Severity: medium   Category: Phishing

DollRAT / "Lilly's RAT V8" — QuasarRAT Custom Variant with ngrok C2 Tunneling

Investigated: March 14, 2026   Published: March 14, 2026
Tags: phishing, quasarrat, social-engineering, c2, apt

Classification: Remote Access Trojan (RAT)
Family:         QuasarRAT v1.4.1 (custom build)
First Seen:     2026-03-14 11:08:58 UTC
Threat Level:   HIGH
C2 Status:      ACTIVE at time of analysis


Executive Summary

DollRAT (internally named "Lilly's RAT V8" by its developer "C.U.M Software Inc.") is a full-featured Remote Access Trojan built on the open-source QuasarRAT v1.4.1 framework with significant modifications:

  1. Custom branding and obfuscation: The binary is protected with ConfuserEx, making static analysis difficult. Type names are replaced with Unicode garbage characters.
  2. ngrok-tunneled C2: The malware operator routes all C2 traffic through ngrok's TCP tunneling service (0.tcp.eu.ngrok.io:18107), effectively hiding their real IP behind AWS Frankfurt infrastructure. The C2 port was confirmed LIVE during analysis.
  3. Comprehensive credential harvesting: Targets 8 browsers, FileZilla, WinSCP, and Internet Explorer credential storage.
  4. Keylogging with HTML exfiltration: Captures keystrokes with window context and saves as HTML-formatted logs.
  5. ConfuserEx obfuscation: C2 host/port strings are encrypted at runtime using ConfuserEx string protection, making static extraction of the C2 address impossible without emulation.

The sample was submitted to malware repositories as "DollRAT.exe" by reporter "burger403" on the same day it was first seen, suggesting this is a fresh deployment or newly built sample.


Sample Metadata

SHA256:         58a901e3e5abc71192df4ae0f8e2928de0a3c1f2ee438f39c75142967f6ffc1f
SHA1:           9061a2bf539ab290b9bfdabafba82ea9849361e9
MD5:            ba198835c37707d77ed34a5265ac958d
File Type:      PE32 executable (GUI) Intel 80386 Mono/.Net assembly
File Size:      3,365,376 bytes (3.2 MB)
First Seen:     2026-03-14 11:08:58 UTC
Reporter:       burger403
Tags:           exe, QuasarRAT
VT Detections:  ~51% (MSIL_Troj.BTX.gen)
Threat Score:   100/100 (Hybrid Analysis)

Static Analysis

PE Header and Structure

Machine:    0x014C (Intel 80386)
Sections:   3 (.text, .rsrc, .reloc)
PE Type:    PE32 (32-bit)
Subsystem:  GUI (Windows application)
CLR Header: Present (.NET assembly)
CLR Version: v4.0.30319
.NET Framework Target: 4.5.2

Assembly Information

Assembly Name:    Client
Assembly Version: 1.4.1.0
Module Name:      Client
Module GUID (MVID): 60f5dce2-4de4-4c86-aa69-383ebe2f504c

Version Resource (PE Resources)

ProductName:     Lilly's RAT V8
CompanyName:     C.U.M Software Inc.
InternalName:    win_d0ll_tool
FileVersion:     1.0.0.10
ProductVersion:  1.0.0.10

This custom branding is embedded in the PE .rsrc section, revealing the threat actor's self-assigned product name and the tool's lineage ("V8" implies prior versions).

.NET Dependencies (ILRepack-merged)

The binary uses ILRepack to merge multiple assemblies into a single PE:

Assembly                  Version     Purpose
Client (QuasarRAT)        1.4.1.0     Core RAT functionality
Quasar.Common             1.4.1.0     Shared RAT data structures
BouncyCastle.Crypto       1.9.0.0     AES-256/RSA-2048 encryption
protobuf-net              2.4.0.0     Protocol serialization
Gma.System.MouseKeyHook   5.6.130.0   Keylogger hook

Obfuscation Analysis

The binary is protected with ConfuserEx with the following protections applied:

  • Name Obfuscation: TypeDef names replaced with Unicode garbage characters (e.g., ♨랺ᘊﹿ༪ꌡ弲鮨恼棻ꓼ) while method logic is preserved
  • String Protection: C2 host, port, mutex, installation path, and other configuration strings are encrypted using XOR/AES with a key derived from the module token. These strings are decrypted at runtime only.
  • Result: The C2 host/port cannot be extracted statically; behavioral analysis (sandbox) is required. The C2 was identified through sandbox execution records from Hybrid Analysis.

Embedded Cryptographic Material

These values were extracted from the .NET #US (User String) heap:

AES-256 Session Key (base64, 96 bytes decoded):

fUx/kVA9+VH0kO3UloqruNEJDaN7kXthBirHCNCZ0WXpTGsukl7x4dnx8kLaXONeNUDpez
JogG1aYnlOIYHrs2w8jW0Z0bEPegYCIsq4thXARo+dRK+K9v1kB15oQc8W

RSA-2048 Public Key (base64, truncated):

pEYsQkbGd+Q/oh6rpMcMXpQSV1PzuPO74TRRPn31OAC6n/5li5OKJAp9HPOpRX+D/WOa6
92Y1N+moqbE2xvV506Eb5cy8LUCHdm5ZVtTBWoOz46r3uSslz+4DjbCB9eBlrn2E6WyNP
q5ZtwtbPkcBN4Fzg2uLGP1+FOoZEO1cUjOGeOZNeOmotHrnI/wsvO+1cu7WYu7Bwp9whV8
[...2348+ chars]

SHA1 Authentication String:

9A9909A14961BFE37DFE367EC55D07462B620E32

This is the SHA1 hash of the AES key, used in the Quasar RAT handshake for server authentication.


Capabilities

Credential Harvesting

Web Browsers (Chromium-based):

  • Google Chrome: Google\Chrome\User Data\Default\Login Data
  • Microsoft Edge: Microsoft\Edge\User Data\Default\Login Data
  • Brave: BraveSoftware\Brave-Browser\User Data\Default\Login Data
  • Opera: Opera Software\Opera Stable\Login Data
  • Opera GX: Opera Software\Opera GX Stable\Login Data
  • Yandex: Yandex\YandexBrowser\User Data\Default\Ya Passman Data

Web Browsers (Gecko-based):

  • Mozilla Firefox: Mozilla\Firefox\Profiles\ — reads logins.json and signons.sqlite
    • Uses mozglue.dll + nss3.dll for NSS decryption (NSS_Init, PK11SDR_Decrypt)

Legacy Browsers:

  • Internet Explorer: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

FTP/SFTP Clients:

  • FileZilla: {AppData}\FileZilla\recentservers.xml, sitemanager.xml
  • WinSCP: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions (registry)

Keylogger

  • Hook type: Global Windows keyboard hook via Gma.System.MouseKeyHook
  • Log format: HTML file with window titles, timestamps, and keystrokes
  • Timestamps: UTC-based, formatted as yyyy-MM-dd
  • Special keys recorded: Return, Escape, Control, Shift, Alt, Win, Menu
  • Log prefix template: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on [date] UTC
  • URL logging: Records visited URLs via Visited Website events

Remote Control Features

Feature           Description
Remote Shell      cmd.exe sessions (/k START "" "<path>" & EXIT)
File Manager      Upload, download, delete, rename files/directories
Remote Desktop    Screen capture and streaming
Registry Editor   Full HKLM/HKCU/HKCR/HKU/HKCC registry access
Process Manager   List/kill processes, launch new processes
Startup Manager   Add/remove autostart entries
Reverse Proxy     TCP tunneling through victim machine
System Power      Shutdown (/s /t 0), Restart (/r /t 0)
Elevation         UAC bypass attempts via runas verb

Geolocation & Reconnaissance

On first connection, the client gathers:

WMI queries:
  SELECT * FROM Win32_OperatingSystem
  SELECT * FROM Win32_Processor
  SELECT Caption FROM Win32_OperatingSystem
  SELECT * FROM Win32_BIOS
  SELECT * FROM Win32_BaseBoard
  SELECT * FROM Win32_DisplayConfiguration
  Select * From Win32_ComputerSystem
  SELECT * FROM AntivirusProduct (root\SecurityCenter2)
  SELECT * FROM FirewallProduct (root\SecurityCenter2)

IP geolocation APIs:
  https://ipwho.is/ — returns hostname, country, country_code, continent_code, timezone
  https://api.ipify.org/ — WAN IP address

Data reported to C2:
  Username, PC Name, Domain Name, Host Name
  System Drive, System Directory, OS Version
  CPU, RAM, GPU
  MAC Address, LAN IP, WAN IP, ASN, ISP
  Country, Time Zone, Uptime
  Antivirus product, Firewall product
  PID of running client process

Infection Chain / Kill Chain

[Delivery]
    └─→ DollRAT.exe delivered to victim (method unknown; likely phishing/social engineering)

[Execution]
    └─→ Victim runs DollRAT.exe
        └─→ .NET CLR loads the merged ILRepack assembly
            └─→ ConfuserEx decryption stub runs: decrypts C2 host/port from encrypted memory
            └─→ Client module initializes with hardcoded AES/RSA keys

[Persistence]
    └─→ Writes copy to install path (encrypted in binary)
    └─→ Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    └─→ Scheduled task: schtasks /create /tn "<name>" /sc ONLOGON /rl HIGHEST /f
    └─→ Optionally sets Zone.Identifier ADS to bypass security warnings

[C2 Beaconing]
    └─→ Resolves C2: 0.tcp.eu.ngrok.io → AWS Frankfurt IPs
    └─→ Connects to port 18107 via TCP
        └─→ RSA-2048 key exchange using embedded public key
        └─→ AES-256 encrypted channel established
        └─→ Authentication using SHA1 string: 9A9909A14961BFE37DFE367EC55D07462B620E32

[Collection]
    └─→ System fingerprinting (WMI + geolocation APIs)
    └─→ Keylogger activated (global hook)
    └─→ Browser credential dump
    └─→ FTP client credential dump

[Exfiltration]
    └─→ All collected data sent over AES-256 encrypted channel to ngrok C2

[Operator Control]
    └─→ Attacker issues commands via Quasar RAT server UI
    └─→ Full remote desktop, shell access, file transfer

Behavioral Analysis (Inferred from Static + OSINT)

The malware implements the standard Quasar RAT v1.4.1 protocol:

  1. Network transport: Custom binary protocol over TCP, messages prefixed with length header
  2. Encryption: RSA-2048 for key exchange; AES-256-GCM for session traffic
  3. Authentication: SHA1 of AES key presented during handshake
  4. Reconnect: Automatic reconnection on disconnect (configurable delay)
  5. Anti-double-instance: Mutex check prevents multiple instances (name encrypted by ConfuserEx)
  6. Elevation: Attempts to re-launch as administrator via runas

Sandbox-observed network indicators (Hybrid Analysis):

  • Connected to 0.tcp.eu.ngrok.io on port 18107
  • Contacted IP 3.71.225.231 (AWS Frankfurt, ngrok EU infrastructure)
  • Contacted IP 18.153.198.123 (AWS Frankfurt, ngrok EU infrastructure)

Network Indicators

C2 Infrastructure

Indicator                 Type          Details                                       Status
0.tcp.eu.ngrok.io:18107   C2 endpoint   ngrok TCP tunnel, primary C2                  ACTIVE at analysis time
3.71.225.231              IPv4          AWS EC2, Frankfurt DE, AS16509, port 18107    Active
18.153.198.123            IPv4          AWS EC2, Frankfurt DE, AS16509                Active
52.57.120.10              IPv4          AWS EC2, Frankfurt DE, AS16509 (ngrok)        Passive
18.192.31.30              IPv4          AWS EC2, Frankfurt DE, AS16509 (ngrok)        Passive
3.78.28.71                IPv4          AWS EC2, Frankfurt DE, AS16509 (ngrok)        Passive
3.74.27.83                IPv4          AWS EC2, Frankfurt DE, AS16509 (ngrok)        Passive
https://ipwho.is/         URL           Geolocation lookup                            Legitimate service abused
https://api.ipify.org/    URL           WAN IP lookup                                 Legitimate service abused

ngrok Infrastructure Details

Service: ngrok TCP tunneling (eu.ngrok.io region)
Cloud:   Amazon AWS, EU-Central-1 (Frankfurt, Germany)
ASN:     AS16509 (Amazon.com, Inc.)
Org:     A100 ROW GmbH (AWS reseller)
Port:    18107 (dynamically assigned ngrok port)

0.tcp.eu.ngrok.io resolves to (round-robin):
  3.71.225.231
  18.153.198.123
  52.57.120.10
  18.192.31.30
  3.78.28.71
  3.74.27.83

Note: The ngrok TCP tunnel hides the attacker's real IP address. All IPs above belong to ngrok's AWS infrastructure, not the threat actor.


MITRE ATT&CK TTPs

Technique ID  Technique                                 Sub-technique                         Notes
T1547.001     Boot or Logon Autostart Execution         Registry Run Keys / Startup Folder    HKCU\Run, HKLM\Run
T1053.005     Scheduled Task/Job                        Scheduled Task                        ONLOGON trigger, HIGHEST privilege
T1059.003     Command and Scripting Interpreter         Windows Command Shell                 cmd.exe sessions
T1056.001     Input Capture                             Keylogging                            Gma.System.MouseKeyHook global hook
T1113         Screen Capture                            -                                     Remote desktop module
T1555.003     Credentials from Password Stores          Credentials from Web Browsers         Chrome, Firefox, Edge, Opera, Brave, Yandex, IE
T1552.001     Unsecured Credentials                     Credentials in Files                  FileZilla recentservers.xml, WinSCP registry
T1573.002     Encrypted Channel                         Asymmetric Cryptography               RSA-2048 key exchange + AES-256 session
T1571         Non-Standard Port                         -                                     Port 18107 via ngrok
T1090.001     Proxy                                     Internal Proxy                        Reverse proxy module
T1090.004     Proxy                                     Domain Fronting                       ngrok tunnel hides true C2 destination
T1027.002     Obfuscated Files or Information           Software Packing                      ConfuserEx protection
T1027.005     Obfuscated Files or Information           Indicator Removal from Tools          String encryption removes IOCs
T1012         Query Registry                            -                                     Registry editor, credential harvesting
T1082         System Information Discovery              -                                     WMI queries for hardware/OS
T1016         System Network Configuration Discovery    -                                     LAN IP, MAC address, network adapter
T1033         System Owner/User Discovery               -                                     Username, PC name, domain
T1057         Process Discovery                         -                                     Process manager feature
T1083         File and Directory Discovery              -                                     File manager
T1614         System Location Discovery                 -                                     Geolocation via ipwho.is
T1041         Exfiltration Over C2 Channel              -                                     All data exfiltrated through encrypted C2
T1134.001     Access Token Manipulation                 Token Impersonation/Theft             Elevation via runas
T1548.002     Abuse Elevation Control Mechanism         Bypass User Account Control           Requests elevation for higher privilege

IOCs

File Indicators

SHA256:         58a901e3e5abc71192df4ae0f8e2928de0a3c1f2ee438f39c75142967f6ffc1f
SHA1:           9061a2bf539ab290b9bfdabafba82ea9849361e9
MD5:            ba198835c37707d77ed34a5265ac958d
Filename:       DollRAT.exe
Product Name:   Lilly's RAT V8
Company Name:   C.U.M Software Inc.
Internal Name:  win_d0ll_tool
File Size:      3,365,376 bytes

Network Indicators

Type     Value                    Notes
Domain   0.tcp.eu.ngrok.io        C2 endpoint domain
Port     18107                    C2 port (ngrok-assigned)
IP       3.71.225.231             ngrok EU (AWS Frankfurt)
IP       18.153.198.123           ngrok EU (AWS Frankfurt)
URL      https://ipwho.is/        Victim geolocation
URL      https://api.ipify.org/   WAN IP discovery

Cryptographic Indicators

AES Key (b64):       fUx/kVA9+VH0kO3UloqruNEJDaN7kXthBirHCNCZ0WXpTGsukl7x4dnx8kLaXONeNUDpezJogG1aYnlOIYHrs2w8jW0Z0bEPegYCIsq4thXARo+dRK+K9v1kB15oQc8W
Auth String (SHA1):  9A9909A14961BFE37DFE367EC55D07462B620E32
Module GUID:         60f5dce2-4de4-4c86-aa69-383ebe2f504c

Registry Indicators

Key                                                                      Notes
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<name>                Persistence
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<name>                Persistence
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\<name>            Persistence
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\<name>    Persistence (32-bit on 64-bit)
SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions                             WinSCP credential target
Software\Microsoft\Internet Explorer\IntelliForms\Storage2               IE credential target

User-Agent Strings

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0

Campaign Context & Attribution

Threat Actor Assessment

Confidence: LOW-MEDIUM

  • Actor Name: Unknown; self-identified as "Lilly" (product name) and "C.U.M Software Inc." (company name in PE metadata)
  • Tool Version: "V8" — implies at least 7 prior versions or iterations, suggesting an experienced developer with ongoing development
  • Attribution Signals:
    • PE metadata strings ("C.U.M Software Inc.") are characteristic of underground crimeware developers who use humor/provocation in their tool metadata
    • Use of ngrok for C2 evasion is a common technique among commodity RAT operators and less-sophisticated actors
    • No public presence found for the tool name, author, or reporter (burger403)
    • Sample appears to be a fresh build (same-day submission and first-seen date)

OPSEC Assessment: MODERATE

The operator uses ngrok to conceal their true C2 IP address, which is a deliberate OPSEC measure. However, they left identifiable metadata in the PE resource section ("Lilly's RAT V8", "win_d0ll_tool") which provides attribution anchors.

  • No previously known related samples were found in public repositories
  • The "V8" designation and the use of the QuasarRAT framework suggest ongoing development
  • The ngrok port 18107 was ACTIVE at analysis time, indicating an active campaign

Infrastructure Assessment

The attacker uses ngrok to tunnel C2 traffic:

[Attacker Machine] → [ngrok client] → [ngrok.io servers (AWS Frankfurt)] → [ngrok DNS: 0.tcp.eu.ngrok.io:18107]
                                                                                        ↑
                                                                              [Victim connects here]

This architecture means:

  1. The attacker's real IP is never exposed to victims
  2. ngrok provides TLS between victim and ngrok servers (though the Quasar protocol adds its own AES-256 layer)
  3. The ngrok port (18107) can be changed by simply restarting the ngrok tunnel

Infrastructure Map

 VICTIM MACHINE
      │
      │ TCP:18107
      ▼
 0.tcp.eu.ngrok.io
 ┌────────────────────────────────────────┐
 │  ngrok EU Region (AWS Frankfurt)       │
 │  3.71.225.231  (AS16509, DE)          │
 │  18.153.198.123 (AS16509, DE)         │
 │  52.57.120.10   (AS16509, DE)         │
 │  18.192.31.30   (AS16509, DE)         │
 │  3.78.28.71     (AS16509, DE)         │
 │  3.74.27.83     (AS16509, DE)         │
 └────────────────────┬───────────────────┘
                      │ ngrok tunnel
                      ▼
           ATTACKER'S MACHINE (IP unknown)
           Running: QuasarRAT server ("Lilly's RAT V8" server)
           Port: local port forwarded through ngrok

Detection Guidance

Behavioral Detection

  1. Process: Look for .NET processes making TCP connections to *.ngrok.io domains
  2. Registry: Monitor for new entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run created by unknown executables
  3. Network: Alert on any internal hosts connecting to *.ngrok.io on non-standard ports (not 80/443)
  4. Scheduled Task: Monitor schtasks /create with /rl HIGHEST and /sc ONLOGON parameters
  5. File: Monitor for new executables in %AppData%, %LocalAppData%, or %ProgramFiles% subdirectories created by downloaded files

File-based Detection

  • Product name string: Lilly's RAT V8
  • Company name string: C.U.M Software Inc.
  • Internal name: win_d0ll_tool
  • SHA256: 58a901e3e5abc71192df4ae0f8e2928de0a3c1f2ee438f39c75142967f6ffc1f
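As an added defender-side example (not code from this report or from the sample), the following Python checks a file image for the file-based indicators listed above. It encodes the version-resource strings as UTF-16LE, which is how the PE VS_VERSIONINFO resource stores them, so a plain ASCII string search would miss them; the triage thresholds and the sample buffer at the bottom are this example's own constructions.

```python
import hashlib

# Indicators taken from the report's File-based Detection section.
DOLLRAT_SHA256 = "58a901e3e5abc71192df4ae0f8e2928de0a3c1f2ee438f39c75142967f6ffc1f"
VERSION_STRINGS = {
    "ProductName": "Lilly's RAT V8",
    "CompanyName": "C.U.M Software Inc.",
    "InternalName": "win_d0ll_tool",
}


def scan_bytes(data: bytes) -> dict:
    """Return which DollRAT file indicators are present in a raw file image."""
    return {
        "sha256_match": hashlib.sha256(data).hexdigest() == DOLLRAT_SHA256,
        # VS_VERSIONINFO strings live in .rsrc as UTF-16LE, so the search
        # must use that encoding; an ASCII grep of the same file finds nothing.
        "version_strings": sorted(
            field for field, value in VERSION_STRINGS.items()
            if value.encode("utf-16-le") in data
        ),
        # Fallback for tools that flatten resources, or for the same names
        # reappearing as plain text elsewhere (e.g. a dropped log or config).
        "ascii_strings": sorted(
            field for field, value in VERSION_STRINGS.items()
            if value.encode("ascii") in data
        ),
    }


def verdict(hits: dict) -> str:
    """Turn indicator hits into a triage verdict (thresholds chosen for this example)."""
    if hits["sha256_match"]:
        return "known DollRAT sample (hash match)"
    found = set(hits["version_strings"]) | set(hits["ascii_strings"])
    if len(found) >= 2:
        return "likely DollRAT variant (version-resource strings)"
    if found:
        return "weak match: review manually"
    return "no DollRAT indicators"


def constructed_sample() -> bytes:
    """Constructed stand-in for a PE image: an MZ stub followed by two of the
    version-resource strings encoded the way the .rsrc section stores them."""
    return (
        b"MZ" + b"\x00" * 62
        + VERSION_STRINGS["ProductName"].encode("utf-16-le") + b"\x00\x00"
        + VERSION_STRINGS["CompanyName"].encode("utf-16-le") + b"\x00\x00"
    )


if __name__ == "__main__":
    hits = scan_bytes(constructed_sample())
    print(hits, "->", verdict(hits))
```

To scan a real file, pass `open(path, "rb").read()` to `scan_bytes`; a hash match identifies this exact sample, while the string rules are meant to catch rebuilt variants that keep the same branding.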

Network-based Detection

  • Block/alert on outbound TCP connections to *.tcp.eu.ngrok.io
  • Alert on DNS queries for *.tcp.ngrok.io or *.ngrok.io from internal hosts
  • Monitor HTTP/HTTPS to ipwho.is and api.ipify.org from server-like processes
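As an added example (not the report's own tooling), the following Python applies the Behavioral Detection and Network-based Detection guidance above to constructed endpoint telemetry in a simple pipe-delimited form, timestamp|event_type|process|target|port, and serves both lists. The browser allowlist used by the geolocation rule and the telemetry format are assumptions of this example.

```python
import re

NGROK_SUFFIX = ".ngrok.io"                 # covers 0.tcp.eu.ngrok.io and siblings
GEO_HOSTS = {"ipwho.is", "api.ipify.org"}  # lookups the client makes on first connect
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Processes that legitimately reach geolocation services; anything else is
# treated as "server-like". This allowlist is an assumption of the example.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Constructed telemetry modelled on the sandbox observations in the report.
# Format: timestamp|event_type|process|target|port
EVENTS = [
    "2026-03-14T11:09:02Z|DnsQuery|DollRAT.exe|0.tcp.eu.ngrok.io|",
    "2026-03-14T11:09:03Z|NetworkConnect|DollRAT.exe|0.tcp.eu.ngrok.io|18107",
    '2026-03-14T11:09:12Z|ProcessCreate|cmd.exe|schtasks /create /tn "Updater" /sc ONLOGON /rl HIGHEST /f|',
    "2026-03-14T11:09:15Z|RegistryValueSet|DollRAT.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|",
    "2026-03-14T11:10:00Z|NetworkConnect|chrome.exe|www.example.com|443",
    "2026-03-14T11:10:05Z|NetworkConnect|svchost.exe|ipwho.is|443",
]


def classify(line: str) -> list:
    """Return the names of the detection rules one telemetry line triggers."""
    _ts, event, proc, target, port = line.split("|", 4)
    host, rules = target.lower(), []
    if event == "NetworkConnect":
        if ".tcp." in host and host.endswith(NGROK_SUFFIX):
            rules.append("ngrok-tcp-tunnel")          # *.tcp.*.ngrok.io: alert on any port
        elif host.endswith(NGROK_SUFFIX) and port not in ("80", "443"):
            rules.append("ngrok-nonstandard-port")    # other ngrok hosts: only off 80/443
        if host in GEO_HOSTS and proc.lower() not in BROWSERS:
            rules.append("geolocation-lookup-nonbrowser")
    elif event == "DnsQuery" and host.endswith(NGROK_SUFFIX):
        rules.append("ngrok-dns-query")
    elif event == "ProcessCreate":
        cmd = target.lower()
        if all(tok in cmd for tok in ("schtasks", "/create", "/sc onlogon", "/rl highest")):
            rules.append("schtasks-onlogon-highest")
    elif event == "RegistryValueSet" and RUN_KEY_RE.search(target):
        rules.append("run-key-persistence")
    return rules


def scan(lines) -> list:
    """Return (timestamp, process, rule) for every line that fires a rule."""
    hits = []
    for line in lines:
        ts, _event, proc = line.split("|", 3)[:3]
        hits.extend((ts, proc, rule) for rule in classify(line))
    return hits


if __name__ == "__main__":
    for ts, proc, rule in scan(EVENTS):
        print(f"{ts} {proc:<12} {rule}")
```

Run against the constructed events, the RAT's DNS lookup, tunnel connection, scheduled task, Run key write and the non-browser geolocation lookup each fire one rule, while the browser's HTTPS session does not.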