SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cotx (Back to overview)

Cotx RAT


There is no description at this point.

References
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-07-23ProofpointMichael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2019-12-20} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT TA428
Yara Rules
[TLP:WHITE] win_cotx_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cotx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d8500f8ffff 6a00 50 68???????? ff15???????? 8b0d???????? }
            // n = 6, score = 300
            //   8d8500f8ffff         | lea                 eax, [ebp - 0x800]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b0d????????         |                     

        $sequence_1 = { ff15???????? ff74240c 8b35???????? 8bf8 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   8b35????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_2 = { 8d85bcf3ffff 6a2e 50 e8???????? }
            // n = 4, score = 300
            //   8d85bcf3ffff         | lea                 eax, [ebp - 0xc44]
            //   6a2e                 | push                0x2e
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_3 = { 6a01 68000000c0 8d85bcf3ffff 50 }
            // n = 4, score = 300
            //   6a01                 | push                1
            //   68000000c0           | push                0xc0000000
            //   8d85bcf3ffff         | lea                 eax, [ebp - 0xc44]
            //   50                   | push                eax

        $sequence_4 = { 50 0f1145d0 e8???????? b201 8d8db0fbffff }
            // n = 5, score = 300
            //   50                   | push                eax
            //   0f1145d0             | movups              xmmword ptr [ebp - 0x30], xmm0
            //   e8????????           |                     
            //   b201                 | mov                 dl, 1
            //   8d8db0fbffff         | lea                 ecx, [ebp - 0x450]

        $sequence_5 = { 8b5f50 53 6a00 ff75ec ff15???????? 8945fc 85c0 }
            // n = 7, score = 300
            //   8b5f50               | mov                 ebx, dword ptr [edi + 0x50]
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   85c0                 | test                eax, eax

        $sequence_6 = { 56 e8???????? 8b45fc 8b55f4 }
            // n = 4, score = 300
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_7 = { 57 8b403c 03c6 8b75f8 8907 53 }
            // n = 6, score = 300
            //   57                   | push                edi
            //   8b403c               | mov                 eax, dword ptr [eax + 0x3c]
            //   03c6                 | add                 eax, esi
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   8907                 | mov                 dword ptr [edi], eax
            //   53                   | push                ebx

        $sequence_8 = { 50 ff15???????? 8d85bcf3ffff 50 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85bcf3ffff         | lea                 eax, [ebp - 0xc44]
            //   50                   | push                eax

        $sequence_9 = { c705????????d468bcb5 c705????????a1a14538 c705????????2086e659 c705????????eec45abf }
            // n = 4, score = 300
            //   c705????????d468bcb5     |     
            //   c705????????a1a14538     |     
            //   c705????????2086e659     |     
            //   c705????????eec45abf     |     

    condition:
        7 of them and filesize < 1171456
}
Download all Yara Rules