win.cobint

CobInt

aka: COOLPANTS

Actor(s): Cobalt


CobInt is a backdoor developed in-house by the Cobalt group. The modular tool can collect initial reconnaissance information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike stager. Its CRM mailslot module was also observed being downloaded by ISFB.

References
2020-06-16 | PTSecurity | PT ESC Threat Intelligence | Cobalt: tactics and tools update
    Related: CobInt
2020-03-04 | CrowdStrike | CrowdStrike | 2020 CrowdStrike Global Threat Report
    Related: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, Vidar, Winnti, ANTHROPOID SPIDER, APT23, APT31, APT39, APT40, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, GOBLIN PANDA, MONTY SPIDER, MUSTANG PANDA, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER, VICEROY TIGER
2020-03-03 | PWC UK | PWC UK | Cyber Threats 2019: A Year in Retrospect
    Related: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle
2020-01-01 | Secureworks | SecureWorks | GOLD KINGSWOOD
    Related: More_eggs, ATMSpitter, Cobalt Strike, CobInt, MimiKatz, Cobalt
2018-09-11 | Proofpoint | Proofpoint Staff | New modular downloaders fingerprint systems - Part 3: CobInt
    Related: CobInt
2018-08-30 | NetScout | ASERT Team | Double the Infection, Double the Fun
    Related: More_eggs, CobInt
2018-05-29 | Group-IB | Rustam Mirkasymov | Cobalt Renaissance: new attacks and joint operations
    Related: CobInt
Yara Rules
[TLP:WHITE] win_cobint_auto (20260504 | Detects win.cobint.)
rule win_cobint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cobint."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4508 8945e8 85c0 7470 2175fc }
            // n = 5, score = 400
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   85c0                 | test                eax, eax
            //   7470                 | je                  0x72
            //   2175fc               | and                 dword ptr [ebp - 4], esi

        $sequence_1 = { c3 55 8bec 8a4d0c 56 8b7508 880e }
            // n = 7, score = 400
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8a4d0c               | mov                 cl, byte ptr [ebp + 0xc]
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   880e                 | mov                 byte ptr [esi], cl

        $sequence_2 = { 55 8bec 836d0c01 7507 6a00 }
            // n = 5, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   836d0c01             | sub                 dword ptr [ebp + 0xc], 1
            //   7507                 | jne                 9
            //   6a00                 | push                0

        $sequence_3 = { 8b7d10 57 e8???????? 57 ff750c }
            // n = 5, score = 400
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   57                   | push                edi
            //   e8????????           |                     
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_4 = { 8b0d???????? a1???????? 893cc1 a1???????? 8b0d???????? 8974c804 }
            // n = 6, score = 400
            //   8b0d????????         |                     
            //   a1????????           |                     
            //   893cc1               | mov                 dword ptr [ecx + eax*8], edi
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   8974c804             | mov                 dword ptr [eax + ecx*8 + 4], esi

        $sequence_5 = { c745f404000000 50 8d4508 50 }
            // n = 4, score = 400
            //   c745f404000000       | mov                 dword ptr [ebp - 0xc], 4
            //   50                   | push                eax
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax

        $sequence_6 = { 56 ff15???????? 85c0 7412 814d0880330000 8d4508 }
            // n = 6, score = 400
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   814d0880330000       | or                  dword ptr [ebp + 8], 0x3380
            //   8d4508               | lea                 eax, [ebp + 8]

        $sequence_7 = { 8b7d08 6a40 6800300000 ff7708 }
            // n = 4, score = 400
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   6a40                 | push                0x40
            //   6800300000           | push                0x3000
            //   ff7708               | push                dword ptr [edi + 8]

        $sequence_8 = { 8a45ec 8802 eb0b 8b4d08 034df0 8a55ed 8811 }
            // n = 7, score = 200
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034df0               | add                 ecx, dword ptr [ebp - 0x10]
            //   8a55ed               | mov                 dl, byte ptr [ebp - 0x13]
            //   8811                 | mov                 byte ptr [ecx], dl

        $sequence_9 = { e10b 96 7c90 90 }
            // n = 4, score = 200
            //   e10b                 | loope               0xd
            //   96                   | xchg                eax, esi
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 

