win.cobint

CobInt

aka: COOLPANTS

Actor(s): Cobalt


CobInt is a backdoor developed in-house by the Cobalt group. The modular tool collects initial reconnaissance information about the compromised machine and can stream video of its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager. Its CRM mailslot module has also been observed being downloaded by ISFB.

References
2020-06-16 | PTSecurity | PT ESC Threat Intelligence
@online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} }
Covers: CobInt

2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Covers: MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Covers: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }
Covers: More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz

2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} }
Covers: More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt

2018-09-11 | Proofpoint | Proofpoint Staff
@online{staff:20180911:new:14fda4a, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems - Part 3: CobInt}}, date = {2018-09-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint}, language = {English}, urldate = {2019-12-20} }
Covers: CobInt

2018-08-30 | NetScout | ASERT Team
@online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} }
Covers: More_eggs CobInt

2018-08-30 | NetScout | ASERT Team
@online{team:20180830:double:8129db5, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/double-infection-double-fun}, language = {English}, urldate = {2020-01-05} }
Covers: CobInt

2018-05-29 | Group-IB | Rustam Mirkasymov
@online{mirkasymov:20180529:cobalt:b344169, author = {Rustam Mirkasymov}, title = {{Cobalt Renaissance: new attacks and joint operations}}, date = {2018-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/renaissance}, language = {English}, urldate = {2019-10-22} }
Covers: CobInt

Yara Rules
[TLP:WHITE] win_cobint_auto (20220411 | Detects win.cobint.)
rule win_cobint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.cobint."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8bd0 85d2 7504 32c0 5d }
            // n = 6, score = 400
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   85d2                 | test                edx, edx
            //   7504                 | jne                 6
            //   32c0                 | xor                 al, al
            //   5d                   | pop                 ebp

        $sequence_1 = { 740f ff740604 e8???????? a1???????? }
            // n = 4, score = 400
            //   740f                 | je                  0x11
            //   ff740604             | push                dword ptr [esi + eax + 4]
            //   e8????????           |                     
            //   a1????????           |                     

        $sequence_2 = { c3 56 be00020000 56 e8???????? 56 }
            // n = 6, score = 400
            //   c3                   | ret                 
            //   56                   | push                esi
            //   be00020000           | mov                 esi, 0x200
            //   56                   | push                esi
            //   e8????????           |                     
            //   56                   | push                esi

        $sequence_3 = { 8b08 8b4004 3bc8 7f13 85c9 780f }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   3bc8                 | cmp                 ecx, eax
            //   7f13                 | jg                  0x15
            //   85c9                 | test                ecx, ecx
            //   780f                 | js                  0x11

        $sequence_4 = { 0f8495000000 8b4508 83c008 50 e8???????? }
            // n = 5, score = 400
            //   0f8495000000         | je                  0x9b
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c008               | add                 eax, 8
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_5 = { ff7604 8d460c ff7608 50 }
            // n = 4, score = 400
            //   ff7604               | push                dword ptr [esi + 4]
            //   8d460c               | lea                 eax, dword ptr [esi + 0xc]
            //   ff7608               | push                dword ptr [esi + 8]
            //   50                   | push                eax

        $sequence_6 = { 83f904 7c52 56 8b7001 83e904 0fb6d2 }
            // n = 6, score = 400
            //   83f904               | cmp                 ecx, 4
            //   7c52                 | jl                  0x54
            //   56                   | push                esi
            //   8b7001               | mov                 esi, dword ptr [eax + 1]
            //   83e904               | sub                 ecx, 4
            //   0fb6d2               | movzx               edx, dl

        $sequence_7 = { 55 8bec 836d0c01 7507 }
            // n = 4, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   836d0c01             | sub                 dword ptr [ebp + 0xc], 1
            //   7507                 | jne                 9

        $sequence_8 = { 50 6a03 50 50 68bb010000 8d8524feffff 50 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   6a03                 | push                3
            //   50                   | push                eax
            //   50                   | push                eax
            //   68bb010000           | push                0x1bb
            //   8d8524feffff         | lea                 eax, dword ptr [ebp - 0x1dc]
            //   50                   | push                eax

        $sequence_9 = { e8???????? 6a00 6a00 8bc8 897de8 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8bc8                 | mov                 ecx, eax
            //   897de8               | mov                 dword ptr [ebp - 0x18], edi

        $sequence_10 = { 83c005 c3 31b7807c30ae 807c909090 90 bdfd807c90 90 }
            // n = 7, score = 200
            //   83c005               | add                 eax, 5
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   bdfd807c90           | mov                 ebp, 0x907c80fd
            //   90                   | nop                 

        $sequence_11 = { 0355f0 8a45ec 8802 eb0b 8b4d08 034df0 8a55ed }
            // n = 7, score = 200
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034df0               | add                 ecx, dword ptr [ebp - 0x10]
            //   8a55ed               | mov                 dl, byte ptr [ebp - 0x13]

        $sequence_12 = { 837d1000 740d 8b5508 0355f0 8a45ec 8802 }
            // n = 6, score = 200
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740d                 | je                  0xf
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al

        $sequence_13 = { 1a807c170e81 7cd7 9b 807c909090 90 90 90 }
            // n = 7, score = 200
            //   1a807c170e81         | sbb                 al, byte ptr [eax - 0x7ef1e884]
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_14 = { 6800300000 6800a80000 6a00 ffd0 8b4ddc bab1c50790 }
            // n = 6, score = 200
            //   6800300000           | push                0x3000
            //   6800a80000           | push                0xa800
            //   6a00                 | push                0
            //   ffd0                 | call                eax
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   bab1c50790           | mov                 edx, 0x9007c5b1

        $sequence_15 = { 33d2 57 8b463c 8b5c3078 03de }
            // n = 5, score = 200
            //   33d2                 | xor                 edx, edx
            //   57                   | push                edi
            //   8b463c               | mov                 eax, dword ptr [esi + 0x3c]
            //   8b5c3078             | mov                 ebx, dword ptr [eax + esi + 0x78]
            //   03de                 | add                 ebx, esi

        $sequence_16 = { 8d45c0 c745c001000000 50 6a41 53 }
            // n = 5, score = 200
            //   8d45c0               | lea                 eax, dword ptr [ebp - 0x40]
            //   c745c001000000       | mov                 dword ptr [ebp - 0x40], 1
            //   50                   | push                eax
            //   6a41                 | push                0x41
            //   53                   | push                ebx

        $sequence_17 = { 90 e10b 96 7c90 90 }
            // n = 5, score = 200
            //   90                   | nop                 
            //   e10b                 | loope               0xd
            //   96                   | xchg                eax, esi
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 

        $sequence_18 = { 90 90 90 bffc807c28 1a807c170e81 7cd7 9b }
            // n = 7, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   bffc807c28           | mov                 edi, 0x287c80fc
            //   1a807c170e81         | sbb                 al, byte ptr [eax - 0x7ef1e884]
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                

        $sequence_19 = { 749b 807ce19a80 7c90 90 }
            // n = 4, score = 200
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 

        $sequence_20 = { 8b7ddc c645ff01 8b75e4 53 ffd6 }
            // n = 5, score = 200
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   53                   | push                ebx
            //   ffd6                 | call                esi

        $sequence_21 = { 55 8bec 8b4504 2d11000000 5d }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4504               | mov                 eax, dword ptr [ebp + 4]
            //   2d11000000           | sub                 eax, 0x11
            //   5d                   | pop                 ebp

        $sequence_22 = { 90 90 749b 807ce19a80 }
            // n = 4, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80

        $sequence_23 = { 0f8477fdffff 5f 5e 33c0 5b 8be5 }
            // n = 6, score = 200
            //   0f8477fdffff         | je                  0xfffffd7d
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

    condition:
        7 of them and filesize < 65536
}