win.cotx

Cotx RAT

Actor(s): TA428


No analyst write-up has been added for this family yet. What the references below establish: Cotx RAT is tracked as TA428 tooling; Proofpoint (2019) and NTT Security / Virus Bulletin (2020–2021) report it in "Operation LagTime IT" alongside 8.t Dropper, Poison Ivy, nccTrojan and Tmanger, nao_sec (2020) lists it among Royal Road (8.t) payloads, and Dr.Web (2021) covers it, together with Ghost RAT, in targeted attacks on Russian research institutes. Capabilities and protocol details are not described on this page — consult the references.

References
2021-04-02 — Dr.Web — Dr.Web
@techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT
2021-02-28 — PWC UK — PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-08 — Youtube (Virus Bulletin) — Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@online{ozawa:20210108:operation:18eec5e, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2021-01-08}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 — NTT Security — Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:04593f6, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint (Slides)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 — NTT Security — Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:1efe218, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2021-01-25} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-01-29 — nao_sec blog — nao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-07-23 — Proofpoint — Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
Yara Rules
[TLP:WHITE] win_cotx_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * NOTE(review): autogenerated code-sequence signature for win.cotx (Cotx RAT).
 * The strings are raw x86 instruction bytes lifted from unpacked / in-memory
 * samples (see the disclaimer inside the rule), so the rule is intended for
 * memory dumps and unpacked binaries; a packed or encrypted on-disk sample will
 * generally not match. The `????` bytes are wildcards over addresses and
 * displacements that change with relocation, so only the opcode skeleton and
 * the embedded constants are pinned.
 */
rule win_cotx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Seven consecutive `c7 05 <addr32> <imm32>` instructions (x86 `mov dword ptr [abs], imm32`).
        // The wildcard masks the absolute target address (relocation-dependent); the 32-bit
        // constants that are stored (0x944a492d, 0xd433b18d, ...) are the part that is pinned.
        // The generator emitted no disassembly for this sequence.
        // In the comments below, `n` is the number of instructions in the sequence and
        // `score` is the selection score reported by yara-signator (identical for all strings here).
        $sequence_0 = { c705????????2d494a94 c705????????8db133d4 c705????????8e220b1d c705????????6825794d c705????????4506ce62 c705????????b60451f0 c705????????3f3f5288 }
            // n = 7, score = 500
            //   c705????????2d494a94     |     
            //   c705????????8db133d4     |     
            //   c705????????8e220b1d     |     
            //   c705????????6825794d     |     
            //   c705????????4506ce62     |     
            //   c705????????b60451f0     |     
            //   c705????????3f3f5288     |     

        // Tail of a byte-scanning loop (inc edi / test al,al / jne back) followed by a store of the
        // ASCII bytes "910D" (0x39 0x31 0x30 0x44) into a stack buffer at [ebp-0x548] — a stack-built
        // string fragment. The `0f2805????????` (movaps from an absolute address) is masked.
        $sequence_1 = { 47 84c0 75f8 0f2805???????? 8d85bdfaffff 8bca c785b8faffff39313044 }
            // n = 7, score = 500
            //   47                   | inc                 edi
            //   84c0                 | test                al, al
            //   75f8                 | jne                 0xfffffffa
            //   0f2805????????       |                     
            //   8d85bdfaffff         | lea                 eax, [ebp - 0x543]
            //   8bca                 | mov                 ecx, edx
            //   c785b8faffff39313044     | mov    dword ptr [ebp - 0x548], 0x44303139

        // Mostly wildcarded: push imm32 / call rel32 / movaps from abs32, then a fixed
        // stack-buffer lea. Only 4 instructions and 3 of them masked — the weakest string here.
        $sequence_2 = { 68???????? e8???????? 0f2805???????? 8d85e7feffff }
            // n = 4, score = 500
            //   68????????           |                     
            //   e8????????           |                     
            //   0f2805????????       |                     
            //   8d85e7feffff         | lea                 eax, [ebp - 0x119]

        // Inlined memcpy idiom (shr ecx,2 ; rep movsd), a '-' (0x2d) byte written into a stack
        // buffer, then `push 0x3db` (987) — presumably a size/length argument for the following call.
        $sequence_3 = { c1e902 f3a5 8bca c685bcfaffff2d 68db030000 }
            // n = 5, score = 500
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   c685bcfaffff2d       | mov                 byte ptr [ebp - 0x544], 0x2d
            //   68db030000           | push                0x3db

