Skip to content

S0338 Cobian RAT

Cobian RAT is a backdoor, remote access tool that has been observed since 2016.1

Item Value
ID S0338
Associated Names
Type MALWARE
Version 1.1
Created 29 January 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS Cobian RAT uses DNS for C2.1
enterprise T1123 Audio Capture Cobian RAT has a feature to perform voice recording on the victim’s machine.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Cobian RAT creates an autostart Registry key to ensure persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Cobian RAT can launch a remote command shell interface for executing commands.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Cobian RAT obfuscates communications with the C2 server using Base64 encoding.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Cobian RAT has a feature to perform keylogging on the victim’s machine.1
enterprise T1113 Screen Capture Cobian RAT has a feature to perform screen capture.1
enterprise T1125 Video Capture Cobian RAT has a feature to access the webcam on the victim’s machine.1

References