win.cobint

CobInt

aka: COOLPANTS

Actor(s): Cobalt


CobInt is a self-developed backdoor of the Cobalt group. The modular tool can collect initial intelligence about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager. Its CRM mailslot module was also observed being downloaded by ISFB.

References
2020-06-16 | PTSecurity | PT ESC Threat Intelligence | Cobalt: tactics and tools update
@online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} }

2020-03-04 | CrowdStrike | CrowdStrike | 2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }

2020-03-03 | PWC UK | PWC UK | Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }

2020 | Secureworks | SecureWorks | GOLD KINGSWOOD
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }

2018-09-11 | Proofpoint | Proofpoint Staff | New modular downloaders fingerprint systems - Part 3: CobInt
@online{staff:20180911:new:14fda4a, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems - Part 3: CobInt}}, date = {2018-09-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint}, language = {English}, urldate = {2019-12-20} }

2018-08-30 | NetScout | ASERT Team | Double the Infection, Double the Fun
@online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} }

2018-08-30 | NetScout | ASERT Team | Double the Infection, Double the Fun
@online{team:20180830:double:8129db5, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/double-infection-double-fun}, language = {English}, urldate = {2020-01-05} }

2018-05-29 | Group-IB | Rustam Mirkasymov | Cobalt Renaissance: new attacks and joint operations
@online{mirkasymov:20180529:cobalt:b344169, author = {Rustam Mirkasymov}, title = {{Cobalt Renaissance: new attacks and joint operations}}, date = {2018-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/renaissance}, language = {English}, urldate = {2019-10-22} }
Yara Rules
[TLP:WHITE] win_cobint_auto (20230407 | Detects win.cobint.)
rule win_cobint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.cobint."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c410 33c0 5d c3 55 8bec 837d0c08 }
            // n = 7, score = 400
            //   83c410               | add                 esp, 0x10
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   837d0c08             | cmp                 dword ptr [ebp + 0xc], 8

        $sequence_1 = { 59 59 50 ff35???????? ff15???????? ff35???????? }
            // n = 6, score = 400
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   ff35????????         |                     

        $sequence_2 = { 0f8cd3000000 8b543104 83c0fc 8955f8 3bc2 }
            // n = 5, score = 400
            //   0f8cd3000000         | jl                  0xd9
            //   8b543104             | mov                 edx, dword ptr [ecx + esi + 4]
            //   83c0fc               | add                 eax, -4
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   3bc2                 | cmp                 eax, edx

        $sequence_3 = { ff750c 890f 8b4d14 894f04 }
            // n = 4, score = 400
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   890f                 | mov                 dword ptr [edi], ecx
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   894f04               | mov                 dword ptr [edi + 4], ecx

        $sequence_4 = { 8b5d08 33c0 56 8b750c 8bc8 57 8906 }
            // n = 7, score = 400
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   56                   | push                esi
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8bc8                 | mov                 ecx, eax
            //   57                   | push                edi
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_5 = { c745f404000000 50 8d4508 50 6805000020 }
            // n = 5, score = 400
            //   c745f404000000       | mov                 dword ptr [ebp - 0xc], 4
            //   50                   | push                eax
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   6805000020           | push                0x20000005

        $sequence_6 = { a1???????? 40 251f000080 7905 48 83c8e0 40 }
            // n = 7, score = 400
            //   a1????????           |                     
            //   40                   | inc                 eax
            //   251f000080           | and                 eax, 0x8000001f
            //   7905                 | jns                 7
            //   48                   | dec                 eax
            //   83c8e0               | or                  eax, 0xffffffe0
            //   40                   | inc                 eax

        $sequence_7 = { 8bd7 391a 740b 41 83c210 83f920 }
            // n = 6, score = 400
            //   8bd7                 | mov                 edx, edi
            //   391a                 | cmp                 dword ptr [edx], ebx
            //   740b                 | je                  0xd
            //   41                   | inc                 ecx
            //   83c210               | add                 edx, 0x10
            //   83f920               | cmp                 ecx, 0x20

        $sequence_8 = { 33db 8a06 8d7602 3c61 7202 04e0 }
            // n = 6, score = 200
            //   33db                 | xor                 ebx, ebx
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8d7602               | lea                 esi, [esi + 2]
            //   3c61                 | cmp                 al, 0x61
            //   7202                 | jb                  4
            //   04e0                 | add                 al, 0xe0

        $sequence_9 = { 83ec14 53 56 8bf1 8955f0 33d2 57 }
            // n = 7, score = 200
            //   83ec14               | sub                 esp, 0x14
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   33d2                 | xor                 edx, edx
            //   57                   | push                edi

        $sequence_10 = { 7c90 90 90 90 90 90 }
            // n = 6, score = 200
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_11 = { 90 90 bffc807c28 1a807c170e81 7cd7 }
            // n = 5, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   bffc807c28           | mov                 edi, 0x287c80fc
            //   1a807c170e81         | sbb                 al, byte ptr [eax - 0x7ef1e884]
            //   7cd7                 | jl                  0xffffffd9

        $sequence_12 = { 7cd7 9b 807c909090 90 90 }
            // n = 5, score = 200
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_13 = { 8975f4 85c0 7505 b301 }
            // n = 4, score = 200
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   b301                 | mov                 bl, 1

        $sequence_14 = { 8802 eb0b 8b4d08 034df0 8a55ed 8811 }
            // n = 6, score = 200
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034df0               | add                 ecx, dword ptr [ebp - 0x10]
            //   8a55ed               | mov                 dl, byte ptr [ebp - 0x13]
            //   8811                 | mov                 byte ptr [ecx], dl

        $sequence_15 = { 8d4dec 8945f8 51 6800a80000 56 53 }
            // n = 6, score = 200
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   51                   | push                ecx
            //   6800a80000           | push                0xa800
            //   56                   | push                esi
            //   53                   | push                ebx

        $sequence_16 = { 8b400c 8b5014 33c0 eb38 }
            // n = 4, score = 200
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b5014               | mov                 edx, dword ptr [eax + 0x14]
            //   33c0                 | xor                 eax, eax
            //   eb38                 | jmp                 0x3a

        $sequence_17 = { 90 90 90 749b 807ce19a80 7c90 90 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 

        $sequence_18 = { 837d1000 740d 8b5508 0355f0 8a45ec }
            // n = 5, score = 200
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740d                 | je                  0xf
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]

        $sequence_19 = { 807c909090 90 bdfd807c90 90 }
            // n = 4, score = 200
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   bdfd807c90           | mov                 ebp, 0x907c80fd
            //   90                   | nop                 

        $sequence_20 = { 47 8d1c08 8a07 84c0 75ec 895df8 8b5df4 }
            // n = 7, score = 200
            //   47                   | inc                 edi
            //   8d1c08               | lea                 ebx, [eax + ecx]
            //   8a07                 | mov                 al, byte ptr [edi]
            //   84c0                 | test                al, al
            //   75ec                 | jne                 0xffffffee
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]

        $sequence_21 = { 58 83c005 c3 31b7807c30ae 807c909090 }
            // n = 5, score = 200
            //   58                   | pop                 eax
            //   83c005               | add                 eax, 5
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90

        $sequence_22 = { 8945ec 395318 763c 8b3c90 33c0 03fe }
            // n = 6, score = 200
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   395318               | cmp                 dword ptr [ebx + 0x18], edx
            //   763c                 | jbe                 0x3e
            //   8b3c90               | mov                 edi, dword ptr [eax + edx*4]
            //   33c0                 | xor                 eax, eax
            //   03fe                 | add                 edi, esi

        $sequence_23 = { 33d2 8b3e 83e0fc 42 }
            // n = 4, score = 200
            //   33d2                 | xor                 edx, edx
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   83e0fc               | and                 eax, 0xfffffffc
            //   42                   | inc                 edx

    condition:
        7 of them and filesize < 65536
}