From 19092d82f84794f0e63f668b101e25e3dd2c9aea Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Wed, 14 Jun 2023 10:05:08 -0300
Subject: [PATCH] Create quasar-rat-c2.yaml
---
ssl/c2/quasar-rat-c2.yaml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 ssl/c2/quasar-rat-c2.yaml
diff --git a/ssl/c2/quasar-rat-c2.yaml b/ssl/c2/quasar-rat-c2.yaml
new file mode 100644
index 0000000000..ee6e523208
--- /dev/null
+++ b/ssl/c2/quasar-rat-c2.yaml
@@ -0,0 +1,29 @@
+id: quasar-rat-c2
+
+info:
+ name: Detect SSL Certificate Quasar RAT C2
+ author: johnk3r
+ severity: info
+ description: |
+ Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
+ reference: |
+ https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
+ metadata:
+ max-request: 1
+ verified: "true"
+ shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
+ tags: c2,ir,osint,malware
+
+ssl:
+ - address: "{{Host}}:{{Port}}"
+
+ matchers:
+ - type: word
+ part: issuer_cn
+ words:
+ - "Quasar Server CA"
+
+ extractors:
+ - type: json
+ json:
+ - " .issuer_cn"
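Review bot: `verified: "true"` in the metadata block is a quoted string rather than the YAML boolean, so any consumer that filters templates on `verified` as a boolean will likely not treat this one as verified; write it as `verified: true`. The plain scalar `shodan-query: ssl.cert.subject.cn:"Quasar Server CA"` parses only because the colon is not followed by a space, and a later edit can silently turn it into a mapping or a parse error; quote it as `shodan-query: 'ssl.cert.subject.cn:"Quasar Server CA"'`. `reference: |` yields a single string with a trailing newline where a list is the usual shape for references; `reference:` followed by `- https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat` keeps the same URL in list form. The matcher keys on `issuer_cn` while the Shodan query keys on the subject CN; that is presumably fine for a self-signed C2 certificate where both fields carry the same name, but a one-line comment above the matcher stating that assumption would help the next maintainer.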