33 lines
971 B
YAML
33 lines
971 B
YAML
id: quasar-rat-c2
|
|
|
|
info:
|
|
name: Quasar RAT C2 SSL Certificate - Detect
|
|
author: johnk3r,pussycat0x
|
|
severity: info
|
|
description: |
|
|
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
|
|
reference: |
|
|
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
|
|
metadata:
|
|
max-request: 1
|
|
verified: "true"
|
|
shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
|
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server","OrcusServerCertificate"}'
|
|
tags: c2,ir,osint,malware,quasar,rat
|
|
|
|
ssl:
|
|
- address: "{{Host}}:{{Port}}"
|
|
|
|
matchers:
|
|
- type: word
|
|
part: issuer_cn
|
|
words:
|
|
- "Quasar Server CA"
|
|
- "OrcusServerCertificate"
|
|
condition: or
|
|
|
|
extractors:
|
|
- type: json
|
|
json:
|
|
- " .issuer_cn"
|