SYMBOLCOMMON_NAMEaka. SYNONYMS
win.koadic (Back to overview)

Koadic

Actor(s): Sofacy, Stone Panda


There is no description at this point.

References
2021-03-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-02-24MalwarebytesHossein Jazi
@techreport{jazi:20210224:lazyscripter:433f4bc, author = {Hossein Jazi}, title = {{LazyScripter: From Empire to double RAT}}, date = {2021-02-24}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf}, language = {English}, urldate = {2021-02-25} } LazyScripter: From Empire to double RAT
Octopus Koadic
2021-01-13AlienVaultTom Hegel
@techreport{hegel:20210113:global:72b7b9d, author = {Tom Hegel}, title = {{A Global Perspective of the SideWinder APT}}, date = {2021-01-13}, institution = {AlienVault}, url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf}, language = {English}, urldate = {2021-01-18} } A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2020-11-28pat_h/to/filepat_h/to/file
@online{pathtofile:20201128:hunting:21f38be, author = {pat_h/to/file}, title = {{Hunting Koadic Pt. 2 - JARM Fingerprinting}}, date = {2020-11-28}, organization = {pat_h/to/file}, url = {https://blog.tofile.dev/2020/11/28/koadic_jarm.html}, language = {English}, urldate = {2020-12-08} } Hunting Koadic Pt. 2 - JARM Fingerprinting
Koadic
2020-03-20BitdefenderLiviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-01-09Github (zerosum0x0)zerosum0x0
@online{zerosum0x0:20200109:koadic:2b6e0c1, author = {zerosum0x0}, title = {{Koadic}}, date = {2020-01-09}, organization = {Github (zerosum0x0)}, url = {https://github.com/zerosum0x0/koadic}, language = {English}, urldate = {2020-01-09} } Koadic
Koadic
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:e50c4e9, author = {SecureWorks}, title = {{COBALT ULSTER}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/cobalt-ulster}, language = {English}, urldate = {2020-05-27} } COBALT ULSTER
POWERSTATS Koadic MuddyWater
2018-06-06Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20180606:sofacy:6d3e723, author = {Bryan Lee and Robert Falcone}, title = {{Sofacy Group’s Parallel Attacks}}, date = {2018-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/}, language = {English}, urldate = {2019-12-20} } Sofacy Group’s Parallel Attacks
Koadic Zebrocy
Yara Rules
[TLP:WHITE] win_koadic_auto (20211008 | Detects win.koadic.)
rule win_koadic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.koadic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff35???????? ff35???????? ff742408 e8???????? 8d0518344100 50 e8???????? }
            // n = 7, score = 100
            //   ff35????????         |                     
            //   ff35????????         |                     
            //   ff742408             | push                dword ptr [esp + 8]
            //   e8????????           |                     
            //   8d0518344100         | lea                 eax, dword ptr [0x413418]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { 85ed 0f84bf020000 8b4500 85c0 }
            // n = 4, score = 100
            //   85ed                 | test                ebp, ebp
            //   0f84bf020000         | je                  0x2c5
            //   8b4500               | mov                 eax, dword ptr [ebp]
            //   85c0                 | test                eax, eax

        $sequence_2 = { 6800000000 e8???????? 6802000000 e8???????? e8???????? 50 bb3c330000 }
            // n = 7, score = 100
            //   6800000000           | push                0
            //   e8????????           |                     
            //   6802000000           | push                2
            //   e8????????           |                     
            //   e8????????           |                     
            //   50                   | push                eax
            //   bb3c330000           | mov                 ebx, 0x333c

        $sequence_3 = { eb7c 837d0c00 7507 c7450c02104100 f6462c01 ff750c }
            // n = 6, score = 100
            //   eb7c                 | jmp                 0x7e
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7507                 | jne                 9
            //   c7450c02104100       | mov                 dword ptr [ebp + 0xc], 0x411002
            //   f6462c01             | test                byte ptr [esi + 0x2c], 1
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_4 = { 85f6 744b 0fbe06 8bfe 3bc3 750c 8d4900 }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   744b                 | je                  0x4d
            //   0fbe06               | movsx               eax, byte ptr [esi]
            //   8bfe                 | mov                 edi, esi
            //   3bc3                 | cmp                 eax, ebx
            //   750c                 | jne                 0xe
            //   8d4900               | lea                 ecx, dword ptr [ecx]

        $sequence_5 = { 0375f0 7902 33f6 85c0 790a 33c0 eb06 }
            // n = 7, score = 100
            //   0375f0               | add                 esi, dword ptr [ebp - 0x10]
            //   7902                 | jns                 4
            //   33f6                 | xor                 esi, esi
            //   85c0                 | test                eax, eax
            //   790a                 | jns                 0xc
            //   33c0                 | xor                 eax, eax
            //   eb06                 | jmp                 8

        $sequence_6 = { 8bc6 85f6 743c 8b542410 85d2 7434 803e00 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   85f6                 | test                esi, esi
            //   743c                 | je                  0x3e
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   85d2                 | test                edx, edx
            //   7434                 | je                  0x36
            //   803e00               | cmp                 byte ptr [esi], 0

        $sequence_7 = { 8be8 8bfb 897c2414 85f6 0f8411010000 803e00 }
            // n = 6, score = 100
            //   8be8                 | mov                 ebp, eax
            //   8bfb                 | mov                 edi, ebx
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi
            //   85f6                 | test                esi, esi
            //   0f8411010000         | je                  0x117
            //   803e00               | cmp                 byte ptr [esi], 0

        $sequence_8 = { ba09000000 83ec04 c7042400000000 4a 75f3 8b542430 8d0c24 }
            // n = 7, score = 100
            //   ba09000000           | mov                 edx, 9
            //   83ec04               | sub                 esp, 4
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   4a                   | dec                 edx
            //   75f3                 | jne                 0xfffffff5
            //   8b542430             | mov                 edx, dword ptr [esp + 0x30]
            //   8d0c24               | lea                 ecx, dword ptr [esp]

        $sequence_9 = { 83c102 894d08 eb09 8b5508 83c201 895508 e9???????? }
            // n = 7, score = 100
            //   83c102               | add                 ecx, 2
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   eb09                 | jmp                 0xb
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83c201               | add                 edx, 1
            //   895508               | mov                 dword ptr [ebp + 8], edx
            //   e9????????           |                     

    condition:
        7 of them and filesize < 180224
}
Download all Yara Rules