Malware Analysis Report

2024-12-07 03:14

Sample ID 241113-2yb8bs1cpa
Target 6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f
SHA256 6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f
Tags: cycbot backdoor discovery persistence rat spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f

Threat Level: Known bad

The file 6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f was found to be: Known bad.

Malicious Activity Summary

cycbot backdoor discovery persistence rat spyware stealer upx

Cycbot

Cycbot family

Detects Cycbot payload

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 22:58

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 22:58
Reported: 2024-11-13 23:01
Platform: win7-20240903-en
Max time kernel: 140s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload


Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 796 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
PID 796 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
PID 796 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
PID 796 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
PID 796 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
PID 796 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
PID 796 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
PID 796 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe

"C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe"

C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe

C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming

C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe

C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | psfk.com | udp
DE | 35.158.87.123:80 | psfk.com | tcp
US | 8.8.8.8:53 | zonedg.com | udp
US | 8.8.8.8:53 | zonedg.com | udp
US | 8.8.8.8:53 | separatemilkandtee.com | udp
US | 8.8.8.8:53 | zonedg.com | udp
US | 8.8.8.8:53 | zonedg.com | udp
US | 170.178.183.18:80 | zonedg.com | tcp
US | 170.178.183.18:80 | zonedg.com | tcp
US | 170.178.183.18:80 | zonedg.com | tcp
US | 70.32.1.32:80 | zonedg.com | tcp
US | 70.32.1.32:80 | zonedg.com | tcp
US | 70.32.1.32:80 | zonedg.com | tcp
US | 8.8.8.8:53 | highspeeddbsearch.com | udp
US | 70.32.1.32:80 | zonedg.com | tcp
US | 70.32.1.32:80 | zonedg.com | tcp
US | 70.32.1.32:80 | zonedg.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 216.58.201.100:80 | www.google.com | tcp
US | 70.32.1.32:80 | zonedg.com | tcp
GB | 216.58.201.100:80 | www.google.com | tcp
GB | 216.58.201.100:80 | www.google.com | tcp
N/A | 127.0.0.1:56404 | | tcp
N/A | 127.0.0.1:56404 | | tcp

Files

memory/796-1-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2452-9-0x000000000058B000-0x00000000005A5000-memory.dmp

memory/2452-8-0x0000000000400000-0x0000000000445000-memory.dmp

memory/796-14-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Roaming\7D3A.3BB

MD5 738de9588f5ed21fc990279798686ba6
SHA1 ca8704a6582d41163f81463b189f942231546d1a
SHA256 8ffa5da3569c06e5882446afe53d20a83c98cef2472d1ee03bcc4b83c1471e05
SHA512 01d3fdaf468603721de3ed11f5cda9a0aaa10428cdc06454251bf228705ef5885a805d14003169d6f59b485189f722c93189c2b2a2b63c4e55b1ddf93d1ee35e

C:\Users\Admin\AppData\Roaming\7D3A.3BB

MD5 db6fb048c1f245d107142333cbf461f8
SHA1 0d39bc4df9f4d7be8c11721c89c9837a7355c7f4
SHA256 bf547bf93c690dd65264eb1eb7b78e1e2226df6b81689b9042f1a82bfb28c085
SHA512 71951092548a6ca52f42dbbcb38d3027f2e8321040b95335f9c227bc4f9db48a59e1c8433cf1ffd310e0ad409696443cc226d6c6c827a6d5a327d27028166a53

memory/3020-84-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3020-83-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3020-85-0x0000000000400000-0x0000000000445000-memory.dmp

memory/796-152-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Roaming\7D3A.3BB

MD5 0ca390a8a1aacd6accfe0fcde8bc737c
SHA1 9f06e662eae14bae96e5bc8a82ae72d04ff869c7
SHA256 21a9c9c846dc2c29bde19410fc190d0834f2c546614c31da22d4a2b07037e5fd
SHA512 5c6852c66553b7f0ca0b0092b9207e99e0534a456e6a6d4f4cdf9e0d55095b070c2f43349f5a79d88278fbd5a4f93cc58e2a7751938d296d09b3df7311efca96

memory/796-191-0x0000000000400000-0x0000000000445000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 22:58
Reported: 2024-11-13 23:01
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe

"C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 564

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

N/A