cycbot | 508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde

General

Target

508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe
Size

182KB
MD5

da609639cd6b332859be2ef83572692b
SHA1

170b8aaaf252402369111bc90836abe17d123d58
SHA256

508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde
SHA512

323e976247969d4c6d85a88f5c970190786dbdeadd25aa866c43e217c6105de3c82e9453345d5e0d096df42df1f7d9f678701cc9efc2f42ce989814024592a16
SSDEEP

3072:ds4J1ymzfWOjnwGOn1UnfsofawcnZ6nf5MrAyIOJEWSfOuE6IGTm/nQ:dHJUEfo13FwuZo4JIHOu2G

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2820-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2316-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2224-89-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2316-188-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2820-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2820-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2316-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2224-89-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2316-188-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2820	2316	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe	30
PID 2316 wrote to memory of 2820	2316	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe	30
PID 2316 wrote to memory of 2820	2316	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe	30
PID 2316 wrote to memory of 2820	2316	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe	30
PID 2316 wrote to memory of 2224	2316	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe	32
PID 2316 wrote to memory of 2224	2316	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe	32
PID 2316 wrote to memory of 2224	2316	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe	32
PID 2316 wrote to memory of 2224	2316	508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe	32

C:\Users\Admin\AppData\Local\Temp\508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe
"C:\Users\Admin\AppData\Local\Temp\508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe
  C:\Users\Admin\AppData\Local\Temp\508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe
  C:\Users\Admin\AppData\Local\Temp\508aa5c3004bee26836a4cd2f81cf56e22d7b6d9cf9dbb124a375880c16b8bde.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2C01.CDF

Filesize
1KB

MD5
0733bc90c4c1f6178b45bbd8a9c6e1ec

SHA1
17ba007c9899f529b430129a5fd783aab0c91aa2

SHA256
c8a5b73226f0d8c798b7642eb1da391750d8063b2e5345101be664c67a7ad83d

SHA512
ac48e0723507ab7eed41bccb292f10cbdb413a0e49a943b1beb584af95ca5b7c5207888a86d0b46080bb8bcea00a2d8fdff9076c0da83f5527dab6296510dd28

Download Submit
C:\Users\Admin\AppData\Roaming\2C01.CDF

Filesize
600B

MD5
e2f3f2436020d6baa73931e917aac7df

SHA1
86b4690bdf1fd30619bec42221623e08b4049f95

SHA256
d21e86891c67f1b5f16485ddd95a0d7dc2ee66299aba2c83442eb0fb8e6aff50

SHA512
f6ef06e291fc262d0caeec30ffab130814c024cd9dd7a7ecb62269adbfaf700fefb99c5a84fb4512cb0bf5d58db56196d83ceb672c5ffbbce4a03874d3966bb7

Download Submit
C:\Users\Admin\AppData\Roaming\2C01.CDF

Filesize
996B

MD5
16fe7dad28039f545ba953b6c3e6aecb

SHA1
1c8d37898f1cff03ab1be57f21dc40d2c42e0be4

SHA256
9fc329235ae162312ce7c5a8fa035801300e03dd6c68890468c51505691071c4

SHA512
f9c2a9473db7029bfecf2fa1bb2e35954218b59940bf73f4dfd11b5f9665f829eb220fb729f0a70e5b55f15351b746eb33109f924d55b8ce6a46c745a29a8460

Download Submit
memory/2224-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2316-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2316-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2316-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2316-188-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2820-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2820-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing