29 lines
1.1 KiB
YAML
29 lines
1.1 KiB
YAML
id: quasar-rat-c2
|
|
|
|
info:
|
|
name: Quasar RAT C2 SSL Certificate - Detect
|
|
author: johnk3r,pussycat0x,adilsoybali
|
|
severity: info
|
|
description: |
|
|
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
|
|
reference: |
|
|
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
|
|
metadata:
|
|
verified: "true"
|
|
max-request: 1
|
|
shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
|
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Quasar Server CA"}'
|
|
tags: c2,ir,osint,malware,ssl,quasar
|
|
ssl:
|
|
- address: "{{Host}}:{{Port}}"
|
|
matchers:
|
|
- type: word
|
|
part: issuer_cn
|
|
words:
|
|
- "Quasar Server CA"
|
|
|
|
extractors:
|
|
- type: json
|
|
json:
|
|
- " .issuer_cn"
|
|
# digest: 4a0a00473045022060eab6349fd324dc7fca63dc27ee1bf461c7b2fe00bcc62ee51d4df73d605b41022100865a2776e133d73f80fd52ea159bb31b974f6c5aab1ad719ea47d105de650844:922c64590222798bb761d5b6d8e72950 |