cycbot | dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea

General

Target

dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe
Size

197KB
MD5

c5828e12d2e3d70cd73e8868f603abaa
SHA1

c22e8fddb6af667521428aaaa35ef8711b1130a7
SHA256

dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea
SHA512

d4229c12c974f2a796e4aef38e3e39f970403c2df308d59e75e5c099aa354dc426bea204035ca5fdf11b805489ff99de1df6a8d5f71741971318d99f78b3f503
SSDEEP

3072:AjB33b++Q0Yg5l5D+H/AWVEDbqrB1YSEh0TAMvRKThRuxEBylvAoDrIb75GMYyRF:Aj4+QpE+BEsbbvRWexEk1tIkMBxM

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2376-8-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/2376-10-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/2432-22-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/800-93-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/2432-94-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot
behavioral1/memory/2432-200-0x0000000000400000-0x000000000048B000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2432-2-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2376-7-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2376-8-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2376-10-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2432-22-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/800-93-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2432-94-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2432-200-0x0000000000400000-0x000000000048B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2376	2432	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe	30
PID 2432 wrote to memory of 2376	2432	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe	30
PID 2432 wrote to memory of 2376	2432	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe	30
PID 2432 wrote to memory of 2376	2432	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe	30
PID 2432 wrote to memory of 800	2432	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe	32
PID 2432 wrote to memory of 800	2432	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe	32
PID 2432 wrote to memory of 800	2432	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe	32
PID 2432 wrote to memory of 800	2432	dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe	32

C:\Users\Admin\AppData\Local\Temp\dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe
"C:\Users\Admin\AppData\Local\Temp\dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe
  C:\Users\Admin\AppData\Local\Temp\dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe
  C:\Users\Admin\AppData\Local\Temp\dd3693e034ca9b32d866d4215d67d2c6e6cd0b758c57499d941458a62344e0ea.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6A6E.4D5

Filesize
597B

MD5
9a3336c51a790e8dcbfe78dc01062b6b

SHA1
72747e024125fb97f88f5fb875513b9c977299f3

SHA256
a1b160d69789d45e5e97c3748f5cb13bafca6fbadbc8e06ea1cc50e5d65b5970

SHA512
65c1946d09b23cf4a2447c3154b9ccb4d38aed3db4750aebb0f6f50936457785ad9d3f42b64adf15c7db5f75bd6e566ce45240c5019fc1fd48a59a02fd60bcef

Download Submit
C:\Users\Admin\AppData\Roaming\6A6E.4D5

Filesize
1KB

MD5
0ff35ea297b07464307c6a424a82198d

SHA1
7464b78d5aa35094be1da5800fecf017a41dff79

SHA256
73386eda48d93d133005205a7d0f9e5ddd06133ea28cd5ec67904e988a37e104

SHA512
2b19cef1e9eb94dda5d091830e3e53ace185b31cc462796ad8a9092cbb02a1956589c9c1b19d8e8c079fda650b0a8a2d0b797af380a9a410b7f46a34136132c4

Download Submit
C:\Users\Admin\AppData\Roaming\6A6E.4D5

Filesize
897B

MD5
0b2528422d9910da7788de15aedb8a2f

SHA1
5876fc61998f6ff1567527190b60adbc334b8686

SHA256
d7ebf6be7ea3b76e5ec8a6ab8afe4369c57cfbe70d51e6d49edef86865d35c86

SHA512
6d31a5577e78ec10798cc93ee9801e771e286892594852df9a3018c79ae8e20c98696bec43b790986dc76dc3d68d5287d84c6bff63817d07fd2383c4f965a765

Download Submit
C:\Users\Admin\AppData\Roaming\6A6E.4D5

Filesize
1KB

MD5
f72bc908a0110a085655d32d8e0b9fb4

SHA1
a2926b3f26bb4b6bf429dbbb482745ec1f8e56ff

SHA256
b115f21bc7b26111886767c024940d8db5232412c82cf1dbbd4676d9da731851

SHA512
83a936d43e1db0f9cc350385590201010cd1b5bb81744eb0ceec6a57c87b7a048f4d2376005d1aa3633fd4ea23a09542450b977f23402cc27950d111e5ce1b9d

Download Submit
memory/800-93-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/800-91-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2376-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2376-10-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2376-7-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2432-22-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2432-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2432-94-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2432-2-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2432-200-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads