ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Cotx RAT

Names: Cotx RAT
Type: Reconnaissance, Backdoor, Credential stealer
Description: (Proofpoint) The RasTls.dll contains the Cotx RAT code. The malware is written in C++ using object-oriented programming. We named it by borrowing the name of the location of its stored configuration. The encrypted configuration is stored in the side-loaded DLL file RasTls.dll in a PE section named “.cotx”. The current encrypted configuration is also stored in the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Java\user”.

The command and control structure of Cotx RAT is proxy aware. It utilizes wolfSSL for TLS encrypted communication. The initial beacon contains “|”-delimited system information. The data included in the beacon is Zlib compressed and encrypted with AES-192 in CBC mode utilizing the same keys as the configuration. The following values are included:

• 'id' value from 'software\\intel\\java' subkey
• Computer name
• 'mark' field from configuration
• Username
• Windows version
• Architecture
• Possible malware version. '0.9.7' is hardcoded in the analyzed sample
• Local IP addresses
• First adapter's MAC address
• Connection type (https or _proxy)
• 'password' field from configuration

Last change to this tool card: 24 April 2021


All groups using tool Cotx RAT


APT groups

TA428 | China | 2013-Jan 2022

1 group listed (1 APT, 0 other, 0 unknown)
