← Back to SOC feed Coverage →

Detects strings from C#/VB Stealers and QuasarRat

yara LOW Yara-Rules
backdoorcommunityinfostealer
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-06-19T23:00:00Z · Confidence: medium

Hunt Hypothesis

The detection of suspicious strings associated with C#/VB Stealers and QuasarRat indicates potential exfiltration or credential theft activities by an adversary. SOC teams should proactively hunt for these strings in Azure Sentinel to identify early-stage malware execution and prevent data compromise.

YARA Rule

rule MSILStealer
{
    meta:
        description = "Detects strings from C#/VB Stealers and QuasarRat"
        reference = "https://github.com/quasar/QuasarRAT"
        author = "https://github.com/hwvs"
        last_modified = "2019-11-21"

    strings:
        $ = "Firefox does not have any profiles, has it ever been launched?" wide ascii
        $ = "Firefox is not installed, or the install path could not be located" wide ascii
        $ = "No installs of firefox recorded in its key." wide ascii
        $ = "{0}\\\\FileZilla\\\\recentservers.xml" wide ascii
        $ = "{1}{0}Cookie Name: {2}{0}Value: {3}{0}Path" wide ascii
        $ = "[PRIVATE KEY LOCATION: \\\"{0}\\\"]" wide ascii

    condition:
        1 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

References

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/MALW_MSILStealer.yar