Practical Queries for Identifying Malware Infrastructure With FOFA

Identifying malware infrastructure with the FOFA scanner.

https://en.fofa.info/

AsyncRAT

Hardcoded Certificate Values

cert.subject.cn="AsyncRAT Server" || cert.issuer.cn="AsyncRAT Server"

Cobalt Strike

Default Certificate Values

cert.issuer.cn="Major Cobalt Strike"

cert.issuer.org="cobaltstrike"

Amadey Bot

Re-used certificate values

cert.subject.cn="desas.digital"

Quasar RAT

Default certificate values

cert.subject.cn="Quasar Server CA"

Laplas Clipper

Certificate values and favicon hash

cert.subject.cn="Laplas.app"

icon_hash="1123908622"

Sliver C2

Default certificate values

cert.subject.cn="multiplayer" && cert.issuer.cn="operators"

Mythic C2

Default favicon hash and html title

icon_hash="-859291042"

title=="Mythic"

Supershell Botnet

HTML titles and re-used favicon

icon_hash="-1010228102"

title="Supershell"
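The icon_hash values used for Laplas Clipper, Mythic C2 and Supershell above can be recomputed locally, which lets a defender check a favicon pulled from a suspicious host against this list without re-running the search. The Python below is an added example, not part of the original page; it assumes FOFA computes icon_hash the same way Shodan does (MurmurHash3 x86_32, seed 0, signed result, over the base64 text of the favicon broken into 76-character lines), and it carries its own MurmurHash3 implementation so no third-party module is needed.

```python
import base64

MASK32 = 0xFFFFFFFF

def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as a signed 32-bit int, the form mmh3.hash() and FOFA report."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):  # 4-byte little-endian body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
        h = (_rotl32(h ^ k, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]
    if tail:  # 1-3 leftover bytes
        k = 0
        for j, b in enumerate(tail):
            k ^= b << (8 * j)
        h ^= (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
    h ^= len(data)  # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h - 0x100000000 if h & 0x80000000 else h

def fofa_icon_hash(favicon: bytes) -> int:
    # Assumption: same convention as Shodan, mmh3 over base64.encodebytes() output
    return murmur3_32(base64.encodebytes(favicon))

# icon_hash values taken from the queries above
KNOWN_ICON_HASHES = {
    1123908622: "Laplas Clipper",
    -859291042: "Mythic C2",
    -1010228102: "Supershell",
}

def families_for_favicon(favicon: bytes, table=KNOWN_ICON_HASHES) -> list:
    """Return the family names whose published icon_hash matches this favicon."""
    h = fofa_icon_hash(favicon)
    return [name for value, name in table.items() if value == h]

if __name__ == "__main__":
    sample = b"\x00\x00\x01\x00" + bytes(range(64))  # constructed stand-in for a favicon
    print(fofa_icon_hash(sample), families_for_favicon(sample))
```

Feed it the raw bytes of a downloaded favicon.ico; a non-empty result means the file hashes to one of the values the queries above pivot on.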