Practical Queries for Identifying Malware Infrastructure With FOFA

by Prapattimynk, Monday, 1 January 2024


Practical queries for identifying malware infrastructure with FOFA.

https://en.fofa.info/

AsyncRAT

Hardcoded Certificate Values

cert.subject.cn="AsyncRAT Server" || cert.issuer.cn="AsyncRAT Server"

Cobalt Strike

Default Certificate Values

cert.issuer.cn="Major Cobalt Strike"

cert.issuer.org="cobaltstrike"

Amadey Bot

Re-used certificate values

cert.subject.cn="desas.digital"

Quasar RAT

Default certificate values

cert.subject.cn="Quasar Server CA"

Laplas Clipper

Certificate values and favicon hash

cert.subject.cn="Laplas.app"

icon_hash="1123908622"

Sliver C2

Default Certificate values

cert.subject.cn="multiplayer" && cert.issuer.cn="operators"

Mythic C2

Default favicon hash and HTML title

icon_hash="-859291042"

title=="Mythic"

Supershell Botnet

HTML title and re-used favicon

icon_hash="-1010228102"

title="Supershell"
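Several of the queries above pivot on icon_hash, so it helps to be able to compute that value from a favicon you already have (for example one pulled from a sample's C2 panel) and to assemble the query for FOFA's search API. The following is an added example, not code from the original post or from FOFA: it implements MurmurHash3 (x86, 32-bit) in pure Python and assumes FOFA's icon_hash is, like Shodan's favicon hash, the signed mmh3 value of the favicon's base64 text with a newline every 76 characters, which is the widely documented scheme. The helper names and the base64-encoded query (FOFA's search endpoint takes the query as a qbase64 parameter) are this example's own.

```python
import base64
import struct


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32; returns a signed 32-bit int like mmh3.hash()."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte little-endian blocks
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = rotl((k * c1) & mask, 15)
        h ^= (k * c2) & mask
        h = (rotl(h, 13) * 5 + 0xE6546B64) & mask
    tail, k = data[nblocks * 4:], 0                # up to 3 trailing bytes
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = rotl((k * c1) & mask, 15)
        h ^= (k * c2) & mask
    h ^= len(data)                                 # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def fofa_icon_hash(favicon: bytes) -> int:
    """icon_hash as used in the queries above (assumed: mmh3 over the
    base64 text with a newline every 76 chars, as Shodan does)."""
    return murmur3_32(base64.encodebytes(favicon))


def fofa_query(terms, joiner="||") -> str:
    """Join (field, operator, value) triples, e.g. ("title", "==", "Mythic"),
    into one FOFA query string using || or &&."""
    return f" {joiner} ".join(f'{f}{op}"{v}"' for f, op, v in terms)


def fofa_qbase64(query: str) -> str:
    """FOFA's search API expects the query base64-encoded (qbase64)."""
    return base64.b64encode(query.encode()).decode()


if __name__ == "__main__":
    # Constructed sample: hash a favicon file from disk, then build the Laplas pivot.
    # with open("favicon.ico", "rb") as fh: print(fofa_icon_hash(fh.read()))
    q = fofa_query([("cert.subject.cn", "=", "Laplas.app"), ("icon_hash", "=", "1123908622")])
    print(q, fofa_qbase64(q))
```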
