cycbot | fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd

General

Target

fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
Size

170KB
MD5

d5624689ee615f9503b4d85f151044a7
SHA1

de0fd513a529c8f5f736ab4b82c7b18e7bdb1df9
SHA256

fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd
SHA512

203c1caa587760ce8fca0c89c16d3291fc85bd9a8452ebc7a01c591223236d5a54b7ceaf4f0243c90a88ff2f0f6f2d42c15cf2771e335a8b6978503255394edb
SSDEEP

3072:YBj3OovdbTMucfSTk5trgIOtComxDBqdpD:YBDP2uRTEXOtZmaX

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2352-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2352-14-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2824-16-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2764-89-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2824-206-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2824-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2352-12-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2352-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2352-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2824-16-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2764-87-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2764-89-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2824-206-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2352	2824	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	30
PID 2824 wrote to memory of 2352	2824	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	30
PID 2824 wrote to memory of 2352	2824	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	30
PID 2824 wrote to memory of 2352	2824	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	30
PID 2824 wrote to memory of 2764	2824	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	32
PID 2824 wrote to memory of 2764	2824	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	32
PID 2824 wrote to memory of 2764	2824	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	32
PID 2824 wrote to memory of 2764	2824	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	32

C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
"C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
  C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
  C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\78AD.819

Filesize
1KB

MD5
4bc723564e3db344b41b17eb0dad6d18

SHA1
4ef3f0f7a117965110803f9b8ecbd2991a05b058

SHA256
1cfd375bcf0ef1c312e9507131aadf6eb1d15f1a0f68ff3628ed9c93ccb43f62

SHA512
110d0d0ef75f3b645978bbe8678603e2ad1f8df5be565cbdd4ed57e21e9f05dc483a2a73fd59b44caeeec29d8c9715d897dd225131880764ea7fbbb51a847766

Download Submit
C:\Users\Admin\AppData\Roaming\78AD.819

Filesize
600B

MD5
6a5ba347ac3cef70ac70c1a6ba34dd73

SHA1
2c7031baa1c84c8a9049eb34b6958e537c18fc38

SHA256
b82953de217891e51292cf81b9d4a5e96c6cbfe189da868f91bf7519bb2d81ce

SHA512
ec82c7ef2970e0b11905ff22b78bb03b8956e149bd0b6c9d62ab1df7673f68d033445919e463cca7d2f51e1aaba0d632db5054692720e037e8b8cc53b664b94f

Download Submit
C:\Users\Admin\AppData\Roaming\78AD.819

Filesize
996B

MD5
ed8f9ff3a281e7f7314bc9711ec4257a

SHA1
4decf8418aa10fed451fede2d7c3eb108a7cf95d

SHA256
e574457d144f792e6e1b1fcab2844ecb3981ce5f8b329e7ee3882e791afaaecc

SHA512
171aa41262a62686e57ea5aac8984369d57cc896216aa8beab809ff80c67255efaf16fce3f9fe081473648c2dc8ff5e60c0632f5c8742e0130e3310ef56b3335

Download Submit
memory/2352-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2352-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2352-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2764-87-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2764-89-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2824-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2824-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2824-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2824-206-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing