cycbot | 11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6

General

Target

11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
Size

187KB
MD5

d733b00a9267fb7569ac2b14e206eb67
SHA1

276b638a41c807ee9a8d93b67f5599fb1bc30fff
SHA256

11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6
SHA512

f407f7cdadc1889b6d55d021f3426bb80625de13c569c9df1753bea1b284b48e6833b1120e8596a4fd61800110a73269aed8ad3440506d248d957305983cc608
SSDEEP

3072:VUHqpj+iHwsE3+64QSuedh+wyYE8pCaHSJaDf+HyUaP/wooi:iZsE3+SSuYxN4gD+SX

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/748-13-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot
behavioral2/memory/960-14-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot
behavioral2/memory/960-77-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot
behavioral2/memory/928-80-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot
behavioral2/memory/960-193-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/960-2-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/748-12-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/748-13-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/960-14-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/960-77-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/928-80-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/928-79-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/960-193-0x0000000000400000-0x0000000000441000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 748	960	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe	83
PID 960 wrote to memory of 748	960	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe	83
PID 960 wrote to memory of 748	960	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe	83
PID 960 wrote to memory of 928	960	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe	95
PID 960 wrote to memory of 928	960	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe	95
PID 960 wrote to memory of 928	960	11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe	95

C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
"C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
  C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:748
- C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
  C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C906.C7A

Filesize
600B

MD5
d588d65511a1615d8e1c7848d4bd152e

SHA1
0649f765d79b8ac723b803ed931396952140d1fb

SHA256
6ce461f3bd832c399d7fde90d92d395f0d1ccaa446f18cc212f9f41a1a31931a

SHA512
06cb57e6e13cb816a600f1818f8b345f1cd09f6a334a437f2d9a41d46b4b7cbdc9943135503a74a4b00d492506f9661c9989baec5cc8f1697b0749cffb3273a4

Download Submit
C:\Users\Admin\AppData\Roaming\C906.C7A

Filesize
1KB

MD5
2712f6de9197dbea8423e5148df72d08

SHA1
faee491ba3c43a89c4c1bc61ecccaa1b40c75e5d

SHA256
3b99ee89077e14304d6222455facda18523e6c3659d9263e15d0e0a8cd01888b

SHA512
1e9bc65b6b8d3784d225f12a844b5541aa7f8b9a5c2e07275274ab375225c30066fb890b086ad6324a6f506b1622292c298d317b56fa0ace24e3cbd9c8b9ef31

Download Submit
C:\Users\Admin\AppData\Roaming\C906.C7A

Filesize
996B

MD5
9e879b794c1f6ed0ae16bc0526154346

SHA1
cccb9d16317093d209f7f67165626d7e224eb459

SHA256
cb52cf01728ecc8a4afee2bbcfd111b190caf3bcf32948ab1389edec48e722c4

SHA512
4452d42d1f57a9379f18a9974a051be9c1938c5bc7341b9fbe39fb0025cd8d5c8a7a22d782ac78c7c4d7372b67fc98369778eb1cb23d58bce01d7c4214397fc1

Download Submit
memory/748-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/928-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/928-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/960-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/960-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/960-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/960-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/960-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads