win.cotx

Cotx RAT

Actor(s): TA428


There is no description at this point.

References
2021-04-02 · Dr.Web · Dr.Web
@techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT
2021-02-28 · PWC UK · PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-08 · Youtube (Virus Bulletin) · Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@online{ozawa:20210108:operation:18eec5e, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2021-01-08}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 · NTT Security · Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:04593f6, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint (Slides)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 · NTT Security · Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:1efe218, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2021-01-25} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-01-29 · nao_sec blog · nao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-07-23 · Proofpoint · Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
Yara Rules
[TLP:WHITE] win_cotx_auto (20210616 | Detects win.cotx.)
rule win_cotx_auto {
    // Auto-generated code-signature rule for the Cotx RAT (Malpedia id win.cotx).
    // Each $sequence_N string is a run of x86 instruction encodings selected from
    // disassembly by yara-signator (see meta/tool). "??" nibbles are YARA wildcards
    // that mask bytes varying between builds (absolute addresses, call targets);
    // the matching disassembly comments are intentionally blank for those.
    // Nothing here is hand-curated: read the DISCLAIMER below before assigning
    // confidence or lowering the threshold in the condition.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.cotx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Six consecutive "c7 05 <addr32> <imm32>" stores (mov dword ptr [abs], imm32)
        // with the destination addresses masked. The immediates look like a table
        // of constants being written at startup — presumably key/hash material;
        // TODO confirm against a sample before relying on this interpretation.
        $sequence_0 = { c705????????4506ce62 c705????????b60451f0 c705????????3f3f5288 c705????????6a62ae99 c705????????b872ad0c c705????????8ee66789 }
            // n = 6, score = 500
            //   c705????????4506ce62     |     
            //   c705????????b60451f0     |     
            //   c705????????3f3f5288     |     
            //   c705????????6a62ae99     |     
            //   c705????????b872ad0c     |     
            //   c705????????8ee66789     |     

        // Stack-string construction: the two immediates decode (little-endian) to
        // ASCII "ls.d" + "ll", i.e. the tail of a "...ls.dll" name written into a
        // local buffer, followed by a masked call and its stack clean-up.
        $sequence_1 = { c78504f8ffff6c732e64 66c78508f8ffff6c6c e8???????? 83c438 }
            // n = 4, score = 500
            //   c78504f8ffff6c732e64     | mov    dword ptr [ebp - 0x7fc], 0x642e736c
            //   66c78508f8ffff6c6c     | mov    word ptr [ebp - 0x7f8], 0x6c6c
            //   e8????????           |                     
            //   83c438               | add                 esp, 0x38

        // Another stack string: 0x463a is ":F" followed by an explicit NUL
        // terminator at [ebp - 2], then a masked call and stack clean-up.
        $sequence_2 = { 66c745fc3a46 c645fe00 e8???????? 83c430 }
            // n = 4, score = 500
            //   66c745fc3a46         | mov                 word ptr [ebp - 4], 0x463a
            //   c645fe00             | mov                 byte ptr [ebp - 2], 0
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30

        // Mostly masked (global store, call, global load); only the first
        // instruction is fixed, so this sequence carries little specificity on
        // its own and leans on the "7 of them" threshold.
        $sequence_3 = { 8b4dfc a3???????? e8???????? 8b15???????? }
            // n = 4, score = 500
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   a3????????           |                     
            //   e8????????           |                     
            //   8b15????????         |                     

        // Tail of an inlined memcpy idiom: "and ecx, 3; rep movsb" copies the
        // remainder after a dword copy (compare $sequence_8), then a local buffer
        // address is loaded and a masked call made.
        $sequence_4 = { 8bca 8bd3 83e103 f3a4 8d8d98f6ffff e8???????? }
            // n = 6, score = 500
            //   8bca                 | mov                 ecx, edx
            //   8bd3                 | mov                 edx, ebx
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d8d98f6ffff         | lea                 ecx, dword ptr [ebp - 0x968]
            //   e8????????           |                     

        // Same "mov dword ptr [abs], imm32" pattern as $sequence_0 with a
        // different set of constants; same caveat about interpretation.
        $sequence_5 = { c705????????890e9944 c705????????dbd99823 c705????????d468bcb5 c705????????a1a14538 c705????????2086e659 }
            // n = 5, score = 500
            //   c705????????890e9944     |     
            //   c705????????dbd99823     |     
            //   c705????????d468bcb5     |     
            //   c705????????a1a14538     |     
            //   c705????????2086e659     |     

        // Call setup after stack clean-up: pushes 0 and the address of a 0x800-byte
        // local buffer, then a masked immediate and a masked indirect call
        // (ff 15 = call dword ptr [abs], typically an import thunk).
        $sequence_6 = { 83c438 8d8500f8ffff 6a00 50 68???????? ff15???????? }
            // n = 6, score = 500
            //   83c438               | add                 esp, 0x38
            //   8d8500f8ffff         | lea                 eax, dword ptr [ebp - 0x800]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     

        // Compare-and-branch chain against two fixed 32-bit constants. Fully
        // unmasked, so it is one of the more specific sequences here. The
        // constants are presumably hash values being dispatched on — TODO confirm.
        $sequence_7 = { 3dbfbc9e63 740e 3d10b6afa6 7407 }
            // n = 4, score = 500
            //   3dbfbc9e63           | cmp                 eax, 0x639ebcbf
            //   740e                 | je                  0x10
            //   3d10b6afa6           | cmp                 eax, 0xa6afb610
            //   7407                 | je                  9

        // Head of the memcpy idiom whose tail is $sequence_4: the immediate
        // decodes to ASCII "910D" stored into a local, then "shr ecx, 2; rep movsd"
        // copies whole dwords before the byte remainder is handled.
        $sequence_8 = { c785b8faffff39313044 c1e902 f3a5 8bca }
            // n = 4, score = 500
            //   c785b8faffff39313044     | mov    dword ptr [ebp - 0x548], 0x44303139
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx

        // Identical to $sequence_0 minus its first store, so anything matching
        // $sequence_0 also matches $sequence_9. One code location therefore
        // contributes two hits toward the "7 of them" threshold below, which
        // slightly weakens that threshold; worth knowing when tuning confidence.
        $sequence_9 = { c705????????b60451f0 c705????????3f3f5288 c705????????6a62ae99 c705????????b872ad0c c705????????8ee66789 }
            // n = 5, score = 500
            //   c705????????b60451f0     |     
            //   c705????????3f3f5288     |     
            //   c705????????6a62ae99     |     
            //   c705????????b872ad0c     |     
            //   c705????????8ee66789     |     

    condition:
        // At least 7 of the 10 sequences must be present (note the $sequence_0 /
        // $sequence_9 overlap above). The size cap is 1171456 bytes (1144 KiB);
        // larger inputs — e.g. padded or full-process memory dumps — never match
        // regardless of string hits, so scan unpacked/extracted images.
        7 of them and filesize < 1171456
}