29 lines
1.1 KiB
YAML
29 lines
1.1 KiB
YAML
id: quasar-rat-c2
|
|
|
|
info:
|
|
name: Quasar RAT C2 SSL Certificate - Detect
|
|
author: johnk3r,pussycat0x,adilsoybali
|
|
severity: info
|
|
description: |
|
|
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
|
|
reference: |
|
|
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
|
|
metadata:
|
|
verified: "true"
|
|
max-request: 1
|
|
shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
|
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Quasar Server CA"}'
|
|
tags: c2,ssl,tls,ir,osint,malware,quasar
|
|
ssl:
|
|
- address: "{{Host}}:{{Port}}"
|
|
matchers:
|
|
- type: word
|
|
part: issuer_cn
|
|
words:
|
|
- "Quasar Server CA"
|
|
|
|
extractors:
|
|
- type: json
|
|
json:
|
|
- " .issuer_cn"
|
|
# digest: 4b0a00483046022100fd3d55551e069506653234df7fb2fb4b29696addfa7fef0accd5354d479ec507022100f666d5642d2ebf87e311c4a2ea48eee8e2ac56d59097d61e226f29acc4e98894:922c64590222798bb761d5b6d8e72950 |