cycbot | e3a7576bcf3c4dbe622fee504f227b9277464a2052ec949f152da4217149f0ce

General

Target

conhost.exe
Size

170KB
MD5

7ac38de1d2bbed88a7a11e015d12a2a6
SHA1

661e558267e5b301e0df29e88ff12a3d783353d7
SHA256

81ba9b2a1b6cb4955eaa2e98181c0857f5debadf0c2c5db6c73edbebbf5a61ae
SHA512

c02a29345ea4898f5f0b98b3f08558adb0e9cfd681ff1be1979a672005f83107f8b1ede6623719fd9417fb9e8ed42ff9ceac10060ef360a7818959feaef94906
SSDEEP

3072:+YahorLVDXDnvSUldxcNsplALB+VvcS2lagG2ranXx/WU5kqlZJ5tV4fd6hRH:+Do3VDfZcOLAF+Vv2wH2raXpWy5rVwy

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1548-6-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2968-13-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2508-76-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2968-77-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2968-186-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-2-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1548-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1548-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2968-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2508-75-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2508-76-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2968-77-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2968-186-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 1548	2968	conhost.exe	28
PID 2968 wrote to memory of 1548	2968	conhost.exe	28
PID 2968 wrote to memory of 1548	2968	conhost.exe	28
PID 2968 wrote to memory of 1548	2968	conhost.exe	28
PID 2968 wrote to memory of 2508	2968	conhost.exe	30
PID 2968 wrote to memory of 2508	2968	conhost.exe	30
PID 2968 wrote to memory of 2508	2968	conhost.exe	30
PID 2968 wrote to memory of 2508	2968	conhost.exe	30

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  C:\Users\Admin\AppData\Local\Temp\conhost.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  C:\Users\Admin\AppData\Local\Temp\conhost.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\01EB.60A

Filesize
1KB

MD5
4f926180d681bb29230ef31aa736a1dc

SHA1
8f18c014d39f4b1494803990fdb2558937cb4d7c

SHA256
e231e016a873c261cb13a99259d129c89cb32e808d3c9978952dcdca5c30acd3

SHA512
882e39f39e898434a93e85e90c253bf28ece1eb77846404cbd6d73c115a512e4856e43defe005bbbb81c5bb26eab42e62975eb64100884361dfd9f84b4f52be8

Download Submit
C:\Users\Admin\AppData\Roaming\01EB.60A

Filesize
600B

MD5
24dff2fb570c93a8d8338048e5195a79

SHA1
25160bca5215e5068bcc8d7b9131a1f437d2b3bd

SHA256
e907b645e4595edc3e3cc8e6287e3ded8ffe5ebcb793b4a2f60a1b023ab87fdb

SHA512
eb12102c876fae2846bc49977194d42621359ac3747248b042dca3b9d9ab7b2d156bea683459d0617a12bb32d329c1456acf14c25ece125aabb4c2d08152e366

Download Submit
C:\Users\Admin\AppData\Roaming\01EB.60A

Filesize
996B

MD5
8f5a2d625c5efb19d6384346be55e7c4

SHA1
50705f073bffdd16af5f9a66e2a8091e66aca54e

SHA256
415a04f8cf5435dbac53c3ed4a1bbb68f6cdab10f58cbbf651ea58417587c764

SHA512
6dfb25dd0a79fd2843feba1e9fce33701e5d4791caca97acb95764ba2d9aff25d109891e976be2838b9f7ed1d2b9718e60fd0299fcb7401e39792da75b678ccd

Download Submit
memory/1548-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads