cycbot | 1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c

General

Target

1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe
Size

188KB
MD5

7ee39b38f507ed65c497c49f2f6f0504
SHA1

7580cbfc8913a8f7d3582958bd428fd281882db2
SHA256

1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c
SHA512

a40fb026f693c715215de45286d10defff6cd5684f86f24ea0aa2b87f0c121ac3491d17b73ec049b8f9f39b93e0a449dd5775cf08e6bdc917f81a686675ab081
SSDEEP

3072:2s/pebp6nCyce+ORB7ur9WMQn+OQVm24KsOz8p5UhrJHWnTA+ims:9LPceHRBQWqwXEz8puRWnTy

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3648-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/3844-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/544-79-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral2/memory/3844-189-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3844-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/3648-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/3648-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/3844-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/544-77-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/544-79-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/3844-189-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3648	3844	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe	83
PID 3844 wrote to memory of 3648	3844	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe	83
PID 3844 wrote to memory of 3648	3844	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe	83
PID 3844 wrote to memory of 544	3844	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe	92
PID 3844 wrote to memory of 544	3844	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe	92
PID 3844 wrote to memory of 544	3844	1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe	92

C:\Users\Admin\AppData\Local\Temp\1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe
"C:\Users\Admin\AppData\Local\Temp\1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe
  C:\Users\Admin\AppData\Local\Temp\1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe
  C:\Users\Admin\AppData\Local\Temp\1e1bdfd4e612a1d832ec913ced852a906b28863e77f23b011013bd86ce1bbe6c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F026.8AD

Filesize
1KB

MD5
af0f780be1f06b8816c77eeb659f573e

SHA1
3e4185851d9aaeceae7868e51a219d473602c842

SHA256
172ec4d6e3eceb8d5ca8b1c901a686049de9ce54a879b4ca46927fed5eadc9bd

SHA512
d3fb6d1af07e97bcecfd91de58552af7eb1be2431703a7e6c0563ececa0ffe6b16fcb658e1d9c1a8bd3bbc5eb6cafa30eb076751a2835bdc17441067cc01cf05

Download Submit
C:\Users\Admin\AppData\Roaming\F026.8AD

Filesize
600B

MD5
4502cd2a0fb57e8f0f674509a5eededc

SHA1
9897dbc8f0174bccf19a7c3d7efdbdb54bfb78d7

SHA256
1dd3f510e57f6c8da04286c1910082e9a81a02ad5d0353268f9f3709d77baa95

SHA512
f0daa0694ba83528af65dc6f6d0370889ba786a04abde9d2ac5c26b12daa8d058e575daeb50ab8aeee257e89252c2cdf925d5d33db526faddb3f457896111259

Download Submit
memory/544-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/544-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3648-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3648-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3844-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3844-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3844-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3844-189-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing