SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cobint (Back to overview)

CobInt

aka: COOLPANTS

Actor(s): Cobalt

CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager. It's CRM mailslot module was also observed being downloaded by ISFB.

References
2020-06-16PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} } Cobalt: tactics and tools update
CobInt
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020SecureworksSecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2018-09-11ProofpointProofpoint Staff
@online{staff:20180911:new:14fda4a, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems - Part 3: CobInt}}, date = {2018-09-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint}, language = {English}, urldate = {2019-12-20} } New modular downloaders fingerprint systems - Part 3: CobInt
CobInt
2018-08-30NetScoutASERT Team
@online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} } Double the Infection, Double the Fun
More_eggs CobInt
2018-08-30NetScoutASERT Team
@online{team:20180830:double:8129db5, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/double-infection-double-fun}, language = {English}, urldate = {2020-01-05} } Double the Infection, Double the Fun
CobInt
2018-05-29Group-IBRustam Mirkasymov
@online{mirkasymov:20180529:cobalt:b344169, author = {Rustam Mirkasymov}, title = {{Cobalt Renaissance: new attacks and joint operations}}, date = {2018-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/renaissance}, language = {English}, urldate = {2019-10-22} } Cobalt Renaissance: new attacks and joint operations
CobInt
Yara Rules
[TLP:WHITE] win_cobint_auto (20230808 | Detects win.cobint.)
rule win_cobint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cobint."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c410 5e 5d c3 a1???????? 56 33f6 }
            // n = 7, score = 400
            //   83c410               | add                 esp, 0x10
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   a1????????           |                     
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi

        $sequence_1 = { 3931 740d 40 83c110 83f820 }
            // n = 5, score = 400
            //   3931                 | cmp                 dword ptr [ecx], esi
            //   740d                 | je                  0xf
            //   40                   | inc                 eax
            //   83c110               | add                 ecx, 0x10
            //   83f820               | cmp                 eax, 0x20

        $sequence_2 = { 57 ff15???????? 8b15???????? 8bc6 8bca }
            // n = 5, score = 400
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b15????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   8bca                 | mov                 ecx, edx

        $sequence_3 = { ff7508 e8???????? 83c40c 0fb6c0 5d c3 ff751c }
            // n = 7, score = 400
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   0fb6c0               | movzx               eax, al
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff751c               | push                dword ptr [ebp + 0x1c]

        $sequence_4 = { 33f6 a1???????? 03c6 3938 }
            // n = 4, score = 400
            //   33f6                 | xor                 esi, esi
            //   a1????????           |                     
            //   03c6                 | add                 eax, esi
            //   3938                 | cmp                 dword ptr [eax], edi

        $sequence_5 = { ffd6 f7d8 c745f404000000 1bc0 }
            // n = 4, score = 400
            //   ffd6                 | call                esi
            //   f7d8                 | neg                 eax
            //   c745f404000000       | mov                 dword ptr [ebp - 0xc], 4
            //   1bc0                 | sbb                 eax, eax

        $sequence_6 = { 6a65 eb31 85db 743a 3bde 7336 53 }
            // n = 7, score = 400
            //   6a65                 | push                0x65
            //   eb31                 | jmp                 0x33
            //   85db                 | test                ebx, ebx
            //   743a                 | je                  0x3c
            //   3bde                 | cmp                 ebx, esi
            //   7336                 | jae                 0x38
            //   53                   | push                ebx

        $sequence_7 = { 59 5d c3 ff7508 6a00 ff35???????? }
            // n = 6, score = 400
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   ff35????????         |                     

        $sequence_8 = { 90 90 e10b 96 7c90 90 }
            // n = 6, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   e10b                 | loope               0xd
            //   96                   | xchg                eax, esi
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 

        $sequence_9 = { 90 90 749b 807ce19a80 7c90 }
            // n = 5, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80
            //   7c90                 | jl                  0xffffff92

        $sequence_10 = { 807c909090 90 90 90 90 90 }
            // n = 6, score = 200
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_11 = { 3c2e 7404 3c2c 7506 41 8a0431 2c20 }
            // n = 7, score = 200
            //   3c2e                 | cmp                 al, 0x2e
            //   7404                 | je                  6
            //   3c2c                 | cmp                 al, 0x2c
            //   7506                 | jne                 8
            //   41                   | inc                 ecx
            //   8a0431               | mov                 al, byte ptr [ecx + esi]
            //   2c20                 | sub                 al, 0x20

        $sequence_12 = { ffd6 6a04 8d45c0 c745c001000000 }
            // n = 4, score = 200
            //   ffd6                 | call                esi
            //   6a04                 | push                4
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   c745c001000000       | mov                 dword ptr [ebp - 0x40], 1

        $sequence_13 = { 7202 04e0 8bcf 0fb6c0 c1c108 03c7 }
            // n = 6, score = 200
            //   7202                 | jb                  4
            //   04e0                 | add                 al, 0xe0
            //   8bcf                 | mov                 ecx, edi
            //   0fb6c0               | movzx               eax, al
            //   c1c108               | rol                 ecx, 8
            //   03c7                 | add                 eax, edi

        $sequence_14 = { c745c001000000 50 6a41 53 ffd6 baf608f7a4 }
            // n = 6, score = 200
            //   c745c001000000       | mov                 dword ptr [ebp - 0x40], 1
            //   50                   | push                eax
            //   6a41                 | push                0x41
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   baf608f7a4           | mov                 edx, 0xa4f708f6

        $sequence_15 = { 837d1000 740d 8b5508 0355f0 }
            // n = 4, score = 200
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740d                 | je                  0xf
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]

        $sequence_16 = { 0355f0 8a45ec 8802 eb0b 8b4d08 034df0 8a55ed }
            // n = 7, score = 200
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034df0               | add                 ecx, dword ptr [ebp - 0x10]
            //   8a55ed               | mov                 dl, byte ptr [ebp - 0x13]

        $sequence_17 = { 83c005 c3 31b7807c30ae 807c909090 90 bdfd807c90 90 }
            // n = 7, score = 200
            //   83c005               | add                 eax, 5
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   bdfd807c90           | mov                 ebp, 0x907c80fd
            //   90                   | nop                 

        $sequence_18 = { 3bcf 7ce2 8b4dbc 8d9524feffff e8???????? 8d8524feffff 50 }
            // n = 7, score = 200
            //   3bcf                 | cmp                 ecx, edi
            //   7ce2                 | jl                  0xffffffe4
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]
            //   8d9524feffff         | lea                 edx, [ebp - 0x1dc]
            //   e8????????           |                     
            //   8d8524feffff         | lea                 eax, [ebp - 0x1dc]
            //   50                   | push                eax

        $sequence_19 = { 8d3c08 66391e 75e3 8b5df4 }
            // n = 4, score = 200
            //   8d3c08               | lea                 edi, [eax + ecx]
            //   66391e               | cmp                 word ptr [esi], bx
            //   75e3                 | jne                 0xffffffe5
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]

        $sequence_20 = { 749b 807ce19a80 7c90 90 90 90 }
            // n = 6, score = 200
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_21 = { 8bcf 8bf0 e8???????? 8945f8 8d45c4 50 8d45f0 }
            // n = 7, score = 200
            //   8bcf                 | mov                 ecx, edi
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45c4               | lea                 eax, [ebp - 0x3c]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_22 = { 90 90 bffc807c28 1a807c170e81 7cd7 9b }
            // n = 6, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   bffc807c28           | mov                 edi, 0x287c80fc
            //   1a807c170e81         | sbb                 al, byte ptr [eax - 0x7ef1e884]
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                

        $sequence_23 = { 8b75f8 85c0 7412 814df080330000 8d45f0 6a04 50 }
            // n = 7, score = 200
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   814df080330000       | or                  dword ptr [ebp - 0x10], 0x3380
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   6a04                 | push                4
            //   50                   | push                eax

    condition:
        7 of them and filesize < 65536
}
Download all Yara Rules