Merge pull request #7423 from johnk3r/main

Create quasar-rat-c2.yaml
2023-06-15 14:53:51 +05:30 · 2023-06-15 14:53:51 +05:30 · c2a3dd7d25
parent d8e6b24a09 579fd894ae
commit c2a3dd7d25
1 changed files with 32 additions and 0 deletions
--- a/ssl/c2/quasar-rat-c2.yaml
+++ b/ssl/c2/quasar-rat-c2.yaml
@ -0,0 +1,32 @@
+id: quasar-rat-c2
+
+info:
+  name: Quasar RAT C2 SSL Certificate - Detect
+  author: johnk3r,pussycat0x
+  severity: info
+  description: |
+    Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
+  reference: |
+    https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
+  metadata:
+    max-request: 1
+    verified: "true"
+    shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
+    censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server","OrcusServerCertificate"}'
+  tags: c2,ir,osint,malware,quasar,rat
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+
+    matchers:
+      - type: word
+        part: issuer_cn
+        words:
+          - "Quasar Server CA"
+          - "OrcusServerCertificate"
+        condition: or
+
+    extractors:
+      - type: json
+        json:
+          - " .issuer_cn"