cycbot | e3a7576bcf3c4dbe622fee504f227b9277464a2052ec949f152da4217149f0ce

General

Target

dwm.exe
Size

176KB
MD5

e767c8cc82455adeb3449c6f4b52eecf
SHA1

96ae33d589e81d7732bddd480165712e593619a6
SHA256

ab1bc691bfbe5f8bb76938bcf024678dc8505dcd4c0cc811d6db5eb0f5174537
SHA512

914192a5c92c1aac13d3e726ba7c512dc8cd8f34b98809b1d56ada8382f3e39219cd043404472e02e98ceb590d3a0456d76c051edaa19e9cf0e15f6e23f4398a
SSDEEP

3072:ZyMyARFdjQh68vOj+OdgHzMC5oWQWqGbItt7QPL+aD1L4K:ZyMy68Q+OdqZoWzbktJQzXD1kK

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral5/memory/2892-6-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral5/memory/2744-14-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral5/memory/2632-69-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral5/memory/2744-70-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral5/memory/2744-159-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot
behavioral5/memory/2744-198-0x0000000000400000-0x0000000000485000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	dwm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/memory/2744-2-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2892-7-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2892-6-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2892-5-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2744-14-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2632-68-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2632-69-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2744-70-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2744-159-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral5/memory/2744-198-0x0000000000400000-0x0000000000485000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2892	2744	dwm.exe	30
PID 2744 wrote to memory of 2892	2744	dwm.exe	30
PID 2744 wrote to memory of 2892	2744	dwm.exe	30
PID 2744 wrote to memory of 2892	2744	dwm.exe	30
PID 2744 wrote to memory of 2632	2744	dwm.exe	32
PID 2744 wrote to memory of 2632	2744	dwm.exe	32
PID 2744 wrote to memory of 2632	2744	dwm.exe	32
PID 2744 wrote to memory of 2632	2744	dwm.exe	32

C:\Users\Admin\AppData\Local\Temp\dwm.exe
"C:\Users\Admin\AppData\Local\Temp\dwm.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\dwm.exe
  C:\Users\Admin\AppData\Local\Temp\dwm.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\dwm.exe
  C:\Users\Admin\AppData\Local\Temp\dwm.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D962.0CA

Filesize
1KB

MD5
684b18c833050fc5fb7491455f98e278

SHA1
dc05db73090bdc374bd06ff92003d1561c24f2ae

SHA256
cc65485c68fa9040f6f15f5f6769b55c8e09ac73b8ae0222ae92316d6795bef1

SHA512
41cf8a3176422850c7b9b07377dcab08f09da21f2159b971de1aa20a259e5cb650151e83cf5a5aff5466506c60169038c4c1d1757b9bd13c79445d1fee904937

Download Submit
C:\Users\Admin\AppData\Roaming\D962.0CA

Filesize
600B

MD5
04871bf519b778c99d19c191e26e16c8

SHA1
19f5597d5b25086b2696edd1b89fba18c6bd4ce9

SHA256
ed457382fa3e35ac383b10d63606488be42b2e5b44e06622553c629d2634f195

SHA512
4d22cb0ea1892f713c85c022b82dafb111dfa1274f97afbd5f67491818d964b11c2ebfcd2e5438448d904daa087169cfb0a749af662301ed69f10a23ce010284

Download Submit
C:\Users\Admin\AppData\Roaming\D962.0CA

Filesize
996B

MD5
a2aaa3107145604b9dc5626ffac1e258

SHA1
bdab0610e41f5c4501bd75d66aa63662a8f2c92a

SHA256
49b6b028051cef9de4286c1683b5585cb66723ec4b61009438dbfcec99aadf25

SHA512
c7af2c46c160530ad23ca08af9ed9af61eb7f8c127802c64f289219b959dfe26f231a45fc4b38de49360b8e14ee437c509e67986a489283e20e4869defbfb0c7

Download Submit
memory/2632-69-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2632-68-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-70-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-14-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-159-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2744-198-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2892-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2892-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2892-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads