win.cobint

CobInt

aka: COOLPANTS

Actor(s): Cobalt


CobInt is a self-developed backdoor of the Cobalt group. The modular tool can collect initial intelligence about the compromised machine and stream video of its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager. Its CRM mailslot module was also observed being downloaded by ISFB.

References
2020-06-16, PTSecurity, PT ESC Threat Intelligence
@online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} }
Families/actors referenced: CobInt

2020-03-04, CrowdStrike, CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Families/actors referenced: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, Anunak, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-03-03, PWC UK, PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families/actors referenced: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, Axiom

2020, Secureworks, SecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }
Families/actors referenced: More_eggs, ATMSpitter, Cobalt Strike, CobInt, MimiKatz

2020, Secureworks, SecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }
Families/actors referenced: More_eggs, ATMSpitter, Cobalt Strike, CobInt, MimiKatz, Cobalt

2018-09-11, Proofpoint, Proofpoint Staff
@online{staff:20180911:new:14fda4a, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems - Part 3: CobInt}}, date = {2018-09-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint}, language = {English}, urldate = {2019-12-20} }
Families/actors referenced: CobInt

2018-08-30, NetScout, ASERT Team
@online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} }
Families/actors referenced: More_eggs, CobInt

2018-08-30, NetScout, ASERT Team
@online{team:20180830:double:8129db5, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/double-infection-double-fun}, language = {English}, urldate = {2020-01-05} }
Families/actors referenced: CobInt

2018-05-29, Group-IB, Rustam Mirkasymov
@online{mirkasymov:20180529:cobalt:b344169, author = {Rustam Mirkasymov}, title = {{Cobalt Renaissance: new attacks and joint operations}}, date = {2018-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/renaissance}, language = {English}, urldate = {2019-10-22} }
Families/actors referenced: CobInt
Yara Rules
[TLP:WHITE] win_cobint_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cobint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b12 85d2 75c4 eb03 }
            // n = 4, score = 200
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx
            //   75c4                 | jne                 0xffffffc6
            //   eb03                 | jmp                 5

        $sequence_1 = { 8bc1 2bc7 33c3 8bdf }
            // n = 4, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   2bc7                 | sub                 eax, edi
            //   33c3                 | xor                 eax, ebx
            //   8bdf                 | mov                 ebx, edi

        $sequence_2 = { 8b7ddc c645ff01 8b75e4 53 ffd6 eb03 }
            // n = 6, score = 200
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   eb03                 | jmp                 5

        $sequence_3 = { e8???????? 58 83c005 c3 31b7807c30ae }
            // n = 5, score = 200
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   83c005               | add                 eax, 5
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi

        $sequence_4 = { 7531 8bf3 85db 742b 8b5df8 ffb690010000 }
            // n = 6, score = 200
            //   7531                 | jne                 0x33
            //   8bf3                 | mov                 esi, ebx
            //   85db                 | test                ebx, ebx
            //   742b                 | je                  0x2d
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   ffb690010000         | push                dword ptr [esi + 0x190]

        $sequence_5 = { 8bd8 895db4 85db 0f8487010000 }
            // n = 4, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   895db4               | mov                 dword ptr [ebp - 0x4c], ebx
            //   85db                 | test                ebx, ebx
            //   0f8487010000         | je                  0x18d

        $sequence_6 = { 96 7c90 90 90 }
            // n = 4, score = 200
            //   96                   | xchg                eax, esi
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_7 = { 8d460c ff7608 50 ff16 56 e8???????? 83c410 }
            // n = 7, score = 200
            //   8d460c               | lea                 eax, [esi + 0xc]
            //   ff7608               | push                dword ptr [esi + 8]
            //   50                   | push                eax
            //   ff16                 | call                dword ptr [esi]
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_8 = { 55 8bec 837d0c08 7c1f 8b4508 }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   837d0c08             | cmp                 dword ptr [ebp + 0xc], 8
            //   7c1f                 | jl                  0x21
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_9 = { 8d45ec 50 b800a80000 2bc7 50 56 }
            // n = 6, score = 200
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   b800a80000           | mov                 eax, 0xa800
            //   2bc7                 | sub                 eax, edi
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_10 = { 807c909090 90 90 90 }
            // n = 4, score = 200
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_11 = { 59 33db 897304 eb0c ff7704 ff15???????? 215f04 }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   33db                 | xor                 ebx, ebx
            //   897304               | mov                 dword ptr [ebx + 4], esi
            //   eb0c                 | jmp                 0xe
            //   ff7704               | push                dword ptr [edi + 4]
            //   ff15????????         |                     
            //   215f04               | and                 dword ptr [edi + 4], ebx

        $sequence_12 = { 807c909090 90 bdfd807c90 90 }
            // n = 4, score = 200
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   bdfd807c90           | mov                 ebp, 0x907c80fd
            //   90                   | nop                 

        $sequence_13 = { 90 90 749b 807ce19a80 }
            // n = 4, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80

        $sequence_14 = { 56 8b7508 57 33ff 8d86e00a0000 }
            // n = 5, score = 200
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8d86e00a0000         | lea                 eax, [esi + 0xae0]

        $sequence_15 = { c3 31b7807c30ae 807c909090 90 }
            // n = 4, score = 200
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 

        $sequence_16 = { 742c 33db 8a06 8d7602 }
            // n = 4, score = 200
            //   742c                 | je                  0x2e
            //   33db                 | xor                 ebx, ebx
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8d7602               | lea                 esi, [esi + 2]

        $sequence_17 = { 837d1000 740d 8b5508 0355f0 8a45ec 8802 eb0b }
            // n = 7, score = 200
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740d                 | je                  0xf
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd

        $sequence_18 = { 03c3 c1c108 47 8d1c08 }
            // n = 4, score = 200
            //   03c3                 | add                 eax, ebx
            //   c1c108               | rol                 ecx, 8
            //   47                   | inc                 edi
            //   8d1c08               | lea                 ebx, [eax + ecx]

        $sequence_19 = { 90 bffc807c28 1a807c170e81 7cd7 9b 807c909090 90 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   bffc807c28           | mov                 edi, 0x287c80fc
            //   1a807c170e81         | sbb                 al, byte ptr [eax - 0x7ef1e884]
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 

        $sequence_20 = { 8d7001 eb06 803e00 7406 46 803e7c 75f5 }
            // n = 7, score = 200
            //   8d7001               | lea                 esi, [eax + 1]
            //   eb06                 | jmp                 8
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7406                 | je                  8
            //   46                   | inc                 esi
            //   803e7c               | cmp                 byte ptr [esi], 0x7c
            //   75f5                 | jne                 0xfffffff7

        $sequence_21 = { 881406 eb2f c604067a 46 0fbec2 83e819 6bc81a }
            // n = 7, score = 200
            //   881406               | mov                 byte ptr [esi + eax], dl
            //   eb2f                 | jmp                 0x31
            //   c604067a             | mov                 byte ptr [esi + eax], 0x7a
            //   46                   | inc                 esi
            //   0fbec2               | movsx               eax, dl
            //   83e819               | sub                 eax, 0x19
            //   6bc81a               | imul                ecx, eax, 0x1a

        $sequence_22 = { 56 ff7510 895df8 890b 8a4d0c 884b04 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   890b                 | mov                 dword ptr [ebx], ecx
            //   8a4d0c               | mov                 cl, byte ptr [ebp + 0xc]
            //   884b04               | mov                 byte ptr [ebx + 4], cl

        $sequence_23 = { 8945d4 85c0 0f8444020000 ba5953df81 8bcf e8???????? }
            // n = 6, score = 200
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   85c0                 | test                eax, eax
            //   0f8444020000         | je                  0x24a
            //   ba5953df81           | mov                 edx, 0x81df5359
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 65536
}