cycbot | 67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e

General

Target

67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe
Size

175KB
MD5

d05b7c90ed2ae56fa73cb421900ed293
SHA1

ba98ec9648bda5f3ed09ded67a1ef4c149c121da
SHA256

67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e
SHA512

53f5b8c34a0d7205ea91736708986a01ed2379c7c36ddc045e71b36e14407cb57a3e7dbdc5443d7a521db9fca7601872ed25522ab6cd648dda9610dcac854a99
SSDEEP

3072:XdF23o/kDbA3PMS6zknBXKr1lbQkpEFxwOMkHWKcrE+uTWTH4Cv:Ng3o8DblzknAr1lbd0w4Zj+r

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2784-15-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2624-16-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2624-80-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2088-85-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot
behavioral1/memory/2624-145-0x0000000000400000-0x000000000046E000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2784-13-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2784-12-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2784-15-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2624-16-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2624-80-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2088-83-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2088-85-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2624-145-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2784	2624	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe	30
PID 2624 wrote to memory of 2784	2624	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe	30
PID 2624 wrote to memory of 2784	2624	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe	30
PID 2624 wrote to memory of 2784	2624	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe	30
PID 2624 wrote to memory of 2088	2624	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe	32
PID 2624 wrote to memory of 2088	2624	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe	32
PID 2624 wrote to memory of 2088	2624	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe	32
PID 2624 wrote to memory of 2088	2624	67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe	32

C:\Users\Admin\AppData\Local\Temp\67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe
"C:\Users\Admin\AppData\Local\Temp\67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe
  C:\Users\Admin\AppData\Local\Temp\67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe
  C:\Users\Admin\AppData\Local\Temp\67bc474fba12625f5fa89472f784d61d3fc233eab98227f6d1c54921cc18204e.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9822.999

Filesize
600B

MD5
f2708fb6b768ac861430629ef88f0c0f

SHA1
e39405614774ac4865a5784e340a85df175b7166

SHA256
15573fd3c23c40d16b1bd5655277aeb25bca79013bb0e075302cae03c6c8ccc7

SHA512
68d37535520041849d26b5e42c8ac823f34f7ec86c4e61a1fd6643c5510c4a03e4748d7f99edb5c5431e722b1e7c07180f9d7dc31192404e20b5b8d1f9d0a349

Download Submit
C:\Users\Admin\AppData\Roaming\9822.999

Filesize
996B

MD5
d357578dcd4709bf6b5be34a71257ce9

SHA1
ed5adfea1a3f843a189c5fbd1d90a247e21a4b89

SHA256
bb330ae4fd582b04f203293b8b699eff2011b4c6e42a6c32a4ef88b46b22b0ce

SHA512
812acd6dc3a9ea9ef3b237f1b30cd8888a35db645eb6e42a17865cca84973ff680febf3dbb0be968de31294123305a8ab01818d668270134180b230966dd5d0a

Download Submit
memory/2088-83-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2088-85-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-80-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-145-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2784-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2784-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2784-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads