win.cotx (Back to overview)

Cotx RAT

Actor(s): TA428


There is no description at this point.

References
2021-11-17 — Trend Micro — Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
@online{fahmy:20211117:analyzing:c6c52d1, author = {Mohamed Fahmy and Abdelrhman Sharshar and Sherif Magdy and Ryan Maglaque}, title = {{Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR}}, date = {2021-11-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html}, language = {English}, urldate = {2021-11-18} } Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT
2021-04-02 — Dr.Web — Dr.Web
@techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT
2021-02-28 — PWC UK — PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-08 — Youtube (Virus Bulletin) — Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@online{ozawa:20210108:operation:18eec5e, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2021-01-08}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 — NTT Security — Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:04593f6, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint (Slides)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 — NTT Security — Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:1efe218, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2021-01-25} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-01-29 — nao_sec blog — nao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-07-23 — Proofpoint — Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
Yara Rules
[TLP:WHITE] win_cotx_auto (20211008 | Detects win.cotx.)
rule win_cotx_auto {
    // Auto-generated code-sequence signature for the Cotx RAT (Malpedia family
    // win.cotx), produced by yara-signator. Each string below is a run of
    // 32-bit x86 instruction bytes lifted from disassembly; operands that depend
    // on load address or linking (call/jump displacements, absolute data
    // addresses) are wildcarded with `??` so the pattern survives relocation.
    // Because the sequences come from memory dumps and unpacked files (see the
    // DISCLAIMER below), expect this rule to fire on unpacked or in-memory
    // images rather than on packed samples at rest.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.cotx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each `e8 ?? ?? ?? ??` is a call rel32 whose target is wildcarded;
        // the "n" in the annotations is the instruction count, "score" the
        // generator's ranking of the sequence.
        $sequence_0 = { e8???????? 83ec20 8d8d00fcffff e8???????? }
            // n = 4, score = 500
            //   e8????????           |                     
            //   83ec20               | sub                 esp, 0x20
            //   8d8d00fcffff         | lea                 ecx, dword ptr [ebp - 0x400]
            //   e8????????           |                     

        // Inline strlen-style loop (load byte, inc, test, jne back) followed
        // by a length computation into edx.
        $sequence_1 = { 8bf2 8a02 42 84c0 75f9 8dbd98faffff 2bd6 }
            // n = 7, score = 500
            //   8bf2                 | mov                 esi, edx
            //   8a02                 | mov                 al, byte ptr [edx]
            //   42                   | inc                 edx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   8dbd98faffff         | lea                 edi, dword ptr [ebp - 0x568]
            //   2bd6                 | sub                 edx, esi

        // Stack-built string terminator: writes 0x463a ("\x3a\x46" = ":F" in
        // memory order) then a NUL at [ebp-2].
        $sequence_2 = { 66c745fc3a46 c645fe00 e8???????? 83c430 }
            // n = 4, score = 500
            //   66c745fc3a46         | mov                 word ptr [ebp - 4], 0x463a
            //   c645fe00             | mov                 byte ptr [ebp - 2], 0
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30

        // `0f 28 05 ?? ?? ?? ??` is movaps xmm0 from an absolute address
        // (wildcarded); the 16-byte copy to a stack buffer follows.
        $sequence_3 = { 50 0f2805???????? 8d85bcfbffff 0f1145d0 }
            // n = 4, score = 500
            //   50                   | push                eax
            //   0f2805????????       |                     
            //   8d85bcfbffff         | lea                 eax, dword ptr [ebp - 0x444]
            //   0f1145d0             | movups              xmmword ptr [ebp - 0x30], xmm0

        // Stack string construction. Read in memory (little-endian) order the
        // immediates spell "trol" "ler." "exe." "in" "i" -> the ASCII fragment
        // "troller.exe.ini"; the bytes preceding [ebp-0x128] are written by
        // instructions outside this sequence, so the full string is not
        // recoverable from the rule alone.
        $sequence_4 = { c785d8feffff74726f6c c785dcfeffff6c65722e c785e0feffff6578652e 66c785e4feffff696e c685e6feffff69 e8???????? 0f2805???????? }
            // n = 7, score = 500
            //   c785d8feffff74726f6c     | mov    dword ptr [ebp - 0x128], 0x6c6f7274
            //   c785dcfeffff6c65722e     | mov    dword ptr [ebp - 0x124], 0x2e72656c
            //   c785e0feffff6578652e     | mov    dword ptr [ebp - 0x120], 0x2e657865
            //   66c785e4feffff696e     | mov    word ptr [ebp - 0x11c], 0x6e69
            //   c685e6feffff69       | mov                 byte ptr [ebp - 0x11a], 0x69
            //   e8????????           |                     
            //   0f2805????????       |                     

        // Three large stack buffers (0x1c44, 0x444, 0x1444 below ebp) pushed as
        // arguments to one call; the 0x444 buffer is the same one used in
        // $sequence_3.
        $sequence_5 = { 8d85bce3ffff 50 8d85bcfbffff 50 8d85bcebffff 50 e8???????? }
            // n = 7, score = 500
            //   8d85bce3ffff         | lea                 eax, dword ptr [ebp - 0x1c44]
            //   50                   | push                eax
            //   8d85bcfbffff         | lea                 eax, dword ptr [ebp - 0x444]
            //   50                   | push                eax
            //   8d85bcebffff         | lea                 eax, dword ptr [ebp - 0x1444]
            //   50                   | push                eax
            //   e8????????           |                     

        // Short thiscall-style prologue (ecx <- esi) and argument pushes;
        // generic on its own, relies on the 7-of-10 condition for specificity.
        $sequence_6 = { 8bce e8???????? 6a00 53 56 }
            // n = 5, score = 500
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   56                   | push                esi

        // `ff 15 ?? ?? ?? ??` is an indirect call through an import-table slot
        // (address wildcarded); the result in eax is saved and tested.
        $sequence_7 = { 8b5f50 53 6a00 ff75ec ff15???????? 8945fc 85c0 }
            // n = 7, score = 500
            //   8b5f50               | mov                 ebx, dword ptr [edi + 0x50]
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   85c0                 | test                eax, eax

        // `c7 05 <addr32> <imm32>` = mov dword ptr [abs], imm32. The destination
        // addresses are wildcarded; only the stored 32-bit constants are matched.
        // The constants look like an initialisation table, but their meaning is
        // not established by the rule — treat as opaque family-specific values.
        $sequence_8 = { c705????????597e743c c705????????c1e1039f c705????????0a9769e0 c705????????c4b85363 c705????????3abf261f c705????????890e9944 }
            // n = 6, score = 500
            //   c705????????597e743c     |     
            //   c705????????c1e1039f     |     
            //   c705????????0a9769e0     |     
            //   c705????????c4b85363     |     
            //   c705????????3abf261f     |     
            //   c705????????890e9944     |     

        // Same shape as $sequence_8: four more constant stores to absolute
        // (wildcarded) addresses.
        $sequence_9 = { c705????????d468bcb5 c705????????a1a14538 c705????????2086e659 c705????????eec45abf }
            // n = 4, score = 500
            //   c705????????d468bcb5     |     
            //   c705????????a1a14538     |     
            //   c705????????2086e659     |     
            //   c705????????eec45abf     |     

    condition:
        // Require 7 of the 10 sequences so that a single generic fragment (e.g.
        // $sequence_6) cannot trigger alone, and bound the scanned size at
        // 1171456 bytes (0x11E000) to skip oversized inputs. Given the
        // single-sample provenance noted in the DISCLAIMER, corroborate hits
        // with additional indicators before treating them as confirmed.
        7 of them and filesize < 1171456
}