From dd8b2559ce315504b8d4e9ced05295250ab0259f Mon Sep 17 00:00:00 2001
From: Aidan Holland
Date: Mon, 23 Oct 2023 09:33:22 -0400
Subject: [PATCH] feat(fp): Add VenomRAT fingerprint

---
 fingerprints.yaml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fingerprints.yaml b/fingerprints.yaml
index 7513b5a..e867116 100644
--- a/fingerprints.yaml
+++ b/fingerprints.yaml
@@ -84,7 +84,7 @@ confidence_level: 100
 tags: [C2, Mythic]
 ---
 name: "BitRAT"
-censys_query: 'services.software.product: BitRAT'
+censys_query: "services.software.product: BitRAT"
 censys_virtual_hosts: true
 malware_name: "win.bit_rat"
 confidence_level: 100
@@ -161,7 +161,8 @@ confidence_level: 75
 tags: [C2, RAT]
 ---
 name: "Pikabot"
-censys_query: 'services: (jarm.fingerprint="21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2"
+censys_query:
+  'services: (jarm.fingerprint="21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2"
   and port: 5000)'
 censys_virtual_hosts: false
 malware_name: "win.pikabot"
@@ -175,3 +176,10 @@ malware_name: "win.sliver"
 confidence_level: 90
 tags: [C2]
 ---
+name: "VenomRAT"
+censys_query: 'services: (tls.certificates.leaf_data.subject.common_name: "VenomRAT" or tls.certificates.leaf_data.issuer.common_name: "VenomRAT Server" or tls.certificates.leaf_data.issuer.organization: "VenomRAT By qwqdanchun")'
+censys_virtual_hosts: true
+malware_name: "win.venom"
+confidence_level: 100
+tags: [C2, RAT]
+---
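Review bot: The VenomRAT `censys_query` in the last hunk is one single-quoted scalar of roughly 230 characters, while the same commit re-wraps Pikabot's query onto an indented continuation line in the hunk above it; for consistency, and so the three OR-ed certificate predicates can be reviewed one per line, wrap it the same way. A single-quoted scalar folds a line break into one space and strips the continuation indent, so the query value the consumer receives is byte-identical. The trailing `---` added as the new last line matches how the Sliver entry already ended, so it appears to be the file's convention; if the loader is a generic `load_all`, it may yield an extra empty document, which is presumably already tolerated.
```yaml
name: "VenomRAT"
censys_query:
  'services: (tls.certificates.leaf_data.subject.common_name: "VenomRAT"
  or tls.certificates.leaf_data.issuer.common_name: "VenomRAT Server"
  or tls.certificates.leaf_data.issuer.organization: "VenomRAT By qwqdanchun")'
# … unchanged: censys_virtual_hosts, malware_name, confidence_level, tags …
```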