win.cobint

CobInt

aka: COOLPANTS

Actor(s): Cobalt


CobInt is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence about the compromised machine and to stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager. Its CRM mailslot module was also observed being downloaded by ISFB.

References
2020-06-16 | PTSecurity | PT ESC Threat Intelligence: "Cobalt: tactics and tools update". https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/ (retrieved 2020-06-16)
Families: CobInt

2020-03-04 | CrowdStrike | CrowdStrike: "2020 CrowdStrike Global Threat Report". https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf (retrieved 2020-07-24)
Families: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti
Actors: ANTHROPOID SPIDER, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, Pirate Panda, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-03-03 | PWC UK | PWC UK: "Cyber Threats 2019: A Year in Retrospect". https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf (retrieved 2020-03-03)
Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare
Actors: Axiom

2020 | Secureworks | SecureWorks: "GOLD KINGSWOOD". https://www.secureworks.com/research/threat-profiles/gold-kingswood (also listed as http://www.secureworks.com/research/threat-profiles/gold-kingswood; retrieved 2020-05-23)
Families: More_eggs, ATMSpitter, Cobalt Strike, CobInt, MimiKatz
Actors: Cobalt

2018-09-11 | Proofpoint | Proofpoint Staff: "New modular downloaders fingerprint systems - Part 3: CobInt". https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint (retrieved 2019-12-20)
Families: CobInt

2018-08-30 | NetScout | ASERT Team: "Double the Infection, Double the Fun". https://asert.arbornetworks.com/double-the-infection-double-the-fun/ (retrieved 2020-01-08); also at https://www.netscout.com/blog/asert/double-infection-double-fun (retrieved 2020-01-05)
Families: More_eggs, CobInt

2018-05-29 | Group-IB | Rustam Mirkasymov: "Cobalt Renaissance: new attacks and joint operations". https://www.group-ib.com/blog/renaissance (retrieved 2019-10-22)
Families: CobInt
Yara Rules
[TLP:WHITE] win_cobint_auto (20210616 | Detects win.cobint.)
rule win_cobint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.cobint."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 53 53 53 53 56 ff15???????? 8907 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8907                 | mov                 dword ptr [edi], eax

        $sequence_1 = { 50 ffd1 8b45e8 33d2 8b3e 83e0fc 42 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ffd1                 | call                ecx
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   33d2                 | xor                 edx, edx
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   83e0fc               | and                 eax, 0xfffffffc
            //   42                   | inc                 edx

        $sequence_2 = { 56 57 e8???????? 6a40 8bf8 }
            // n = 5, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   6a40                 | push                0x40
            //   8bf8                 | mov                 edi, eax

        $sequence_3 = { 90 90 e10b 96 }
            // n = 4, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   e10b                 | loope               0xd
            //   96                   | xchg                eax, esi

        $sequence_4 = { 6a00 ff55cc ba043d8209 8bcf e8???????? 33c9 51 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   ff55cc               | call                dword ptr [ebp - 0x34]
            //   ba043d8209           | mov                 edx, 0x9823d04
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   51                   | push                ecx

        $sequence_5 = { ba96dc0257 8bc8 e8???????? 8d9524feffff 8945cc 8bce }
            // n = 6, score = 200
            //   ba96dc0257           | mov                 edx, 0x5702dc96
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d9524feffff         | lea                 edx, dword ptr [ebp - 0x1dc]
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   8bce                 | mov                 ecx, esi

        $sequence_6 = { 837d1000 740d 8b5508 0355f0 8a45ec 8802 }
            // n = 6, score = 200
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740d                 | je                  0xf
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al

        $sequence_7 = { ba86f967b4 8bcf 8bf0 e8???????? 8945f8 }
            // n = 5, score = 200
            //   ba86f967b4           | mov                 edx, 0xb467f986
            //   8bcf                 | mov                 ecx, edi
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_8 = { 0f8cff000000 56 8b31 2bc3 }
            // n = 4, score = 200
            //   0f8cff000000         | jl                  0x105
            //   56                   | push                esi
            //   8b31                 | mov                 esi, dword ptr [ecx]
            //   2bc3                 | sub                 eax, ebx

