win.cobint

CobInt

aka: COOLPANTS

Actor(s): Cobalt


CobInt is a self-developed backdoor of the Cobalt group. The modular tool can collect initial intelligence about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager. Its CRM mailslot module was also observed being downloaded by ISFB.

References
2020-06-16 | PTSecurity | PT ESC Threat Intelligence | Cobalt: tactics and tools update
@online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} }

2020-03-04 | CrowdStrike | CrowdStrike | 2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} }

2020-03-03 | PWC UK | PWC UK | Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }

2020 | Secureworks | SecureWorks | GOLD KINGSWOOD
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }

2020 | Secureworks | SecureWorks | GOLD KINGSWOOD
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }

2018-09-11 | Proofpoint | Proofpoint Staff | New modular downloaders fingerprint systems - Part 3: CobInt
@online{staff:20180911:new:14fda4a, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems - Part 3: CobInt}}, date = {2018-09-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint}, language = {English}, urldate = {2019-12-20} }

2018-08-30 | NetScout | ASERT Team | Double the Infection, Double the Fun
@online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} }

2018-08-30 | NetScout | ASERT Team | Double the Infection, Double the Fun
@online{team:20180830:double:8129db5, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/double-infection-double-fun}, language = {English}, urldate = {2020-01-05} }

2018-05-29 | Group-IB | Rustam Mirkasymov | Cobalt Renaissance: new attacks and joint operations
@online{mirkasymov:20180529:cobalt:b344169, author = {Rustam Mirkasymov}, title = {{Cobalt Renaissance: new attacks and joint operations}}, date = {2018-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/renaissance}, language = {English}, urldate = {2019-10-22} }
Yara Rules
[TLP:WHITE] win_cobint_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_cobint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb74e14 85c0 7439 83c12c 03ce }
            // n = 5, score = 400
            //   0fb74e14             | movzx               ecx, word ptr [esi + 0x14]
            //   85c0                 | test                eax, eax
            //   7439                 | je                  0x3b
            //   83c12c               | add                 ecx, 0x2c
            //   03ce                 | add                 ecx, esi

        $sequence_1 = { ff55e8 8b55e0 8903 83c304 }
            // n = 4, score = 400
            //   ff55e8               | call                dword ptr [ebp - 0x18]
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   8903                 | mov                 dword ptr [ebx], eax
            //   83c304               | add                 ebx, 4

        $sequence_2 = { 83c002 03c7 50 56 ff55e8 8b55e0 }
            // n = 6, score = 400
            //   83c002               | add                 eax, 2
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff55e8               | call                dword ptr [ebp - 0x18]
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]

        $sequence_3 = { 8b7df4 8b45e0 83c128 85c0 75cf 8b75f8 }
            // n = 6, score = 400
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   83c128               | add                 ecx, 0x28
            //   85c0                 | test                eax, eax
            //   75cf                 | jne                 0xffffffd1
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]

        $sequence_4 = { 833b00 8bd0 8955e0 75b4 8b75f0 }
            // n = 5, score = 400
            //   833b00               | cmp                 dword ptr [ebx], 0
            //   8bd0                 | mov                 edx, eax
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   75b4                 | jne                 0xffffffb6
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]

        $sequence_5 = { 8b4508 85d2 7416 56 57 8b7d0c }
            // n = 6, score = 400
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   85d2                 | test                edx, edx
            //   7416                 | je                  0x18
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]

        $sequence_6 = { 8bec 8a4d0c 56 8b7508 880e }
            // n = 5, score = 400
            //   8bec                 | mov                 ebp, esp
            //   8a4d0c               | mov                 cl, byte ptr [ebp + 0xc]
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   880e                 | mov                 byte ptr [esi], cl

        $sequence_7 = { 03df 03d7 8945dc 8955e0 833b00 }
            // n = 5, score = 400
            //   03df                 | add                 ebx, edi
            //   03d7                 | add                 edx, edi
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   833b00               | cmp                 dword ptr [ebx], 0

