win.cotx

Cotx RAT

Actor(s): TA428


There is no description at this point.

References
2022-08-08 | Kaspersky | Kaspersky Lab ICS CERT
Targeted attack on industrial enterprises and public institutions
Cotx RAT Logtu nccTrojan PortDoor
2021-11-17 | Trend Micro | Abdelrhman Sharshar, Mohamed Fahmy, Ryan Maglaque, Sherif Magdy
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT
2021-04-02 | Dr.Web | Dr.Web
Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT TA428
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-08 | Youtube (Virus Bulletin) | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger TA428
2020-09-30 | NTT Security | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 | NTT Security | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-08-28 | NTT | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation Lagtime IT: Colourful Panda Footprint
Cotx RAT Poison Ivy TA428
2020-08-19 | NTT Security | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428
2020-01-29 | nao_sec blog | nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-07-23 | Proofpoint | Dennis Schwarz, Michael Raggi, Proofpoint Threat Insight Team
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
Yara Rules
[TLP:WHITE] win_cotx_auto (20260504 | Detects win.cotx.)
rule win_cotx_auto {
    // Auto-generated code-sequence signature for the Cotx RAT family (win.cotx).
    // Each $sequence_N is a run of x86 instruction bytes lifted from unpacked
    // samples. The "??" wildcards mask operands the generator deliberately
    // ignores (presumably call/jump targets and data references — see the
    // signator_config field), which is why those rows carry no disassembly.
    // Because the rule is derived from a small number of documented samples
    // (see DISCLAIMER), treat a hit as a strong lead rather than proof, and
    // pair it with the rule's filesize bound below when tuning false positives.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cotx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" in the per-sequence comments is the instruction count; "score"
        // is the generator's ranking of the sequence (all ten are equal here).
        $sequence_0 = { 897704 0fb74316 c1e80d 83e001 894714 0fb74316 }
            // n = 6, score = 500
            //   897704               | mov                 dword ptr [edi + 4], esi
            //   0fb74316             | movzx               eax, word ptr [ebx + 0x16]
            //   c1e80d               | shr                 eax, 0xd
            //   83e001               | and                 eax, 1
            //   894714               | mov                 dword ptr [edi + 0x14], eax
            //   0fb74316             | movzx               eax, word ptr [ebx + 0x16]

        // The 32/16/8-bit immediates below are ASCII written little-endian onto
        // the stack (74726f6c = "trol", 6c65 = "le", 72 = "r"), i.e. a stack-built
        // string; the wildcarded call that follows presumably consumes it —
        // confirm against a sample.
        $sequence_1 = { 0f1185a8faffff c785b8faffff74726f6c 66c785bcfaffff6c65 c685befaffff72 e8???????? 83c424 ff15???????? }
            // n = 7, score = 500
            //   0f1185a8faffff       | movups              xmmword ptr [ebp - 0x558], xmm0
            //   c785b8faffff74726f6c     | mov    dword ptr [ebp - 0x548], 0x6c6f7274
            //   66c785bcfaffff6c65     | mov    word ptr [ebp - 0x544], 0x656c
            //   c685befaffff72       | mov                 byte ptr [ebp - 0x542], 0x72
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   ff15????????         |                     

        $sequence_2 = { 83c438 8d8500f8ffff 6a00 50 68???????? ff15???????? 8b0d???????? }
            // n = 7, score = 500
            //   83c438               | add                 esp, 0x38
            //   8d8500f8ffff         | lea                 eax, [ebp - 0x800]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b0d????????         |                     

        // 39313044 is the little-endian ASCII "910D" stored at [ebp - 0x548],
        // the same stack slot $sequence_1 writes "trol" into.
        $sequence_3 = { 84c0 75f8 0f2805???????? 8d85bdfaffff 8bca c785b8faffff39313044 }
            // n = 6, score = 500
            //   84c0                 | test                al, al
            //   75f8                 | jne                 0xfffffffa
            //   0f2805????????       |                     
            //   8d85bdfaffff         | lea                 eax, [ebp - 0x543]
            //   8bca                 | mov                 ecx, edx
            //   c785b8faffff39313044     | mov    dword ptr [ebp - 0x548], 0x44303139

