win.koadic

Koadic

Actor(s): APT28, Stone Panda


Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.

References
2021-03-18 — PRODAFT Threat Intelligence — PRODAFT
@techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish Group Threat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish Group Threat Actor Report
Cobalt Strike Dridex Koadic
2021-02-24 — Malwarebytes — Hossein Jazi
@techreport{jazi:20210224:lazyscripter:433f4bc, author = {Hossein Jazi}, title = {{LazyScripter: From Empire to double RAT}}, date = {2021-02-24}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf}, language = {English}, urldate = {2021-02-25} } LazyScripter: From Empire to double RAT
Octopus Koadic
2021-01-13 — AlienVault — Tom Hegel
@techreport{hegel:20210113:global:72b7b9d, author = {Tom Hegel}, title = {{A Global Perspective of the SideWinder APT}}, date = {2021-01-13}, institution = {AlienVault}, url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf}, language = {English}, urldate = {2021-01-18} } A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder
2021 — SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2020-11-28 — pat_h/to/file — pat_h/to/file
@online{pathtofile:20201128:hunting:21f38be, author = {pat_h/to/file}, title = {{Hunting Koadic Pt. 2 - JARM Fingerprinting}}, date = {2020-11-28}, organization = {pat_h/to/file}, url = {https://blog.tofile.dev/2020/11/28/koadic_jarm.html}, language = {English}, urldate = {2020-12-08} } Hunting Koadic Pt. 2 - JARM Fingerprinting
Koadic
2020-03-20 — Bitdefender — Liviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-01-09 — Github (zerosum0x0) — zerosum0x0
@online{zerosum0x0:20200109:koadic:2b6e0c1, author = {zerosum0x0}, title = {{Koadic}}, date = {2020-01-09}, organization = {Github (zerosum0x0)}, url = {https://github.com/zerosum0x0/koadic}, language = {English}, urldate = {2020-01-09} } Koadic
Koadic
2020 — Secureworks — SecureWorks
@online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2020 — Secureworks — SecureWorks
@online{secureworks:2020:cobalt:e50c4e9, author = {SecureWorks}, title = {{COBALT ULSTER}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/cobalt-ulster}, language = {English}, urldate = {2020-05-27} } COBALT ULSTER
POWERSTATS Koadic MuddyWater
2020 — Secureworks — SecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2018-06-06 — Palo Alto Networks Unit 42 — Bryan Lee, Robert Falcone
@online{lee:20180606:sofacy:6d3e723, author = {Bryan Lee and Robert Falcone}, title = {{Sofacy Group’s Parallel Attacks}}, date = {2018-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/}, language = {English}, urldate = {2019-12-20} } Sofacy Group’s Parallel Attacks
Koadic Zebrocy
Yara Rules
[TLP:WHITE] win_koadic_auto (20230715 | Detects win.koadic.)
rule win_koadic_auto {
    /* Purpose: flag Windows binaries that contain opcode sequences which
     * yara-signator extracted from Koadic samples (provenance in meta below).
     * Each $sequence_N is a hex byte pattern; "??" is a YARA hex wildcard
     * that matches any single byte. The signator_config in meta indicates
     * that call/jump targets and data references are the parts wildcarded,
     * so the patterns are meant to survive relocation between samples.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.koadic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each pattern is annotated with its x86 disassembly. Entries whose
        // disassembly column is blank are instructions with a wildcarded
        // operand (e.g. e8???????? is a near call whose rel32 target is masked,
        // ff35???????? / ff15???????? push or call through a masked absolute
        // address). Do not "tidy" the hex: a single changed nibble silently
        // alters what the rule detects.
        $sequence_0 = { 68???????? ff35???????? e8???????? 21c0 742b ff35???????? ff35???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   ff35????????         |                     
            //   e8????????           |                     
            //   21c0                 | and                 eax, eax
            //   742b                 | je                  0x2d
            //   ff35????????         |                     
            //   ff35????????         |                     

        $sequence_1 = { 397004 740d 894108 8b00 85c0 75f2 5e }
            // n = 7, score = 100
            //   397004               | cmp                 dword ptr [eax + 4], esi
            //   740d                 | je                  0xf
            //   894108               | mov                 dword ptr [ecx + 8], eax
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   85c0                 | test                eax, eax
            //   75f2                 | jne                 0xfffffff4
            //   5e                   | pop                 esi

        $sequence_2 = { e8???????? 7573 8b1424 ff35???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   7573                 | jne                 0x75
            //   8b1424               | mov                 edx, dword ptr [esp]
            //   ff35????????         |                     

        $sequence_3 = { 85c9 7414 85ff 7410 2bce 90 8a0431 }
            // n = 7, score = 100
            //   85c9                 | test                ecx, ecx
            //   7414                 | je                  0x16
            //   85ff                 | test                edi, edi
            //   7410                 | je                  0x12
            //   2bce                 | sub                 ecx, esi
            //   90                   | nop                 
            //   8a0431               | mov                 al, byte ptr [ecx + esi]

        $sequence_4 = { 53 55 57 80f92d 7507 bf01000000 eb07 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   57                   | push                edi
            //   80f92d               | cmp                 cl, 0x2d
            //   7507                 | jne                 9
            //   bf01000000           | mov                 edi, 1
            //   eb07                 | jmp                 9

        $sequence_5 = { 8bec 51 51 834dfcff 57 8d4508 50 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   57                   | push                edi
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax

        $sequence_6 = { 8b4508 3b06 7515 6a00 ff75fc ff75fc }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   3b06                 | cmp                 eax, dword ptr [esi]
            //   7515                 | jne                 0x17
            //   6a00                 | push                0
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_7 = { 8d45d0 50 ff55f4 53 89450c e8???????? 395d0c }
            // n = 7, score = 100
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax
            //   ff55f4               | call                dword ptr [ebp - 0xc]
            //   53                   | push                ebx
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax
            //   e8????????           |                     
            //   395d0c               | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_8 = { e8???????? ff35???????? e8???????? 09c0 7410 8b2d???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   ff35????????         |                     
            //   e8????????           |                     
            //   09c0                 | or                  eax, eax
            //   7410                 | je                  0x12
            //   8b2d????????         |                     

        $sequence_9 = { 6a00 50 ff15???????? 8bd8 8bd3 895c2420 8bc5 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   8bd3                 | mov                 edx, ebx
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   8bc5                 | mov                 eax, ebp

    condition:
        // Match when at least 7 of the 10 sequences above are present, and
        // only for objects smaller than 180224 bytes (176 KiB). The threshold
        // is the generator's default; lowering it raises recall at the cost
        // of false positives on unrelated code sharing common prologues
        // (e.g. $sequence_5 is a generic frame setup).
        // NOTE(review): filesize is only defined when scanning files; on a
        // process-memory scan this clause is undefined and the rule is not
        // expected to fire — confirm against your YARA deployment.
        7 of them and filesize < 180224
}