        $sequence_8 = { 58 83c005 c3 31b7807c30ae 807c909090 }
            // n = 5, score = 200
            //   58                   | pop                 eax
            //   83c005               | add                 eax, 5
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90

        $sequence_9 = { 90 bffc807c28 1a807c170e81 7cd7 9b 807c909090 90 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   bffc807c28           | mov                 edi, 0x287c80fc
            //   1a807c170e81         | sbb                 al, byte ptr [eax - 0x7ef1e884]
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 

        $sequence_10 = { 8d9524feffff 8bf0 e8???????? 8945f8 }
            // n = 4, score = 200
            //   8d9524feffff         | lea                 edx, [ebp - 0x1dc]
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_11 = { 895df8 8b5df4 8b45f8 3945f0 7412 }
            // n = 5, score = 200
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   3945f0               | cmp                 dword ptr [ebp - 0x10], eax
            //   7412                 | je                  0x14

        $sequence_12 = { 90 90 e10b 96 7c90 90 90 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   e10b                 | loope               0xd
            //   96                   | xchg                eax, esi
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_13 = { 837d1000 740d 8b5508 0355f0 }
            // n = 4, score = 200
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740d                 | je                  0xf
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]

        $sequence_14 = { 83f804 761b 8b0c96 8bc1 2bc7 }
            // n = 5, score = 200
            //   83f804               | cmp                 eax, 4
            //   761b                 | jbe                 0x1d
            //   8b0c96               | mov                 ecx, dword ptr [esi + edx*4]
            //   8bc1                 | mov                 eax, ecx
            //   2bc7                 | sub                 eax, edi

        $sequence_15 = { 8bf9 8b45e8 42 c1e802 3bd0 }
            // n = 5, score = 200
            //   8bf9                 | mov                 edi, ecx
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   42                   | inc                 edx
            //   c1e802               | shr                 eax, 2
            //   3bd0                 | cmp                 edx, eax

        $sequence_16 = { 8a45ec 8802 eb0b 8b4d08 }
            // n = 4, score = 200
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_17 = { 33c0 eb38 8b7228 8bf8 663906 742c 33db }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   eb38                 | jmp                 0x3a
            //   8b7228               | mov                 esi, dword ptr [edx + 0x28]
            //   8bf8                 | mov                 edi, eax
            //   663906               | cmp                 word ptr [esi], ax
            //   742c                 | je                  0x2e
            //   33db                 | xor                 ebx, ebx

        $sequence_18 = { eb0b 8b4d08 034df0 8a55ed }
            // n = 4, score = 200
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034df0               | add                 ecx, dword ptr [ebp - 0x10]
            //   8a55ed               | mov                 dl, byte ptr [ebp - 0x13]

        $sequence_19 = { 6a1f 53 ffd6 6a04 8d45c0 c745c001000000 50 }
            // n = 7, score = 200
            //   6a1f                 | push                0x1f
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   6a04                 | push                4
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   c745c001000000       | mov                 dword ptr [ebp - 0x40], 1
            //   50                   | push                eax

        $sequence_20 = { 7e1e 8a0431 3c20 7608 3c2e 7404 3c2c }
            // n = 7, score = 200
            //   7e1e                 | jle                 0x20
            //   8a0431               | mov                 al, byte ptr [ecx + esi]
            //   3c20                 | cmp                 al, 0x20
            //   7608                 | jbe                 0xa
            //   3c2e                 | cmp                 al, 0x2e
            //   7404                 | je                  6
            //   3c2c                 | cmp                 al, 0x2c

        $sequence_21 = { 90 90 749b 807ce19a80 7c90 90 90 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_22 = { 8975f4 85c0 7505 b301 885dff 84db }
            // n = 6, score = 200
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   b301                 | mov                 bl, 1
            //   885dff               | mov                 byte ptr [ebp - 1], bl
            //   84db                 | test                bl, bl

        $sequence_23 = { 7c90 90 90 90 90 90 90 }
            // n = 7, score = 200
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 

    condition:
        7 of them and filesize < 65536
}