        // Same compiler memcpy idiom as $sequence_3 (shr ecx,2 / rep movsd / and ecx,3 for the
        // remainder bytes). This is generic compiler output and will occur in unrelated binaries;
        // it only contributes in combination with the other strings.
        $sequence_4 = { 75f8 8bca c1e902 f3a5 8bca 8bd3 83e103 }
            // n = 7, score = 500
            //   75f8                 | jne                 0xfffffffa
            //   8bca                 | mov                 ecx, edx
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   8bd3                 | mov                 edx, ebx
            //   83e103               | and                 ecx, 3

        // Two large stack buffers ([ebp-0x1c44] and [ebp-0x444]) pushed as call arguments;
        // the call target is masked. Pinned by the unusual frame offsets.
        $sequence_5 = { e8???????? 8d85bce3ffff 50 8d85bcfbffff 50 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   8d85bce3ffff         | lea                 eax, [ebp - 0x1c44]
            //   50                   | push                eax
            //   8d85bcfbffff         | lea                 eax, [ebp - 0x444]
            //   50                   | push                eax

        // cdecl call with a pushed immediate (masked) and a [ebp-0x60] buffer, followed by
        // `add esp, 0x20` (8 dword arguments cleaned up by the caller).
        $sequence_6 = { 50 8d45a0 68???????? 50 e8???????? 8d55a0 83c420 }
            // n = 7, score = 500
            //   50                   | push                eax
            //   8d45a0               | lea                 eax, [ebp - 0x60]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d55a0               | lea                 edx, [ebp - 0x60]
            //   83c420               | add                 esp, 0x20

        // Stack-string construction: the immediates are the ASCII bytes "trol", "ler.", "ex", "e"
        // (i.e. a "...troller.exe" filename fragment) written to consecutive stack slots, then after
        // a masked call the bytes "RasT" at [ebp-0x240]. The most family-specific string in the rule;
        // the full strings are not visible here, so do not infer the complete filenames from it.
        $sequence_7 = { c785c8fcffff74726f6c c785ccfcffff6c65722e 66c785d0fcffff6578 c685d2fcffff65 e8???????? 83c448 c785c0fdffff52617354 }
            // n = 7, score = 500
            //   c785c8fcffff74726f6c     | mov    dword ptr [ebp - 0x338], 0x6c6f7274
            //   c785ccfcffff6c65722e     | mov    dword ptr [ebp - 0x334], 0x2e72656c
            //   66c785d0fcffff6578     | mov    word ptr [ebp - 0x330], 0x7865
            //   c685d2fcffff65       | mov                 byte ptr [ebp - 0x32e], 0x65
            //   e8????????           |                     
            //   83c448               | add                 esp, 0x48
            //   c785c0fdffff52617354     | mov    dword ptr [ebp - 0x240], 0x54736152

        // Indirect API call through an import slot (`ff15` masked), then a [ebp-0xc44] buffer and
        // the character '.' (0x2e) pushed to a masked call — looks like a string search/split on '.'.
        $sequence_8 = { 50 ff15???????? 8d85bcf3ffff 6a2e 50 e8???????? }
            // n = 6, score = 500
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85bcf3ffff         | lea                 eax, [ebp - 0xc44]
            //   6a2e                 | push                0x2e
            //   50                   | push                eax
            //   e8????????           |                     

        // The same [ebp-0x1444] stack buffer passed to a masked call and then reloaded into ecx;
        // pinned only by the frame offset.
        $sequence_9 = { 50 8d85bcebffff 50 e8???????? 8d8dbcebffff }
            // n = 5, score = 500
            //   50                   | push                eax
            //   8d85bcebffff         | lea                 eax, [ebp - 0x1444]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8dbcebffff         | lea                 ecx, [ebp - 0x1444]

    condition:
        // Fire when at least 7 of the 10 $sequence_* strings are present and the scanned object
        // is smaller than 1171456 bytes (1144 KiB). The size bound keeps the rule off large
        // containers that happen to embed compiler idioms like $sequence_3/$sequence_4.
        // NOTE(review): YARA leaves `filesize` undefined when scanning a live process, which can
        // make this condition evaluate false there — apply the rule to dumped memory regions or
        // unpacked files, or confirm the behaviour for your YARA version before relying on it.
        7 of them and filesize < 1171456
}