Proof Cobalt installs a Bitcoin miner
Discussion on Proof Cobalt installs a Bitcoin miner within the Call of Duty forum part of the Popular Games category.
05/03/2022, 23:08
|
#1
|
elite*gold: 24
Join Date: Jul 2020
Posts: 29
Received Thanks: 24
|
Proof Cobalt installs a Bitcoin miner
So, after injecting Cobalt, Cobalt creates a file called drm.exe located in C:\ProgramData\AMD. Also to note, I don't have AMD. So, I decided to reverse this EXE file.
So, I opened DRM.exe in IDA and waited for it to decompile completely. Next I pressed Shift+F12 (View All Strings); as shown below, I find PhoenixMiner.exe.
Proof of DRM.exe being a Bitcoin miner. VMProtect didn't do much for hiding this string.
This is proof of Cobalt taking advantage of their users & their GPUs! Do not waste any money on Cobalt! Avoid at all costs!
|
|
|
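The string search described in post #1 (IDA's Shift+F12 view), written as a small triage script; this is an added example, not code from the thread. It covers both ASCII and UTF-16LE strings and reports offsets; the stratum indicators, the function names and the sample bytes are assumptions constructed for illustration.

```python
"""Strings triage for a suspect executable (added example, constructed sample)."""
import re
import sys

MIN_LEN = 5  # shortest run reported, like the minimum length in a strings view

# "phoenixminer" is the string reported in the post. The stratum URI schemes
# are an assumption added here: they are commonly used by pool-mining clients.
INDICATORS = ("phoenixminer", "stratum+tcp://", "stratum+ssl://")

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each byte followed by 0x00), which Windows binaries often use.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data):
    """Yield (offset, encoding, text) for every printable run in data."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_indicators(data, indicators=INDICATORS):
    """Return sorted (offset, encoding, indicator, full_string) hits."""
    hits = []
    for offset, encoding, text in extract_strings(data):
        lowered = text.lower()
        for indicator in indicators:
            if indicator in lowered:
                hits.append((offset, encoding, indicator, text))
    return sorted(hits)


# Constructed sample, not bytes from the real drm.exe: a fake header, some
# non-printable filler, one UTF-16LE string and one ASCII string.
SAMPLE = (
    b"MZ\x90\x00"
    + bytes(range(0x80, 0xA0))
    + "PhoenixMiner.exe".encode("utf-16le")
    + b"\x00\x00\x01\x02\x03"
    + b"stratum+tcp://pool.example.invalid:4444"
    + b"\x00\xff\xfe\xfd"
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for offset, encoding, indicator, text in find_indicators(blob):
        print(f"0x{offset:08x}  {encoding:<8}  {indicator:<16}  {text}")
```

The reported offsets let you jump to each match in a disassembler or hex editor to see what code references the string.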
05/04/2022, 00:03
|
#2
|
elite*gold: 0
Join Date: Dec 2017
Posts: 37
Received Thanks: 13
|
What ****** move from them
|
|
|
05/04/2022, 00:07
|
#3
|
elite*gold: 0
Join Date: Apr 2021
Posts: 3
Received Thanks: 0
|
good job man!
|
|
|
05/04/2022, 00:12
|
#4
|
elite*gold: 29
Join Date: May 2022
Posts: 122
Received Thanks: 7
|
I'm extremely disappointed in him, because he can't even make a proper virus. I don't know why he'd put viruses in a cheat that works really well and makes sales for him. But joke's on him. drm.exe is a real file by Nevosoft. The file size is 1,137,960 bytes, which is not like this drm.exe. It's 81.57% sure it's a virus.
 : an ethereum miner which can work without showing any window or anything. He couldn't name it PhoenixMiner.exe other than this. Cause it won't work.
Furthermore, a video would be more interesting. Your words can still not be trusted.
You don't have many vouches; I will check by myself and see if your words are real.
|
|
|
05/04/2022, 00:12
|
#5
|
elite*gold: 0
Join Date: Mar 2022
Posts: 169
Received Thanks: 45
|
Funny thing: the owner always says he will give 20k to prove to anyone that Cobalt is a miner or RAT. Their Discord is a cesspool of people who just don't care... go claim your money
|
|
|
05/04/2022, 01:14
|
#6
|
elite*gold: 29
Join Date: May 2022
Posts: 122
Received Thanks: 7
|
these are other evidences that it downloads that file.
|
|
|
05/04/2022, 01:46
|
#7
|
elite*gold: 0
Join Date: May 2022
Posts: 3
Received Thanks: 0
|
Is it available ?
i'll send a private message
|
|
|
05/04/2022, 06:15
|
#8
|
elite*gold: 0
Join Date: Sep 2013
Posts: 2,106
Received Thanks: 633
|
a little late to the party kids
|
|
|
05/04/2022, 08:05
|
#9
|
elite*gold: 124
Join Date: Mar 2015
Posts: 1,261
Received Thanks: 529
|
Make a video about it. These pictures show no connection to cobalt and could easily be faked.
As ilikdbacon has linked, this isn't the first time someone has accused Cobalt of having a miner, but it seems that no one can make an actual video that shows these things even though they have been accused for months now.
This has just been announced from Cobalt.
“After looking at reports of people saying cobalt is a "RAT", We have concluded that there is an infected client exe being spread that is 8MB in size.
This client exe seems to be being spread by a competitor trying to sabotage us.
After looking further into this infected client exe we saw that this will implant a file called "DRM.exe", This file is **NOT** related to cobalt and delete it if you see it.
This client exe tries to make it as **OBVIOUS** as possible to make us look bad. ( clipboard replacer, forcing discord to use 100% CPU, etc... )
It also drops a JavaScript file into your Discord files. This script will send information about your PC to the competitor's server.
We have found that the webhook attached in the script file matches the exact server id of our competition's server.
We have attached the **DEOBFUSCATED** script file here for people to look at and have attached evidence that this client exe is being spread by our competition trying to sabotage us, and that our client is clean.
I hope this clears up all the confusion that has happened in the past few days ❤️, It is disappointing to see competitors sabotaging our product instead of improving their own...
**NOTE:**
I made this announcement yesterday, but since then an elite pvpers post has been posted talking about this. If the so-called reverse engineers of elite pvpers want to take a moment to see which server the webhook leads to in the JavaScript file, they will find it leads directly to our competition's server
|| @  ||”
|
|
|
05/04/2022, 10:29
|
#10
|
elite*gold: 0
Join Date: May 2022
Posts: 15
Received Thanks: 1
|
Bro he just made a mad funny announcement
|
|
|
05/04/2022, 18:51
|
#11
|
elite*gold: 49968
Join Date: Jul 2021
Posts: 2,042
Received Thanks: 1,365
|
Quote:
Originally Posted by lort1234
Make a video about it. These pictures show no connection to cobalt and could easily be faked.
As ilikdbacon has linked, this isn't the first time someone has accused Cobalt of having a miner, but it seems that no one can make an actual video that shows these things even though they have been accused for months now.
This has just been announced from Cobalt.
“After looking at reports of people saying cobalt is a "RAT", We have concluded that there is an infected client exe being spread that is 8MB in size.
This client exe seems to be being spread by a competitor trying to sabotage us.
After looking further into this infected client exe we saw that this will implant a file called "DRM.exe", This file is **NOT** related to cobalt and delete it if you see it.
This client exe tries to make it as **OBVIOUS** as possible to make us look bad. ( clipboard replacer, forcing discord to use 100% CPU, etc... )
It also drops a JavaScript file into your Discord files. This script will send information about your PC to the competitor's server.
We have found that the webhook attached in the script file matches the exact server id of our competition's server.
We have attached the **DEOBFUSCATED** script file here for people to look at and have attached evidence that this client exe is being spread by our competition trying to sabotage us, and that our client is clean.
I hope this clears up all the confusion that has happened in the past few days ❤️, It is disappointing to see competitors sabotaging our product instead of improving their own...
**NOTE:**
I made this announcement yesterday, but since then an elite pvpers post has been posted talking about this. If the so-called reverse engineers of elite pvpers want to take a moment to see which server the webhook leads to in the JavaScript file, they will find it leads directly to our competition's server
https://streamable.com/sbf43t
|| @ Everyone ||”
|
Hey, can you please explain why you are saying that the malware in Cobalt's loader might be fake, yet you reference an announcement from their Discord where they admit the malware that was shown by reverse engineers was real, but implemented by someone else?
Which one is it? Cobalt admitted that the malware exists, so I'm pretty sure it's not fake. Pretty simple 2+2 there.
The question is not if the malware is real or fake, we already know it's real. The question is who put it there. The answer is Cobalt.
As I said before:
The loader is protected. It can't be edited by one byte without vmprotect or themida throwing errors & preventing functionality.
& how did Cobalt's server get infiltrated so that the loader could be tampered with & tampered copy retained?
Cobalt did this shit. Cobalt is spreading malware & counting on user stupidity to get away with it. They are malware distributors. They even admitted it, just not the part where they admit it was them who added it.
It's very obvious they put ACD's Discord server ID in their own malware to frame them. That doesn't mean ACD did it. Why would ACD send information to their public Discord server anyways, and not a secure private location?
Even if this was all somehow true (it's not), good luck with a provider that has such shit security that anyone can just spread malware to their users via their own website loader.
Do not support malware distributors please.
|
|
|
05/04/2022, 19:35
|
#12
|
elite*gold: 124
Join Date: Mar 2015
Posts: 1,261
Received Thanks: 529
|
Quote:
Originally Posted by zebleer
Hey, can you please explain why you are saying that the malware in Cobalt's loader might be fake, yet you reference an announcement from their Discord where they admit the malware that was shown by reverse engineers was real, but implemented by someone else?
Which one is it? Cobalt admitted that the malware exists, so I'm pretty sure it's not fake. Pretty simple 2+2 there.
The question is not if the malware is real or fake, we already know it's real. The question is who put it there. The answer is Cobalt.
As I said before:
The loader is protected. It can't be edited by one byte without vmprotect or themida throwing errors & preventing functionality.
& how did Cobalt's server get infiltrated so that the loader could be tampered with & tampered copy retained?
Cobalt did this shit. Cobalt is spreading malware & counting on user stupidity to get away with it. They are malware distributors. They even admitted it, just not the part where they admit it was them who added it.
It's very obvious they put ACD's Discord server ID in their own malware to frame them. That doesn't mean ACD did it. Why would ACD send information to their public Discord server anyways, and not a secure private location?
Even if this was all somehow true (it's not), good luck with a provider that has such shit security that anyone can just spread malware to their users via their own website loader.
Do not support malware distributors please.

|
You are replying to an outdated post I made before it was officially confirmed that there was a RAT in the client.exe.
I replied to you in the thread I made about it. You should go and reply to that instead of an outdated post.
And as you might see, I edited the last part about the announcement after it was confirmed.
|
|
|
05/04/2022, 19:46
|
#13
|
elite*gold: 49968
Join Date: Jul 2021
Posts: 2,042
Received Thanks: 1,365
|
Quote:
Originally Posted by lort1234
You are replying to an outdated post I made before it was officially confirmed that there was a RAT in the client.exe.
I replied to you in the thread I made about it. You should go and reply to that instead of an outdated post.
And as you might see, I edited the last part about the announcement after it was confirmed.
|
Yes I replied to your post there.
|
|
|
05/04/2022, 20:41
|
#14
|
elite*gold: 0
Join Date: May 2022
Posts: 137
Received Thanks: 56
|
Quote:
Originally Posted by zebleer
Hey, can you please explain why you are saying that the malware in Cobalt's loader might be fake, yet you reference an announcement from their Discord where they admit the malware that was shown by reverse engineers was real, but implemented by someone else?
Which one is it? Cobalt admitted that the malware exists, so I'm pretty sure it's not fake. Pretty simple 2+2 there.
The question is not if the malware is real or fake, we already know it's real. The question is who put it there. The answer is Cobalt.
As I said before:
The loader is protected. It can't be edited by one byte without vmprotect or themida throwing errors & preventing functionality.
& how did Cobalt's server get infiltrated so that the loader could be tampered with & tampered copy retained?
Cobalt did this shit. Cobalt is spreading malware & counting on user stupidity to get away with it. They are malware distributors. They even admitted it, just not the part where they admit it was them who added it.
It's very obvious they put ACD's Discord server ID in their own malware to frame them. That doesn't mean ACD did it. Why would ACD send information to their public Discord server anyways, and not a secure private location?
Even if this was all somehow true (it's not), good luck with a provider that has such shit security that anyone can just spread malware to their users via their own website loader.
Do not support malware distributors please.

|
Hello, I was supposed to post this on the other post, but it seems like the thread got closed as soon as I wanted to reply.
Anyways.
Quote:
Originally Posted by zebleer
1. It isn't unheard of in the cheating community for providers to crack other providers' software to use it in a harmful way.
The malware analysts who evaluated Cobalt and found what Cobalt admitted was found got it from cobalt.solutions, the primary website. Cobalt also said nothing about a crack but that is secondary evidence.
2. The fact that it wasn't all client.exe that had the miner in them (Actually a small % of clients did) seems to me that it didn't come from their website, it was most likely a cracked version of the loader that had the miner. And that loader was most likely shared throughout the Discord.
So you've never heard of evasive malware? That is a factor of malware analysis. Malware might remain inactive for long periods of time before starting activity, it might be present in only a few instances of production, etc. These are all examples of evasive measures for malware.
3. Why ACD allegedly have sent the information to their main server I do not know, but people in the cheating community aren't always the smartest. Note that ACD doesn't dev anything themselves, they are reselling their software.
Yes I know ACD is a reseller so how are they somehow able to hack Cobalt's website and alter a VMP protected loader for download? If they are somehow smart enough to do that, they aren't going to be stupid enough to leave a trail to their main Discord server which is not secure, not anonymous, and might get deleted at any time.
4. The security of Cobalt i cannot speak about since i don't know about it. But again it isn't unheard of providers cracking other providers in the cheating community.
Already answered #1.
5. Again i don't think the client.exe was spread through their website, but most likely was a cracked version of their loader, that was spread through discord.
It came from their website. People aren't distributing cheat provider loaders on Discord unless it's advertised cracked, which Cobalt didn't get cracked. They get the shit from the website like everyone else.
6. I don't see any reason for Cobalt to spread a miner to their users, they are growing rapidly, also faster than any other providers atm. Why ruin a growing good business? That in my eyes doesn't make any sense at all.
Yeah their free and 10 eur products are really flying off the shelf because they're good and not because they are cheap. When something is free or cheap in the cheat scene, your device might be what they get, not your money.
But for other providers this isn't good, the fact that both Cobalt and ACD have been seen as cheats you use for raging give them the same user base.
Cobalt is also 1/5 of the price of ACD cheat + spoofer.
I believe that ACD have more benefits for ruining Cobalt reputation/sales than Cobalt would have to rat their own customers.
Yeah ACD seems to be profit driven while Cobalt seems to be malware infection driven. Not sure why you're surprised by the price difference. Cobalt has given away a lot for "free" too. Nothing in life is free.
I do not support malware distributors. But I also won't join on the hype train to accuse a provider that in the most logical way probably hasn't done anything wrong other than having a weak protection against debugging and being stupid enough to allow sharing a client.exe in their general channel on Discord.
I hope that people can make their own choice on who they believe is in the right and who isn't. But it was not my intention to accuse ACD; I intended for this information to be public so people can make their own choice.
The proof is legitimately overwhelming that Cobalt is a malware distributor. This is not a hype train.
|
Hello, I'm the developer of Cobalt and have seen a major amount of misinformation here that I would like to correct. I am the only developer of Cobalt and I am the only one who has access to the source.
You seem like you're pretty reasonable and have general knowledge about cheating, but it seems like some of your claims are incorrect and I'd like to correct those.
1.
First of all, you claimed multiple times that the loader is protected and "a single byte change" would cause VMProtect/Themida to error.
This is in fact not the case, as the official loader is not protected with Themida/VMProtect.
It is true that it used to be protected by Themida 2-3 months ago, but I decided to stop protecting it as people were claiming it was a RAT because "VirusTotal said it was packed/virtualized", which is what Themida does to protect the file.
I want to say that this is not the first time that people have been claiming it's a RAT. It seems like every 2 months or so a wave of people come claiming it's a RAT and then disappear after a month, which is extremely infuriating.
You can test it yourself and modify the client exe with HxD or any program and it will run fine, which means anyone is able to bind a RAT using any public binder and claim it's the "official" loader.
For your last point of "ACD is profit driven and Cobalt is malware driven":
If we say that the average Cobalt user has a 2070 Super, which can generate 1.58 USD/day at maximum speed according to NiceHash (I've only ever mined once on my main PC around 8 months ago when Ethereum was booming, so I'm not sure how accurate this is),
If we say I run the miner at around 30%, which is still highly noticeable, and if we assume that the average Cobalt user keeps their PC on for 12 hours every day, which is way more than I keep my PC on (8 hours),
I would only be making (1.58 * 0.30 * (12/24)) per day, which is 0.237/day, 7.11/month, which is literally half the price of the subscription?
Why would I risk 100% of my profit and reputation for a 50% increase in profit?
This calculation also doesn't include the fact that more than 90% of Cobalt users don't have the infected client/drm.exe?
I make enough money from Warzone; I'm not looking to be a millionaire from cheating.
I've talked to many cheat companies and they make around $100 000, which is more than x4 what I make.
Apologies for the long explanation. The point I'm trying to get across is that I'd make more working on the cheat and advertising to more customers.
|
|
|
05/04/2022, 22:34
|
#15
|
elite*gold: 49968
Join Date: Jul 2021
Posts: 2,042
Received Thanks: 1,365
|
Quote:
Originally Posted by fffcobalt
Hello, I was supposed to post this on the other post, but it seems like the thread got closed as soon as I wanted to reply.
Anyways.
Hello, I'm the developer of Cobalt and have seen a major amount of misinformation here that I would like to correct. I am the only developer of Cobalt and I am the only one who has access to the source.
You seem like you're pretty reasonable and have general knowledge about cheating, but it seems like some of your claims are incorrect and I'd like to correct those.
1.
First of all, you claimed multiple times that the loader is protected and "a single byte change" would cause VMProtect/Themida to error.
This is in fact not the case, as the official loader is not protected with Themida/VMProtect.
It is true that it used to be protected by Themida 2-3 months ago, but I decided to stop protecting it as people were claiming it was a RAT because "VirusTotal said it was packed/virtualized", which is what Themida does to protect the file.
I want to say that this is not the first time that people have been claiming it's a RAT. It seems like every 2 months or so a wave of people come claiming it's a RAT and then disappear after a month, which is extremely infuriating.
You can test it yourself and modify the client exe with HxD or any program and it will run fine, which means anyone is able to bind a RAT using any public binder and claim it's the "official" loader.
For your last point of "ACD is profit driven and Cobalt is malware driven":
If we say that the average Cobalt user has a 2070 Super, which can generate 1.58 USD/day at maximum speed according to NiceHash (I've only ever mined once on my main PC around 8 months ago when Ethereum was booming, so I'm not sure how accurate this is),
If we say I run the miner at around 30%, which is still highly noticeable, and if we assume that the average Cobalt user keeps their PC on for 12 hours every day, which is way more than I keep my PC on (8 hours),
I would only be making (1.58 * 0.30 * (12/24)) per day, which is 0.237/day, 7.11/month, which is literally half the price of the subscription?
Why would I risk 100% of my profit and reputation for a 50% increase in profit?
This calculation also doesn't include the fact that more than 90% of Cobalt users don't have the infected client/drm.exe?
I make enough money from Warzone; I'm not looking to be a millionaire from cheating.
I've talked to many cheat companies and they make around $100 000, which is more than x4 what I make.
Apologies for the long explanation. The point I'm trying to get across is that I'd make more working on the cheat and advertising to more customers.
|
I don't understand why you are only looking to disprove me in terms of what protection you use for your loader. The point is that it's protected. Okay so the information that I got that you used Themida then VMP was only half correct assuming what you are saying right now is true. I am a fair person & I will give you that. That doesn't really change anything. I still have a ton of doubt. The bottom line is that your loader was protected, your site should be secure, so why was someone able to alter your loader to give your users malware, by your own admission, if the loader/site are protected?
Also why do you expect us to believe that ACD left their primary Discord server ID in a JS file that is part of the malware, rather than a private/secure location for the data to be transmitted to & stored?
Why did you take so long to discover this? Why did you not clarify if it was a crack that was circulating? Why are people reversing the loader from your site & finding things?
Your answer to me really accomplishes nothing besides trying to flatter me & proving I was wrong about what protection you currently use, which you can easily change at any time.
I know your flattery of me is just to get me on your side & it won't work. We are going to sort this out the proper way.
The entire situation overwhelmingly points to you distributing malware.
As for your claims about malware not being profitable:
1. The measurements you've made in terms of how much you could make off the miner seem low. You'd make more from what I can see online from sources I trust.
2. The malware was not just a miner, it also replaced copied addresses with a new address. This is a method to steal virtually any amount of money imaginable considering you have no idea how much the target PC is moving in crypto.
3. You probably thought you wouldn't get caught, so no it's not a choice between selling cheats vs. malware, you tried to get both.
4. Cobalt sells very cheap & some of your products have even been for free. You'd certainly be motivated to do that if malware was involved.
5. I don't care if some 16 year old posted in your Discord "my device never got rat". That doesn't mean shit about how many users were given malware.
Quote:
Originally Posted by fffcobalt
I've talked to many cheat companies and they make around $100 000 which is more than x4 what I make.
|
|
|
|
 |
|
All times are GMT +1.