        $sequence_9 = { 90 e10b 96 7c90 90 90 }
            // n = 6, score = 200
            //   90                   | nop                 
            //   e10b                 | loope               0xd
            //   96                   | xchg                eax, esi
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_10 = { 90 749b 807ce19a80 7c90 90 90 }
            // n = 6, score = 200
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_11 = { ff75d4 ffd6 8945d8 85c0 0f84d8010000 }
            // n = 5, score = 200
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   ffd6                 | call                esi
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   85c0                 | test                eax, eax
            //   0f84d8010000         | je                  0x1de

        $sequence_12 = { e8???????? 58 83c005 c3 31b7807c30ae 807c909090 90 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   83c005               | add                 eax, 5
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 

        $sequence_13 = { 8902 8b450c 894204 8b01 894208 8b4104 89420c }
            // n = 7, score = 200
            //   8902                 | mov                 dword ptr [edx], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   894204               | mov                 dword ptr [edx + 4], eax
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   894208               | mov                 dword ptr [edx + 8], eax
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   89420c               | mov                 dword ptr [edx + 0xc], eax

        $sequence_14 = { 7cd7 9b 807c909090 90 90 }
            // n = 5, score = 200
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_15 = { 59 57 57 85f6 751d 6a66 }
            // n = 6, score = 200
            //   59                   | pop                 ecx
            //   57                   | push                edi
            //   57                   | push                edi
            //   85f6                 | test                esi, esi
            //   751d                 | jne                 0x1f
            //   6a66                 | push                0x66

        $sequence_16 = { 03c7 8d3c08 66391e 75e3 8b5df4 81ffea968891 }
            // n = 6, score = 200
            //   03c7                 | add                 eax, edi
            //   8d3c08               | lea                 edi, dword ptr [eax + ecx]
            //   66391e               | cmp                 word ptr [esi], bx
            //   75e3                 | jne                 0xffffffe5
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   81ffea968891         | cmp                 edi, 0x918896ea

        $sequence_17 = { 75f3 6b8edc0a000032 668b4510 5f 5b 668984317c090000 }
            // n = 6, score = 200
            //   75f3                 | jne                 0xfffffff5
            //   6b8edc0a000032       | imul                ecx, dword ptr [esi + 0xadc], 0x32
            //   668b4510             | mov                 ax, word ptr [ebp + 0x10]
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   668984317c090000     | mov                 word ptr [ecx + esi + 0x97c], ax

        $sequence_18 = { 8802 eb0b 8b4d08 034df0 8a55ed 8811 }
            // n = 6, score = 200
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034df0               | add                 ecx, dword ptr [ebp - 0x10]
            //   8a55ed               | mov                 dl, byte ptr [ebp - 0x13]
            //   8811                 | mov                 byte ptr [ecx], dl

        $sequence_19 = { 90 90 90 749b }
            // n = 4, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d

        $sequence_20 = { 895df8 8b5df4 8b45f8 3945f0 7412 }
            // n = 5, score = 200
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   3945f0               | cmp                 dword ptr [ebp - 0x10], eax
            //   7412                 | je                  0x14

        $sequence_21 = { 8acb 8a1407 d2ea eb2a }
            // n = 4, score = 200
            //   8acb                 | mov                 cl, bl
            //   8a1407               | mov                 dl, byte ptr [edi + eax]
            //   d2ea                 | shr                 dl, cl
            //   eb2a                 | jmp                 0x2c

        $sequence_22 = { e8???????? 8b4dfc 33ff 83c424 8bd7 8d040b 884c3009 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33ff                 | xor                 edi, edi
            //   83c424               | add                 esp, 0x24
            //   8bd7                 | mov                 edx, edi
            //   8d040b               | lea                 eax, dword ptr [ebx + ecx]
            //   884c3009             | mov                 byte ptr [eax + esi + 9], cl

        $sequence_23 = { 2c20 41 880433 43 3bcf }
            // n = 5, score = 200
            //   2c20                 | sub                 al, 0x20
            //   41                   | inc                 ecx
            //   880433               | mov                 byte ptr [ebx + esi], al
            //   43                   | inc                 ebx
            //   3bcf                 | cmp                 ecx, edi

    condition:
        7 of them and filesize < 65536
}