cycbot | 5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871

General

Target

5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe
Size

183KB
MD5

d35e0b4f895b3dbd84aebc6f3dda1613
SHA1

d30c0c8b5f1a5f893f6f912ed53ed89149370913
SHA256

5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871
SHA512

7b5bd4bf25d568e992cd67b89d23b0ae16f99a9559e0d036af5c7f1a8f6c9ccdbb7656f2dfc7580bb9830d8f6ed41a26e2b3644df76b6f15b1ecda11e73ffe79
SSDEEP

3072:fYHpYZ/JsSGzKm76/2iBm86QWmfK6uNEIXV5AnLATyCILNM+f6I/weymDVtlSyj:fYHpMBs7Pe+iMsK6uDV5nkBBiI/weymR

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2112-1-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2332-10-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2112-15-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2240-84-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2112-190-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-1-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2332-8-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2332-7-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2332-10-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2112-15-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2240-83-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2240-84-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2112-190-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2332	2112	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe	30
PID 2112 wrote to memory of 2332	2112	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe	30
PID 2112 wrote to memory of 2332	2112	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe	30
PID 2112 wrote to memory of 2332	2112	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe	30
PID 2112 wrote to memory of 2240	2112	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe	32
PID 2112 wrote to memory of 2240	2112	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe	32
PID 2112 wrote to memory of 2240	2112	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe	32
PID 2112 wrote to memory of 2240	2112	5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe	32

C:\Users\Admin\AppData\Local\Temp\5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe
"C:\Users\Admin\AppData\Local\Temp\5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe
  C:\Users\Admin\AppData\Local\Temp\5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe
  C:\Users\Admin\AppData\Local\Temp\5277841615325fd8093218175146b54f9baea02b92c1951cfff8e3f156f7f871.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CCDC.D17

Filesize
1KB

MD5
693575be39ca480b71623220854664dd

SHA1
962c4ebb38fbc857c4d9902a257518c4949d5ca4

SHA256
7be1f76c35dc6a9ded802d9ed2cc82818ab7ecadb6ed05d8565044d54cf912da

SHA512
ca53483e2d270d3cbdee224f4373e50b02c0b8bae0b4aebf243f94e6cd5b54ca7aa0cf09c95492f01dd0cf42a6922c0512796789ee82ae027dd9cfe5564e08d5

Download Submit
C:\Users\Admin\AppData\Roaming\CCDC.D17

Filesize
600B

MD5
31703a4c1d19288ccbe1df900c08a7c9

SHA1
b262132341ad8a03df3fad168f49d7c8a24ee390

SHA256
3d13d4723b15dab79eea38c122625e9c7bd6a5ab63ead09398126cf9200d832e

SHA512
700ea0e8b09ea33acb720374f04080753c89123f38b668e6abfa8d6b63fe8e928ee44b9ffc9513f17cf1ec25cb4cd933a2a7cc8a38dd6a774c7773cf7542f274

Download Submit
C:\Users\Admin\AppData\Roaming\CCDC.D17

Filesize
996B

MD5
6362bc2d80a8d6a27c2042c6429bf5b3

SHA1
b50db6b83a4b4b8079fb42ee4946a863c41ce79f

SHA256
a16a4639093ba9663e452408c2adc1e5369ee24e97f3d7a4ae84269dc52e1b56

SHA512
71a5eea4a7bda29694818356df870697644d57548af449eaa73fcbfecde4b4ca3b8e576ce0ffd3a49d0787eb0e5c4cb4ef0394e183e807560253da1de4048232

Download Submit
memory/2112-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2112-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2112-190-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2240-82-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2240-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2240-84-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2332-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2332-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2332-10-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing