chore(fp): Add XTreme RAT, BianLian GO Trojan, and Qakbot C2 fingerpr…

…ints

fingerprints.yaml

@@ -218,6 +218,38 @@ malware_name: "unknown"
 confidence_level: 100
 tags: [C2, NetBus]
 ---
+name: XTreme RAT
+censys_query:
+  'services.banner_hashes="sha256:22adaf058a2cb668b15cb4c1f30e7cc720bbe38c146544169db35fbf630389c4"
+  and services.port: 10001'
+censys_virtual_hosts: false
+malware_name: win.extreme_rat
+confidence_level: 100
+tags: [C2, RAT]
+---
+name: BianLian GO Trojan
+censys_query:
+  services:(banner_hashes="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+  and tls.certificates.leaf_data.subject_dn=/C=[^,]{10,20}, O=[^,]{10,20}, OU=[^,]{10,20}/
+  and tls.certificates.leaf_data.issuer_dn=/C=[^,]{10,20}, O=[^,]{10,20}, OU=[^,]{10,20}/
+  and service_name:UNKNOWN)
+censys_virtual_hosts: true
+malware_name: win.bianlian
+confidence_level: 100
+tags: [C2]
+---
+name: Qakbot C2
+censys_query:
+  'services: (banner_hashes="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+  and tls.certificates.leaf_data.subject_dn: /C=[^,]+, OU=[^,]+, CN=[^,]+/ and tls.certificates.leaf_data.issuer_dn:/C=[^,]+,
+  ST=[^,]+, L=[^,]+, O=[^,]+, CN=[^,]+/ and port: {443, 993, 995} and tls.certificates.leaf_data.names:
+  /[a-z]{3,15}.[a-z]{2,5}/ and tls.ja3s: 475c9302dc42b2751db9edcac3b74891) and not
+  operating_system.product: *'
+censys_virtual_hosts: true
+malware_name: win.qakbot
+confidence_level: 100
+tags: [C2]
+---
 name: "Sliver"
 censys_query: "services: (tls.certificates.leaf_data.pubkey_bit_size: 2048 and tls.certificates.leaf_data.subject.organization: /(ACME|Partners|Tech|Cloud|Synergy|Test|Debug)? ?(co|llc|inc|corp|ltd)?/ and jarm.fingerprint: 3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910 and tls.certificates.leaf_data.subject.country: US and tls.certificates.leaf_data.subject.postal_code: /<1001-9999>/) or services: (jarm.fingerprint: 00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01 and port: 31337)"
 censys_virtual_hosts: false