{
	"id": "7826a157-4969-4092-85f6-a59b2974dd7e",
	"created_at": "2026-04-06T00:19:10.521875Z",
	"updated_at": "2026-04-10T03:22:13.294349Z",
	"deleted_at": null,
	"sha1_hash": "e591d90cf45dc65dbc048be0b9b69b21c6722cc9",
	"title": "Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 442812,
	"plain_text": "Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)\r\nBy Matthew\r\nPublished: 2023-11-22 · Archived: 2026-04-05 17:54:12 UTC\r\nThreat Intelligence Guides\r\nMore interesting and practical queries for identifying malware infrastructure.\r\n\r\nPractical and real-world examples of queries for identifying malware infrastructure. The primary tooling used is Censys.io. Each section lists the properties observed on the infrastructure and then the Censys search query that encodes them.\r\n\r\nContents:\r\nRedline Stealer\r\nQakbot\r\nNJRat\r\nRemcos\r\nBianLian Go Trojan\r\nXTreme RAT\r\nSuperShell Botnet\r\n\r\nQakbot Command and Control Servers\r\nEmpty banner produces a known hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the SHA-256 of zero bytes, so it matches every service that returned no banner at all. On its own it only narrows the search; the discrimination comes from combining it with the certificate, port and JA3S conditions below.\r\nParticular structure to the TLS certificates: a subject DN of the form C=, OU=, CN= and an issuer DN of the form C=, ST=, L=, O=, CN=.\r\nQakbot servers typically listen on port 443, 993 or 995.\r\nServer name is all lower-case letters with no subdomain.\r\nNo identified operating system on the servers.\r\nSame JA3S across the malicious servers.\r\nservices:\r\n(banner_hashes=\"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"\r\nand tls.certificates.leaf_data.subject_dn:/C=[^,]+, OU=[^,]+, CN=[^,]+/\r\nand tls.certificates.leaf_data.issuer_dn:/C=[^,]+, ST=[^,]+, L=[^,]+, O=[^,]+, CN=[^,]+/\r\nand (port:443 or port:993 or port:995))\r\nand services.tls.certificates.leaf_data.names:/[a-z]{3,15}.[a-z]{2,5}/\r\nand not operating_system.product:*\r\nand services.tls.ja3s: 475c9302dc42b2751db9edcac3b74891\r\nNote that the dot in the names regex is unescaped, so it matches any single character rather than only a literal dot; \\. would be the stricter form if the intent is exactly name.tld.\r\n\r\nBianLian GO Trojan\r\nEmpty banner on the main service (the same SHA-256 of empty input as above).\r\nVery particular structure to the certificate names (both issuer and subject), e.g. C=zHNWYSaBumxjPKPY, O=KcUnN1CdTgEOxr6h, OU=FtVXN2EyNbwlXUP8: three comma-separated fields of 10 to 20 non-comma characters each, which is what the {10,20} ranges in the regex below encode.\r\nService always unidentified, presumably due to the lack of headers.\r\nservices:\r\n(banner_hashes=\"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"\r\nand tls.certificates.leaf_data.subject_dn=/C=[^,]{10,20}, O=[^,]{10,20}, OU=[^,]{10,20}/\r\nand tls.certificates.leaf_data.issuer_dn=/C=[^,]{10,20}, O=[^,]{10,20}, OU=[^,]{10,20}/\r\nand service_name:UNKNOWN)\r\n\r\nNJRat/Xworm Botnet Servers\r\nExtremely high number of running services (typically 200-400).\r\nAt least one dns.name pointing to an ngrok address.\r\nMost ports running a GStreamer service.\r\nservice_count:[200 to 2000] and dns.names:ngrok and services.banner:GStreamer\r\n\r\nRedline Stealer C2\r\nInitial Redline Stealer C2 on 77.91.124[.]86:19084.\r\nRunning 3 services: DNS and 2 Valve-related services.\r\nReverse DNS pointing to a Russian VPN service.\r\nSearching on DNS forwarding + .ru reverse DNS + Valve service + 3 total services returns 18 servers, 3 of them marked as known malware.\r\nThe other 15 results are \"clean\" at the time of the search but may be reserved for later malicious use.\r\nservices.dns.server_type=\"FORWARDING\" and dns.reverse_dns.names:*.ru and services.extended_service_name=\"VALVE\" and service_count:3\r\n\r\nRemcos C2 Servers, Overlap with other RAT Families\r\nEmpty banner produces the same hash of empty input (unique-ish: it narrows the result set but is shared by every empty banner).\r\nSame JARM fingerprint across services.\r\nSame JA3S.\r\nAlmost always on port 2404.\r\nservices:\r\n(banner_hashes=\"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"\r\nand jarm.fingerprint=\"00000000000000000041d41d0000001798d6156df422564fb9b667b7418e4c\"\r\nand port:2404 and tls.ja3s: eb1d94daa7e0344597e756a1fb6e7054)\r\n\r\nXTreme RAT\r\nBanner is a single 0xAD byte.\r\nAlways running on port 10001.\r\nservices.banner_hashes=\"sha256:22adaf058a2cb668b15cb4c1f30e7cc720bbe38c146544169db35fbf630389c4\" and services.port:10001\r\n\r\nSuperShell BotNet\r\nPresence of \"Supershell\" in the HTML title.\r\nRe-used favicon across panels.\r\nservices.http.response.html_title:\"Supershell\" or services.http.response.favicons.md5_hash=\"cb183a53ebfc2b61b3968c9d4aa4b14a\"\r\n\r\nSource: https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/"
	],
	"report_names": [
		"practical-queries-for-malware-infrastructure-part-3"
	],
	"threat_actors": [],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e591d90cf45dc65dbc048be0b9b69b21c6722cc9.pdf",
		"text": "https://archive.orkl.eu/e591d90cf45dc65dbc048be0b9b69b21c6722cc9.txt",
		"img": "https://archive.orkl.eu/e591d90cf45dc65dbc048be0b9b69b21c6722cc9.jpg"
	}
}