        $sequence_10 = { 7505 b301 885dff 84db 0f8477fdffff 5f 5e }
            // n = 7, score = 200
            //   7505                 | jne                 7
            //   b301                 | mov                 bl, 1
            //   885dff               | mov                 byte ptr [ebp - 1], bl
            //   84db                 | test                bl, bl
            //   0f8477fdffff         | je                  0xfffffd7d
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_11 = { c3 31b7807c30ae 807c909090 90 bdfd807c90 90 90 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 
            //   bdfd807c90           | mov                 ebp, 0x907c80fd
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_12 = { 90 bffc807c28 1a807c170e81 7cd7 9b 807c909090 90 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   bffc807c28           | mov                 edi, 0x287c80fc
            //   1a807c170e81         | sbb                 al, byte ptr [eax - 0x7ef1e884]
            //   7cd7                 | jl                  0xffffffd9
            //   9b                   | wait                
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90
            //   90                   | nop                 

        $sequence_13 = { 8b7228 8bf8 663906 742c 33db 8a06 }
            // n = 6, score = 200
            //   8b7228               | mov                 esi, dword ptr [edx + 0x28]
            //   8bf8                 | mov                 edi, eax
            //   663906               | cmp                 word ptr [esi], ax
            //   742c                 | je                  0x2e
            //   33db                 | xor                 ebx, ebx
            //   8a06                 | mov                 al, byte ptr [esi]

        $sequence_14 = { 740d 8b5508 0355f0 8a45ec 8802 eb0b }
            // n = 6, score = 200
            //   740d                 | je                  0xf
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   8a45ec               | mov                 al, byte ptr [ebp - 0x14]
            //   8802                 | mov                 byte ptr [edx], al
            //   eb0b                 | jmp                 0xd

        $sequence_15 = { 885dff 8d45d0 c745d090010000 50 8d8524feffff 50 }
            // n = 6, score = 200
            //   885dff               | mov                 byte ptr [ebp - 1], bl
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   c745d090010000       | mov                 dword ptr [ebp - 0x30], 0x190
            //   50                   | push                eax
            //   8d8524feffff         | lea                 eax, [ebp - 0x1dc]
            //   50                   | push                eax

        $sequence_16 = { 90 90 749b 807ce19a80 7c90 90 90 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   749b                 | je                  0xffffff9d
            //   807ce19a80           | cmp                 byte ptr [ecx - 0x66], 0x80
            //   7c90                 | jl                  0xffffff92
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_17 = { 51 51 51 8d8524feffff }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8d8524feffff         | lea                 eax, [ebp - 0x1dc]

        $sequence_18 = { 8b12 85d2 75c4 eb03 8b4210 ba2d5f6af8 8945e0 }
            // n = 7, score = 200
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx
            //   75c4                 | jne                 0xffffffc6
            //   eb03                 | jmp                 5
            //   8b4210               | mov                 eax, dword ptr [edx + 0x10]
            //   ba2d5f6af8           | mov                 edx, 0xf86a5f2d
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        $sequence_19 = { 8b75e4 ff75d8 ffd6 8a5dff eb03 8b75e4 ff75d4 }
            // n = 7, score = 200
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   ffd6                 | call                esi
            //   8a5dff               | mov                 bl, byte ptr [ebp - 1]
            //   eb03                 | jmp                 5
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   ff75d4               | push                dword ptr [ebp - 0x2c]

        $sequence_20 = { e8???????? 58 83c005 c3 31b7807c30ae 807c909090 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   83c005               | add                 eax, 5
            //   c3                   | ret                 
            //   31b7807c30ae         | xor                 dword ptr [edi - 0x51cf8380], esi
            //   807c909090           | cmp                 byte ptr [eax + edx*4 - 0x70], 0x90

        $sequence_21 = { 8bc8 e8???????? 8d9524feffff 8945cc }
            // n = 4, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d9524feffff         | lea                 edx, [ebp - 0x1dc]
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax

        $sequence_22 = { 8bdf 890496 8bf9 8b45e8 42 c1e802 3bd0 }
            // n = 7, score = 200
            //   8bdf                 | mov                 ebx, edi
            //   890496               | mov                 dword ptr [esi + edx*4], eax
            //   8bf9                 | mov                 edi, ecx
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   42                   | inc                 edx
            //   c1e802               | shr                 eax, 2
            //   3bd0                 | cmp                 edx, eax

        $sequence_23 = { bdfd807c90 90 90 90 90 90 90 }
            // n = 7, score = 200
            //   bdfd807c90           | mov                 ebp, 0x907c80fd
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 

    condition:
        7 of them and filesize < 65536
}