cycbot | 76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72

General

Target

76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe
Size

179KB
MD5

c798c1b9cba4ffcd33671c47941ea9f0
SHA1

82c5fe85508987cfd549bbc668c51a0c9ddd829c
SHA256

76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72
SHA512

3deb22f84c56c1200c76e0fe94adc609ae1d8c2912b0e0971a57cad02beba87cc2ed1ba2be2afcffc5e4c043ea08be7dae70b958f811ba22f9f12fa198f11fe6
SSDEEP

3072:L8svOQUkW/hGG03dj2bLYZurqqMR96F0AXNErDCHC1u815Se6gFprk:L/vOQfSGG0xeYZufMR9ATNEb1l5Syr

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3988-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4084-16-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4084-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral2/memory/4340-125-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral2/memory/4084-300-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4084-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3988-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3988-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4084-16-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4084-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4340-123-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4340-125-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4084-300-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 3988	4084	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe	83
PID 4084 wrote to memory of 3988	4084	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe	83
PID 4084 wrote to memory of 3988	4084	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe	83
PID 4084 wrote to memory of 4340	4084	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe	91
PID 4084 wrote to memory of 4340	4084	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe	91
PID 4084 wrote to memory of 4340	4084	76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe	91

C:\Users\Admin\AppData\Local\Temp\76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe
"C:\Users\Admin\AppData\Local\Temp\76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe
  C:\Users\Admin\AppData\Local\Temp\76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe startC:\Program Files (x86)\LP\14EA\E87.exe%C:\Program Files (x86)\LP\14EA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe
  C:\Users\Admin\AppData\Local\Temp\76c7ac6e39553fe1143d39d648b1ac4f9783805e59ade5c0e2ca155af3905d72N.exe startC:\Users\Admin\AppData\Roaming\AD1D4\F0D14.exe%C:\Users\Admin\AppData\Roaming\AD1D4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AD1D4\414D.D1D

Filesize
300B

MD5
181e8de1b02f11c297eb4944657854ba

SHA1
86d837427639462a821ef412677b2639b7ffb116

SHA256
2938884f2654ee8b417c2fabfc318903cb0daf88f8fa73da226fb9793f6cd28a

SHA512
b8b99e9bad4f81da1e43732a19ccac463deca592785f430a29e923d80b2d57f9ae6e8dc0010fc74a18719325b0305701ff4d3f6502a686233c760f54e60fe738

Download Submit
C:\Users\Admin\AppData\Roaming\AD1D4\414D.D1D

Filesize
996B

MD5
5dd8147e0fe858f97b78257d07bd4545

SHA1
2b702c415560fbe2e86d19a112cb53ab935a4679

SHA256
0e0fc735a9af3fe45ba2a8ec21d56bd5673cd2643c5e701249e79361c28a73af

SHA512
b9f8fc8919e18b9fbd5891384192b873fe3d7d9186e169af9569620c316a222a6337ffe5f04bbc5a3eec841b7f44704c7f54bba2e2971d37f828176c20833cc1

Download Submit
C:\Users\Admin\AppData\Roaming\AD1D4\414D.D1D

Filesize
600B

MD5
4c712c4aa567d5afc26657756d27eedc

SHA1
828e486bdffce8ad696363aea692956f9e5e3050

SHA256
45f75c57ec239d56b537d7a5b7c0d5ccc1ea08b822bdfb36d4c5e0fb4c659fc2

SHA512
7456919b98168b4d391547aa280d98e11d4f25eb3b71d0760b800ebb839d3388433d892e3f509fdd7373677d6ba118215b510d74384410f02370d1200686ea7e

Download Submit
C:\Users\Admin\AppData\Roaming\AD1D4\414D.D1D

Filesize
1KB

MD5
7716a849770a6ab32277eaabb83d6136

SHA1
8e14ab815e57a642f251eb915501ba2e5a72581a

SHA256
4e2bb970914f31e2ed2a1513642abc8534074e41ef300473cb3ce5c92c8fc6b8

SHA512
4889330c5854c62315ee6f3ef2b39c0964d51fb1f18bf1d600ab9220ebb2c6fd73e21b752eff006c8768e7446cb17a33d98cf7a0a92b3ee44ba3e1ba1d16e619

Download Submit
memory/3988-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3988-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4084-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4084-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4084-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4084-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4084-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4084-300-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4340-123-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4340-125-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing