cycbot | 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca

General

Target

2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
Size

191KB
MD5

30c33e7e58544f87a665303845f0bace
SHA1

0d27d98ffa3b09522e2d102accfe1e78e8f38502
SHA256

2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca
SHA512

66fbc958543da2ab1ca08110d739ff2fba64c3b35c371cecff3e82c92a51348a00111bba0d4c98ac6bf0ba7e05a2b7af76b03b24ee97c80e03b212c958b097a6
SSDEEP

3072:5O0FGiGfYYlA6iQK0ZiBitGEWqcjuNl7sUmCkweP1y8NN1bjVgO0/:5dVEYYlA6idI8EWFjylvmCktN13Vgn

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2336-7-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/2356-17-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/2356-83-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/1656-85-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/2356-165-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2356-2-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2336-6-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2336-7-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2356-17-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2356-83-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/1656-85-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2356-165-0x0000000000400000-0x0000000000447000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

description	pid	Process	procid_target
PID 2356 wrote to memory of 2336	2356	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe	31
PID 2356 wrote to memory of 2336	2356	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe	31
PID 2356 wrote to memory of 2336	2356	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe	31
PID 2356 wrote to memory of 2336	2356	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe	31
PID 2356 wrote to memory of 1656	2356	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe	33
PID 2356 wrote to memory of 1656	2356	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe	33
PID 2356 wrote to memory of 1656	2356	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe	33
PID 2356 wrote to memory of 1656	2356	2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe	33

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
  C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
  C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\49F8.288

Filesize
1KB

MD5
2c9ce53ac612a0dd66d8a575e3530374

SHA1
9c3aff0c22ca2997d8c13554dc5fa8cd1ca669df

SHA256
7ab079685dbc221524d199bc81cef002e94f208b5e70ac988d4d931da80349ec

SHA512
3e4d3e9bd1179efb99a8d4426e99f4c876b5953b4b1c5b659303ad244c74d6ce6c7d29607ccdd57087c89323ac49086419868b9dec5dd446d27f4f44889bb731

Download Submit
C:\Users\Admin\AppData\Roaming\49F8.288

Filesize
897B

MD5
f45717326bd7cecfad365272e9de85f1

SHA1
45f1ecc94b7881946332f7f00ff279cabeef5ee6

SHA256
f38e37a2ba8b5efdf2fab55866ce783f0a49107d878e83cdd95d36f88485cd9f

SHA512
5d823aa367c8aa159e094b64661a2b7059ed5447a4fc0c9033e734d0f4bb7be969d9135b05a73d85bc2106175dd655165c5af00b6e20fa938d7b6d06b8f333ed

Download Submit
C:\Users\Admin\AppData\Roaming\49F8.288

Filesize
1KB

MD5
0655fd76fa38ebb506bba35ca6512126

SHA1
de332c808296f7885921aeec182e581fbae0e77a

SHA256
d74da65ba01e1323b666cd5973c98d737cf7857d2d142d2f35eec3182bf861e9

SHA512
04ab42ffcfa203d86114b2ed948cf1d75e6cf68206d4bb907c69dc13d39a14a405729286024e381814a32df05594daaadac3e700e2e36587dbf0d20a1222d81a

Download Submit
memory/1656-85-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2336-6-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2336-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2356-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2356-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2356-17-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2356-83-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2356-165-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads