Technical blog by Stephan Berger (@malmoeb)

dfir.ch

This technical guide demonstrates how to detect and hunt AsyncRAT and QuasarRAT infections in enterprise environments. It covers multiple detection methods including identifying default C2 ports (6606, 7707, 8808 for AsyncRAT; 4782 for QuasarRAT), hunting for persistence mechanisms through scheduled tasks and registry run keys, detecting mutex patterns, and analyzing dropped DLL files. The guide includes practical examples using Velociraptor for threat hunting, regex patterns for mutex detection, and analysis of real-world samples from ThreatFox. It emphasizes that many attackers use default configurations, making these RATs detectable despite being well-known threats.

Hunting AsyncRAT & QuasarRAT