31 lines
1.1 KiB
YAML
31 lines
1.1 KiB
YAML
id: quasar-rat-c2
|
|
|
|
info:
|
|
name: Quasar RAT C2 SSL Certificate - Detect
|
|
author: johnk3r,pussycat0x,adilsoybali
|
|
severity: info
|
|
description: |
|
|
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
|
|
reference: |
|
|
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
|
|
metadata:
|
|
verified: "true"
|
|
max-request: 1
|
|
shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
|
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Quasar Server CA"}'
|
|
tags: c2,ir,osint,malware,ssl,quasar
|
|
ssl:
|
|
- address: "{{Host}}:{{Port}}"
|
|
matchers:
|
|
- type: word
|
|
part: issuer_cn
|
|
words:
|
|
- "Quasar Server CA"
|
|
|
|
extractors:
|
|
- type: json
|
|
json:
|
|
- " .issuer_cn"
|
|
|
|
# digest: 4a0a0047304502210089c3b7edfbbd1e6f13c79ed724e93ae0db447239b79bb2be0496828c5b7d2e2a022069d9ff039f32ebf74f17f2a6efe0a56b6704a80540b1b1d93bf359b0fc28b2f1:922c64590222798bb761d5b6d8e72950
|