cycbot | 946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25

General

Target

946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe
Size

200KB
MD5

6aca963aaa7d2f49985d1d718d5006ab
SHA1

0e6fd5804a3bc8b904eb7849fc2e6eedd1d823e1
SHA256

946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25
SHA512

bc638dc67fb722802c0d2e3e67a810524a08ca44cc4f8c93c3c1854919f829675ff18d61a70e37a0298a6ed452f1bf2357e1ee265d38392528cf69a98e143faf
SSDEEP

6144:8Mz73Q1X5oRzlOu8oUh/3wf2GR34t34jyUY:8o7345oRYlho+GR34hMW

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2200-6-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1064-14-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/772-90-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1064-91-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/1064-194-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1064-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2200-5-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2200-6-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1064-14-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/772-90-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/772-89-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1064-91-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1064-194-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2200	1064	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe	30
PID 1064 wrote to memory of 2200	1064	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe	30
PID 1064 wrote to memory of 2200	1064	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe	30
PID 1064 wrote to memory of 2200	1064	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe	30
PID 1064 wrote to memory of 772	1064	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe	32
PID 1064 wrote to memory of 772	1064	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe	32
PID 1064 wrote to memory of 772	1064	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe	32
PID 1064 wrote to memory of 772	1064	946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe	32

C:\Users\Admin\AppData\Local\Temp\946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe
"C:\Users\Admin\AppData\Local\Temp\946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe
  C:\Users\Admin\AppData\Local\Temp\946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe
  C:\Users\Admin\AppData\Local\Temp\946e8ff61e80aeec138f70fd244eecd7e7afbfb799ee73b20a1a92f9fc939c25.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\205F.19B

Filesize
1KB

MD5
a6cdddc00bfbad9babd87d82fbc97944

SHA1
e05bb7fa9dd3ae6e41c10d8d53f7b8943eecb045

SHA256
052a2077b8054d58e6f56b62956e728e82d455c2acfc15993675f0b14c68ad12

SHA512
b9e1609b18ef6ed8e5fe6818e114ab3541a281c43a549eca6a17bc1a01d20ecf5dca4a0775256270e740232624fe343c9ef394fbfad69ea7d7b3f5ef357d734b

Download Submit
C:\Users\Admin\AppData\Roaming\205F.19B

Filesize
600B

MD5
48e3147f4d59296c49e54598ab7d2edc

SHA1
531800e0175ed3e0a69bbd6072be8cc1f7e39f78

SHA256
5ef581bc8a19af534bec2e9fa1994f7f7a195a7eaf6581ac10681f8b485e6b2c

SHA512
37cdb41eba6a881a3478176ec57b27259ea491a5777a9c897cf7014ceaa4df00718c799edd820e634154d9f91d2a8d93fbd1fe4c0528813b58249697e4b318d1

Download Submit
C:\Users\Admin\AppData\Roaming\205F.19B

Filesize
996B

MD5
8e8e9191ff06c81b0432791d7d131bf8

SHA1
f03b66bb5fbd32c1d643522600e19627b562678e

SHA256
0c7896a6690bd66fa10603b432d3ad62d2e8908c238ea5b976a76674505001e1

SHA512
ef40285ffcfb50c3d1a37ecbe1c7e9b756c631dd606db4e51d0ce5cdb1a9fe2ea9c3cb876afea49fa65d7059d8e5f12a57fb501b7d0b9067fe3b3bb9552af8d7

Download Submit
memory/772-89-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/772-87-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/772-90-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1064-14-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1064-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1064-91-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1064-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1064-194-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2200-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2200-5-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads