win.cobint

CobInt

aka: COOLPANTS

Actor(s): Cobalt


CobInt is a self-developed backdoor of the Cobalt group. The modular tool can collect initial reconnaissance information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager. Its CRM mailslot module was also observed being downloaded by ISFB.

References

2020-06-16 | PTSecurity | PT ESC Threat Intelligence | Cobalt: tactics and tools update
@online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} }
Families/actors referenced: CobInt

2020-03-04 | CrowdStrike | CrowdStrike | 2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Families/actors referenced: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, Anunak, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-03-03 | PWC UK | PWC UK | Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families/actors referenced: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, Axiom

2020 | Secureworks | SecureWorks | GOLD KINGSWOOD
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }
Families/actors referenced: More_eggs, ATMSpitter, Cobalt Strike, CobInt, MimiKatz

2020 | Secureworks | SecureWorks | GOLD KINGSWOOD
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }
Families/actors referenced: More_eggs, ATMSpitter, Cobalt Strike, CobInt, MimiKatz, Cobalt

2018-09-11 | Proofpoint | Proofpoint Staff | New modular downloaders fingerprint systems - Part 3: CobInt
@online{staff:20180911:new:14fda4a, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems - Part 3: CobInt}}, date = {2018-09-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint}, language = {English}, urldate = {2019-12-20} }
Families/actors referenced: CobInt

2018-08-30 | NetScout | ASERT Team | Double the Infection, Double the Fun
@online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} }
Families/actors referenced: More_eggs, CobInt

2018-08-30 | NetScout | ASERT Team | Double the Infection, Double the Fun
@online{team:20180830:double:8129db5, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/double-infection-double-fun}, language = {English}, urldate = {2020-01-05} }
Families/actors referenced: CobInt

2018-05-29 | Group-IB | Rustam Mirkasymov | Cobalt Renaissance: new attacks and joint operations
@online{mirkasymov:20180529:cobalt:b344169, author = {Rustam Mirkasymov}, title = {{Cobalt Renaissance: new attacks and joint operations}}, date = {2018-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/renaissance}, language = {English}, urldate = {2019-10-22} }
Families/actors referenced: CobInt
Yara Rules
[TLP:WHITE] win_cobint_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_cobint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 740d 8b5508 0355f0 8a45ec }
            // n = 4, score = 200
            //   740d                 | je                  0xf
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]

        $sequence_1 = { 50 50 68bb010000 8d8524feffff }
            // n = 4, score = 200
            //   50                   | push                eax
            //   50                   | push                eax
            //   68bb010000           | push                0x1bb
            //   8d8524feffff         | lea                 eax, [ebp - 0x1dc]

        $sequence_2 = { 884b04 8d4b09 51 897305 }
            // n = 4, score = 200
            //   884b04               | mov                 byte ptr [ebx + 4], cl
            //   8d4b09               | lea                 ecx, [ebx + 9]
            //   51                   | push                ecx
            //   897305               | mov                 dword ptr [ebx + 5], esi

        $sequence_3 = { 68???????? eb11 c605????????01 eb10 }
            // n = 4, score = 200
            //   68????????           |                     
            //   eb11                 | jmp                 0x13
            //   c605????????01       |                     
            //   eb10                 | jmp                 0x12

        $sequence_4 = { 8801 41 47 4e 85f6 }
            // n = 5, score = 200
            //   8801                 | mov                 byte ptr [ecx], al
            //   41                   | inc                 ecx
            //   47                   | inc                 edi
            //   4e                   | dec                 esi
            //   85f6                 | test                esi, esi

        $sequence_5 = { 90 90 749b 807ce19a80 7c90 }
            // n = 5, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80
            //   7c90                 | jl                  0xffffff92

        $sequence_6 = { 50 51 ff75d8 ffd6 8bd8 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   ffd6                 | call                esi
            //   8bd8                 | mov                 ebx, eax

        $sequence_7 = { 90 90 90 e10b 96 7c90 90 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   e10b                 | loope               0xd
            //   96                   | xchg                eax, esi
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 

        $sequence_8 = { 807c909090 90 bdfd807c90 90 90 }
            // n = 5, score = 200
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   bdfd807c90           | mov                 ebp, 0x907c80fd
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_9 = { 6a00 8bc8 897de8 8d45e8 2bdf 50 }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   8bc8                 | mov                 ecx, eax
            //   897de8               | mov                 dword ptr [ebp - 0x18], edi
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   2bdf                 | sub                 ebx, edi
            //   50                   | push                eax

