win.koadic

Koadic

Actor(s): APT28, Stone Panda


Koadic is an open-source post-exploitation framework for Windows, created by zerosum0x0 and available on GitHub. The framework is written in Python and generates JScript and VBScript payloads that can either be written to disk or mapped directly into memory. Its capabilities include remote desktop access, command execution, lateral movement via SMB, file transfer, credential theft using Mimikatz, port scanning, and system information collection; it can also gather specific system information and collect targeted files selected by name or extension.

References
2024-01-25 | JSAC 2024 | Masafumi Takeda, Tomoya Furukawa
Threat Intelligence of Abused Public Post-Exploitation Frameworks
Tags: AsyncRAT, DCRat, Empire Downloader, GRUNT, Havoc, Koadic, Merlin, PoshC2, Quasar RAT, Sliver

2021-03-18 | PRODAFT Threat Intelligence | PRODAFT
SilverFish Group Threat Actor Report
Tags: Cobalt Strike, Dridex, Koadic

2021-02-24 | Malwarebytes | Hossein Jazi
LazyScripter: From Empire to double RAT
Tags: Octopus, Koadic

2021-01-13 | AlienVault | Tom Hegel
A Global Perspective of the SideWinder APT
Tags: 8.t Dropper, Koadic, SideWinder

2021-01-01 | SecureWorks
Threat Profile: GOLD DRAKE
Tags: Cobalt Strike, Dridex, FriedEx, Koadic, MimiKatz, WastedLocker, Evil Corp

2020-11-28 | pat_h/to/file | pat_h/to/file
Hunting Koadic Pt. 2 - JARM Fingerprinting
Tags: Koadic

2020-03-20 | Bitdefender | Liviu Arsene
5 Times More Coronavirus-themed Malware Reports during March
Tags: ostap, HawkEye Keylogger, Koadic, Loki Password Stealer (PWS), Nanocore RAT, Remcos

2020-01-09 | Github (zerosum0x0) | zerosum0x0
Koadic
Tags: Koadic

2020-01-01 | Secureworks | SecureWorks
COBALT TRINITY
Tags: POWERTON, pupy, Imminent Monitor RAT, Koadic, Nanocore RAT, NetWire RC, PoshC2, APT33

2020-01-01 | Secureworks | SecureWorks
GOLD DRAKE
Tags: Dridex, Empire Downloader, FriedEx, Koadic, MimiKatz

2020-01-01 | Secureworks | SecureWorks
COBALT ULSTER
Tags: POWERSTATS, Koadic, MuddyWater

2018-06-06 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
Sofacy Group’s Parallel Attacks
Tags: Koadic, Zebrocy
Yara Rules
[TLP:WHITE] win_koadic_auto (20260504 | Detects win.koadic.)
rule win_koadic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.koadic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 011424 ff35???????? e8???????? 89c5 c7450001000000 ff35???????? }
            // n = 6, score = 100
            //   011424               | add                 dword ptr [esp], edx
            //   ff35????????         |                     
            //   e8????????           |                     
            //   89c5                 | mov                 ebp, eax
            //   c7450001000000       | mov                 dword ptr [ebp], 1
            //   ff35????????         |                     

        $sequence_1 = { 8d442424 50 e8???????? eb0f 8d4c2418 }
            // n = 5, score = 100
            //   8d442424             | lea                 eax, [esp + 0x24]
            //   50                   | push                eax
            //   e8????????           |                     
            //   eb0f                 | jmp                 0x11
            //   8d4c2418             | lea                 ecx, [esp + 0x18]

        $sequence_2 = { 6810000000 ff35???????? e8???????? 68???????? e8???????? 8b15???????? }
            // n = 6, score = 100
            //   6810000000           | push                0x10
            //   ff35????????         |                     
            //   e8????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   8b15????????         |                     

        $sequence_3 = { ff3424 e8???????? 8b1424 ff35???????? e8???????? 58 }
            // n = 6, score = 100
            //   ff3424               | push                dword ptr [esp]
            //   e8????????           |                     
            //   8b1424               | mov                 edx, dword ptr [esp]
            //   ff35????????         |                     
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_4 = { 8b4c241c 894f04 885d30 5f 5e 5b }
            // n = 6, score = 100
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   894f04               | mov                 dword ptr [edi + 4], ecx
            //   885d30               | mov                 byte ptr [ebp + 0x30], bl
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_5 = { 50 e8???????? eb29 6a08 51 845c2420 7411 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   eb29                 | jmp                 0x2b
            //   6a08                 | push                8
            //   51                   | push                ecx
            //   845c2420             | test                byte ptr [esp + 0x20], bl
            //   7411                 | je                  0x13

        $sequence_6 = { ff7500 58 a3???????? 8b6c240c ff7500 58 a3???????? }
            // n = 7, score = 100
            //   ff7500               | push                dword ptr [ebp]
            //   58                   | pop                 eax
            //   a3????????           |                     
            //   8b6c240c             | mov                 ebp, dword ptr [esp + 0xc]
            //   ff7500               | push                dword ptr [ebp]
            //   58                   | pop                 eax
            //   a3????????           |                     

        $sequence_7 = { 83feff 0f8580fdffff 8bc8 8b450c 5e 3bc8 7d1d }
            // n = 7, score = 100
            //   83feff               | cmp                 esi, -1
            //   0f8580fdffff         | jne                 0xfffffd86
            //   8bc8                 | mov                 ecx, eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   5e                   | pop                 esi
            //   3bc8                 | cmp                 ecx, eax
            //   7d1d                 | jge                 0x1f

        $sequence_8 = { 8b4614 55 8b6c241c 57 8b3d???????? }
            // n = 5, score = 100
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   55                   | push                ebp
            //   8b6c241c             | mov                 ebp, dword ptr [esp + 0x1c]
            //   57                   | push                edi
            //   8b3d????????         |                     

        $sequence_9 = { e8???????? ff35???????? e8???????? 8d442410 50 e8???????? ff35???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff35????????         |                     

    condition:
        7 of them and filesize < 180224
}