QuasarRecovery is a read-only configuration recovery tool for built Quasar client binaries.
It parses a .NET executable with dnlib, locates the obfuscated Quasar Settings class, extracts encrypted configuration fields, and decrypts them using Quasar’s AES-256 configuration encryption format.
- Read-only static analysis
- Does not execute the selected binary
- Supports obfuscated Quasar client builds
- Extracts raw encrypted config values
- Decrypts Quasar AES-256 protected settings
- Recovers hosts/IP and port
- Recovers version, tag, mutex, install name, startup key, and log directory
- Detects embedded server certificate field
- Exports recovered results as JSON
Recovered fields:
- Hosts / C2 address
- Version
- Reconnect delay
- Install directory
- Install filename
- Mutex
- Startup key
- Tag
- Log directory name
- Install enabled
- Startup enabled
- Logger enabled
- Hide file
- Hide log directory
- Hide install subdirectory
- Unattended mode
- Encryption key
- Server signature, raw/encrypted
- Server certificate, raw/encrypted
Quasar stores most client configuration values as encrypted Base64 strings.
QuasarRecovery finds the encrypted values inside the binary, identifies the SHA1-like encryption key, then uses the same AES-256 + HMAC-SHA256 format used by Quasar to decrypt the configuration.
Encrypted format:
[ HMAC-SHA256 | IV | AES-CBC ciphertext ]
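
The layout above can be checked before any decryption is attempted. This is an added example, not QuasarRecovery's own code: it splits a Base64 value into the three fields and verifies the tag. It assumes the tag covers IV plus ciphertext and that the HMAC key has already been derived from the recovered encryption key; the function names and sample values are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
from typing import NamedTuple, Optional

HMAC_LEN = 32  # HMAC-SHA256 tag length
IV_LEN = 16    # AES-CBC IV length (one AES block)
BLOCK = 16     # AES block size; CBC ciphertext is a whole number of blocks

class Blob(NamedTuple):
    tag: bytes
    iv: bytes
    ciphertext: bytes

def split_blob(value: str) -> Optional[Blob]:
    """Split a Base64 string into (tag, IV, ciphertext), or None if the shape is wrong."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    body = len(raw) - HMAC_LEN - IV_LEN
    if body < BLOCK or body % BLOCK:
        return None  # too short, or ciphertext is not block-aligned
    return Blob(raw[:HMAC_LEN], raw[HMAC_LEN:HMAC_LEN + IV_LEN], raw[HMAC_LEN + IV_LEN:])

def tag_matches(blob: Blob, auth_key: bytes) -> bool:
    """Assumption: the tag authenticates IV || ciphertext (encrypt-then-MAC)."""
    expected = hmac.new(auth_key, blob.iv + blob.ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob.tag)

def triage(value: str, auth_key: bytes) -> str:
    """Classify one string pulled from a binary before attempting decryption."""
    blob = split_blob(value)
    if blob is None:
        return "not-blob"
    return "authentic" if tag_matches(blob, auth_key) else "bad-tag"

def make_sample(auth_key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Build a constructed blob in the documented layout (test data only)."""
    tag = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + ciphertext).decode("ascii")

if __name__ == "__main__":
    key = b"constructed-auth-key"  # placeholder, not a real derived key
    good = make_sample(key, bytes(16), bytes(range(32)))
    wrong = make_sample(b"other-key", bytes(16), bytes(range(32)))
    for s in (good, wrong, "Office04", "1.4.1"):
        print(f"{triage(s, key):10} {s[:24]}")
```

A value that classifies as `bad-tag` points to a wrong key or a damaged string and should not be passed on to AES decryption.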