShell code retains some obfuscation (e.g., XOR‑based string reconstruction).

Huge Junk Code

One line in the junk block stands out: it is missing a semicolon and contains a significantly longer chunk of data. This appears intentional. Upon inspection, it is a large Base64‑encoded blob.

Huge Blob of Base64-encoded Data

Near the end of the script, heavy obfuscation is present.

Obfuscation

After extensive deobfuscation (several Python scripts plus manual cleanup), the script is shown to spawn a PowerShell process and pipe a second‑stage script into it. Even after cleanup, the PowerShell code retains some obfuscation (XOR‑based string reconstruction).

Obfuscated PowershellScript

After decoding all string obfuscation, the complete deobfuscated PowerShell script is provided below.

Deobfuscated Powershell Script.

PowerShell script performs the following actions:

  1. Reads the batch file it was executed from.

  2. Searches for the line containing the large Base64 blob.

  3. Splits the blob into two payloads using \\ as a delimiter.

  4. Base64‑decodes, AES‑decrypts, and decompresses both payloads.

  5. Loads both payloads reflectively (in‑memory .NET) and executes them.

I modified the script to dump both extracted payloads to disk for further analysis.

hashtag
Stage 1- tmp-bstub.exe

The first payload (tmp-bstub.exe) is small (~10.5 KB), not packed, and shows no signs of obfuscation.

die.exe

Static analysis with dnSpy reveals a call to Program.HardwareBreakpointAmsiPatch.Bypass(). This function implements an AMSI bypass using a hardware breakpoint–based hooking technique

Main()

The Bypass() function implements an AMSI bypass using a hardware-breakpoint-based hooking technique. It manually resolves module and function addresses, loads AMSI if not present, retrieves the address of AmsiScanBuffer, and sets up a modified CPU context to redirect execution to an internal handler method. This allows the malware to suppress AMSI scanning results without modifying AMSI’s code directly, providing a stealthier alternative to traditional inline patching.

Bypass()

This stage solely patches AMSI.

hashtag
Stage 2- tmp_stub.exe

Initial triage with Detect It Easy indicates that this binary is packed.

die.exe

Reviewing the Main() method shows that the executable performs several preparatory steps prior to loading the final payload. The first major operation is unhooking critical Windows DLLs to evade EDR monitoring.

Main()

The Unhook function does the following:-

  • Resolves Windows Api's manually to avoid using normal imports that security tools can easily monitor.

  • Checks process architecture so it can load the correct clean DLL copy (System32 vs SysWOW64).

  • Finds the loaded DLL in memory, which may have been hooked by EDR/AV to intercept sensitive calls.

  • Opens and memory-maps a clean on-disk version of the same DLL to obtain an unmodified reference copy.

  • Parses the PE header to locate the .text section, since this section contains executable code and is where security products typically place their user-mode hooks.

  • Uses VirtualProtect to make the in-memory .text writable, allowing the malware to overwrite security-installed hooks.

  • Copies the clean .text section over the hooked one using memcpy, effectively removing all user-mode monitoring hooks.

  • Restores original memory protections to reduce suspicion and avoid detection by integrity checks.

  • Closes file mappings and handles to leave minimal traces and fully complete the unhooking process.

Up-Next the binary performs targeted antivirus detection by inspecting loaded modules for known AV DLL names.

Detect and Bypass AV

AV Detection Mechanism (DetectAntivirus())

  • Iterates through Process.GetCurrentProcess().Modules.

  • Compares each module name against a hardcoded list of AV‑specific DLLs:

    • aswamsi.dll → Avast

    • atcuf64.dll → Bitdefender

    • (others also included viewable in the image)

If a match is found, the function returns the detected AV name, which is then used to choose a bypass routine.

DetectAntivirus()

Most AV cases fall back to the default bypass, which invokes PatchEDR(true, true);

ExecuteDefaultBypass()

  • The function PatchEDR() does the following:

    • Initially looks up ntdll.dll and resolves EtwEventWrite and NtTraceEvent, two functions used by Windows/EDR for event tracing.

    • It overwrites the first byte of each function with 0xC3 (RET), forcing them to immediately return.

    • This disables ETW event logging, reducing EDR visibility and helping the malware hide its activity.

PatchEDR()

After bypassing security controls, the malware sets up dual persistence.

It first validates three conditions:

  • Console title is not empty

  • The file exists on disk

  • The file is not already located within the designated startup folder

If all are met, the malware proceeds.