        // Consecutive stack stores spell "trol" "ler." "ex" "e" (a name ending in
        // "troller.exe"); 52617354 is "RasT". These literal fragments are what
        // make this sequence specific to the family.
        $sequence_4 = { c785c8fcffff74726f6c c785ccfcffff6c65722e 66c785d0fcffff6578 c685d2fcffff65 e8???????? 83c448 c785c0fdffff52617354 }
            // n = 7, score = 500
            //   c785c8fcffff74726f6c     | mov    dword ptr [ebp - 0x338], 0x6c6f7274
            //   c785ccfcffff6c65722e     | mov    dword ptr [ebp - 0x334], 0x2e72656c
            //   66c785d0fcffff6578     | mov    word ptr [ebp - 0x330], 0x7865
            //   c685d2fcffff65       | mov                 byte ptr [ebp - 0x32e], 0x65
            //   e8????????           |                     
            //   83c448               | add                 esp, 0x48
            //   c785c0fdffff52617354     | mov    dword ptr [ebp - 0x240], 0x54736152

        // Two back-to-back calls each passed the constant 0xf000 while esi is
        // advanced by 0xef90 and then 0xf000 — looks like chunked processing of
        // a buffer in fixed-size steps; the callee is wildcarded.
        $sequence_5 = { 6800f00000 81c690ef0000 68???????? 56 e8???????? 6800f00000 81c600f00000 }
            // n = 7, score = 500
            //   6800f00000           | push                0xf000
            //   81c690ef0000         | add                 esi, 0xef90
            //   68????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   6800f00000           | push                0xf000
            //   81c600f00000         | add                 esi, 0xf000

        // rep movsd followed by "and ecx, 3" is the dword-copy / byte-tail idiom;
        // 2d is ASCII "-" stored at [ebp - 0x544].
        $sequence_6 = { f3a5 8bca c685bcfaffff2d 68db030000 83e103 0f118598faffff }
            // n = 6, score = 500
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   c685bcfaffff2d       | mov                 byte ptr [ebp - 0x544], 0x2d
            //   68db030000           | push                0x3db
            //   83e103               | and                 ecx, 3
            //   0f118598faffff       | movups              xmmword ptr [ebp - 0x568], xmm0

        $sequence_7 = { f3a4 50 0f1185a8faffff e8???????? 83c40c 8d45a0 6a40 }
            // n = 7, score = 500
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   50                   | push                eax
            //   0f1185a8faffff       | movups              xmmword ptr [ebp - 0x558], xmm0
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d45a0               | lea                 eax, [ebp - 0x60]
            //   6a40                 | push                0x40

        // The same stack buffer ([ebp - 0xc44]) is passed to two wildcarded
        // imports in a row, then pushed again together with 0x2e (ASCII ".").
        $sequence_8 = { ff15???????? 8d85bcf3ffff 50 ff15???????? 8d85bcf3ffff 6a2e 50 }
            // n = 7, score = 500
            //   ff15????????         |                     
            //   8d85bcf3ffff         | lea                 eax, [ebp - 0xc44]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85bcf3ffff         | lea                 eax, [ebp - 0xc44]
            //   6a2e                 | push                0x2e
            //   50                   | push                eax

        // Almost entirely wildcarded (4 of 5 instructions); this sequence
        // contributes little specificity on its own and relies on the
        // "7 of them" threshold for precision.
        $sequence_9 = { e8???????? 8b15???????? 8b4dfc a3???????? e8???????? }
            // n = 5, score = 500
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   a3????????           |                     
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present, so a few missing or
        // re-compiled sequences are tolerated. The filesize cap (in bytes) is
        // presumably derived from the analysed samples; memory dumps or padded
        // files larger than this will not match even if all sequences are present.
        7 of them and filesize < 1171456
}