        $sequence_10 = { 84db 7405 8d4601 ebd3 8bc7 5f }
            // n = 6, score = 200
            //   84db                 | test                bl, bl
            //   7405                 | je                  7
            //   8d4601               | lea                 eax, [esi + 1]
            //   ebd3                 | jmp                 0xffffffd5
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi

        $sequence_11 = { 83c40c 0fb6c0 5d c3 ff751c }
            // n = 5, score = 200
            //   83c40c               | add                 esp, 0xc
            //   0fb6c0               | movzx               eax, al
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff751c               | push                dword ptr [ebp + 0x1c]

        $sequence_12 = { 2bc8 8bc2 d3f8 080433 43 6a08 58 }
            // n = 7, score = 200
            //   2bc8                 | sub                 ecx, eax
            //   8bc2                 | mov                 eax, edx
            //   d3f8                 | sar                 eax, cl
            //   080433               | or                  byte ptr [ebx + esi], al
            //   43                   | inc                 ebx
            //   6a08                 | push                8
            //   58                   | pop                 eax

        $sequence_13 = { eb0b 8b4d08 034df0 8a55ed }
            // n = 4, score = 200
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034df0               | add                 ecx, dword ptr [ebp - 0x10]
            //   8a55ed               | mov                 dl, byte ptr [ebp - 0x13]

        $sequence_14 = { 0355f0 8a45ec 8802 eb0b 8b4d08 }
            // n = 5, score = 200
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_15 = { 56 52 e8???????? 59 59 3bc7 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   52                   | push                edx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   3bc7                 | cmp                 eax, edi

        $sequence_16 = { 8a45cc 8d4dcc 83c40c 8ad0 3245cd 8845cc }
            // n = 6, score = 200
            //   8a45cc               | mov                 al, byte ptr [ebp - 0x34]
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   83c40c               | add                 esp, 0xc
            //   8ad0                 | mov                 dl, al
            //   3245cd               | xor                 al, byte ptr [ebp - 0x33]
            //   8845cc               | mov                 byte ptr [ebp - 0x34], al

        $sequence_17 = { 58 83c005 c3 31b7807c30ae }
            // n = 4, score = 200
            //   58                   | pop                 eax
            //   83c005               | add                 eax, 5
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi

        $sequence_18 = { 42 3b5318 72c4 33c0 5f 5e }
            // n = 6, score = 200
            //   42                   | inc                 edx
            //   3b5318               | cmp                 edx, dword ptr [ebx + 0x18]
            //   72c4                 | jb                  0xffffffc6
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_19 = { ffd7 8bf8 c745f405000000 32db 897ddc 885dff 8d45d0 }
            // n = 7, score = 200
            //   ffd7                 | call                edi
            //   8bf8                 | mov                 edi, eax
            //   c745f405000000       | mov                 dword ptr [ebp - 0xc], 5
            //   32db                 | xor                 bl, bl
            //   897ddc               | mov                 dword ptr [ebp - 0x24], edi
            //   885dff               | mov                 byte ptr [ebp - 1], bl
            //   8d45d0               | lea                 eax, [ebp - 0x30]

        $sequence_20 = { 90 bffc807c28 1a807c170e81 7cd7 9b 807c909090 }
            // n = 6, score = 200
            //   90                   | nop                 
            //   bffc807c28           | mov                 edi, 0x287c80fc
            //   1a807c170e81         | sbb                 al, byte ptr [eax - 0x7ef1e884]
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90

        $sequence_21 = { 33c9 8945bc 51 6800008000 51 51 51 }
            // n = 7, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   51                   | push                ecx
            //   6800008000           | push                0x800000
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   51                   | push                ecx

        $sequence_22 = { 03fe 8a0f 84c9 7421 8bd8 8ac1 8bcb }
            // n = 7, score = 200
            //   03fe                 | add                 edi, esi
            //   8a0f                 | mov                 cl, byte ptr [edi]
            //   84c9                 | test                cl, cl
            //   7421                 | je                  0x23
            //   8bd8                 | mov                 ebx, eax
            //   8ac1                 | mov                 al, cl
            //   8bcb                 | mov                 ecx, ebx

        $sequence_23 = { 8bf0 33ff e8???????? 8d4dec }
            // n = 4, score = 200
            //   8bf0                 | mov                 esi, eax
            //   33ff                 | xor                 edi, edi
            //   e8????????           |                     
            //   8d4dec               | lea                 ecx, [ebp - 0x14]

    condition:
        7 of them and filesize < 65536
}