Severity
High
Analysis Summary
The Cobalt group has resurfaced, with activity targeting specific customers and using phishing emails to deliver malicious URLs. The observed infection chain is:
- CobInt Downloader (EXE) -> Polymorphic Encrypted Data (DLL, the CobInt malware) -> Final Payload
Indicators of Compromise
IP(s) / Hostname(s)
- 193.33.61[.]170
- 144.202.59[.]44
- 192.42.119[.]41
- 45.72.3[.]177
URLs
Email Address
- eva.olofsson[@]dskbank[.]uk
- jan.larsson[@]dskbank[.]uk
- christoph.danz[@]dskbank[.]uk
- info[@]dskbank[.]uk
Malware Hash (MD5/SHA1/SHA256)
Remediation
- Block the threat indicators at the respective controls (proxy, firewall, mail gateway, endpoint).
- Always be suspicious of emails from unknown senders.
- Never click on attachments or links sent by unknown senders.
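The indicators above are published defanged (hxxp, [.], [@]), so before they can be blocked or searched for they must be refanged and reduced to a host or IP key. The following is an added example, not part of the advisory: it refangs a handful of the indicators listed above, builds a blocklist of hosts, and runs it over a few constructed proxy log lines (the log format is an assumption).

```python
import re

# A few of the defanged indicators exactly as the advisory prints them.
DEFANGED_IOCS = [
    "hxxps://ciscoupdt[.]com/woiexjaavl",
    "dskbank[.]nl",
    "193.33.61[.]170",
    "info[@]dskbank[.]uk",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its machine-usable form."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")

def indicator_key(ioc: str) -> str:
    """Reduce a URL, hostname, IP or email address to the host/IP used for matching.
    An email indicator is reduced to its sender domain (an assumption about how
    the mail gateway will block it)."""
    s = refang(ioc)
    if "@" in s:
        s = s.rsplit("@", 1)[1]
    s = re.sub(r"^https?://", "", s, flags=re.I)
    return s.split("/", 1)[0].lower()

def build_blocklist(iocs):
    return {indicator_key(i) for i in iocs}

# Constructed proxy log lines (not from the advisory):
# timestamp client host path action
SAMPLE_LOG = """\
2018-09-01T10:15:02Z 10.0.0.5 ciscoupdt.com /woiexjaavl ALLOW
2018-09-01T10:15:09Z 10.0.0.7 www.example.org /index.html ALLOW
2018-09-01T10:16:30Z 10.0.0.5 193.33.61.170 /update ALLOW
2018-09-01T10:17:44Z 10.0.0.9 dskbank.nl /invoice/notepad.exe ALLOW
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def find_hits(log_text: str, blocklist):
    """Return (timestamp, client, host) for every log line whose host is an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, host, _path, _action = m.groups()
        if host.lower() in blocklist:
            hits.append((ts, client, host))
    return hits
```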