  1. Generates five random strings used for directory/file names.

  2. Constructs paths:

  3. If text8 does not exist, the malware creates it and sets it as hidden.

  4. Copies itself into this directory as a BAT file, marking the file hidden.

Copying itself to a bat file

The malware then builds:

  1. A VBS script in Startup folder:

  2. A second hidden VBS script in the hidden directory:

Both VBS scripts execute the BAT loader.

Startup Persistence

Then it achieves persistence by using the CurrentVersion\Run registry method, it adds a new entry with a random-name and a wscript.exe command which executes the C:\Users\<user>\AppData\Local\Microsoft\Windows\<random>\randomName.vbs

So Dual Persistence, ones from startup folder and ones from CurrentVersion\Run registry key.

Registry Based Persistence

Then the malware proceeds to get a embedded resource from its resource section named payload.exe which is then aes-decrypted with hardcoded base64 key and IV , then uncompressed/decompressed.

Checked on for many arguments to run the payload with, calls a custom method CallInternalCLRFunction("Load", typeof(Assembly)) to load the assembly from the byte array directly into memory (in-memory .NET reflectively loaded assembly)

Once loaded, it retrieves the assembly’s EntryPoint , tries to invoke with argments present, if it fails invokes without arguments.

As DetectItEasy indicated that it has modified .cctor i decided to take a look and there's a simple architecture check based on IntPtr.Size and initializes a CRYPT_ID this appears to be a “67 meme” reference, likely indicating a young or meme‑aware developer.

67.

I made a Python script to replicate the AES decryption and decompression process so the payload could be extracted manually as payload.exe.

hashtag
Stage 3- payload.exe

A preliminary inspection using Detect It Easy shows that payload.exe is packed, obfuscated, and contains multiple anti‑analysis techniques, indicating an effort to hinder static and dynamic analysis.

die.exe

Running the sample through YARA rules obtained from YaraHQ (YaraForge)arrow-up-right identifies the binary as QuasarRAT, a well‑known .NET‑based remote access trojan.

yara64.exe

QuasarRAT is an open‑source remote administration tool written in C#. While legitimate in origin, it has been widely adopted for malicious campaigns due to its robust feature set and modular architecture. Threat actors frequently deploy it to maintain long‑term remote control over compromised systems.

Communication & Control

  • Uses encrypted communication to avoid simple traffic inspection

  • Provides stable command-and-control with heartbeat checks

  • Supports managing multiple infected systems at once

Surveillance & Monitoring

  • Real-time remote desktop viewing and control

  • Screenshot capture on demand or at timed intervals

  • Keylogging for recording typed input

  • Clipboard monitoring to capture copied text

Camera & Audio Capture

  • Webcam snapshot capture

  • Low-frame-rate stealth video capture (variant-dependent)

  • Microphone audio recording for room surveillance

File System Operations

  • Browsing of files and directories

  • Uploading and downloading files in compressed form

  • Silent deletion, modification, renaming, or execution of files

Credential & Data Extraction

  • Extracts saved browser passwords and cookies

  • Retrieves stored Wi-Fi credentials

  • Reads certain Windows credential store items

  • Collects session details useful for privilege escalation

System Profiling & Control

  • Gathers full hardware and OS profiling information

  • Identifies installed software and domain/AD details

  • Enumerates running processes and services

  • Allows starting or terminating processes

  • Can reboot, shut down, or lock the system

Command Execution & Registry Interaction

  • Built-in remote command shell for executing arbitrary commands

  • Can run scripts or internal tools silently

  • Supports reading, editing, or deleting registry entries

The analyzed sample communicates with the following C2 endpoint 160.187.1.213:4782

This IP is registered in Hanoi City, Vietnam, suggesting the infrastructure provider is located there.

hashtag
IOC's

Indicator
Value

crypted942636.txt

5183a83563c0569ac61eafa420a434d4bee4ccc436e2e75f59c7167d86e251b6

tmp_bstub.exe

2b63e5934e1b1e61feea24adf54e1b5ecb8d9be264d9d66c7db838e2265bfc3e

tmp_stub.exe

e2e1dd34b3fadd7c003dfadce1b1fdbc72be74b5234429f015306567f835b38e

payload.exe

04ebb06a463cfbc77e30de37ae1fc28fb61bab147d8cc90ad8f6158830f46b78

QuasarRat Server IP & Port

160.187.1.213:4782

PreviousSilverFox APT Campaign Targeting Chinese-Speaking Users via Trojanized WPS Office InstallerNextInvestigation of Turkish-Sourced EagleRAT and AsyncRAT Malware Activity

Last updated