cycbot | fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd

General

Target

fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
Size

170KB
MD5

d5624689ee615f9503b4d85f151044a7
SHA1

de0fd513a529c8f5f736ab4b82c7b18e7bdb1df9
SHA256

fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd
SHA512

203c1caa587760ce8fca0c89c16d3291fc85bd9a8452ebc7a01c591223236d5a54b7ceaf4f0243c90a88ff2f0f6f2d42c15cf2771e335a8b6978503255394edb
SSDEEP

3072:YBj3OovdbTMucfSTk5trgIOtComxDBqdpD:YBDP2uRTEXOtZmaX

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/3496-14-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/5076-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/2124-74-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral2/memory/5076-194-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5076-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3496-8-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3496-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5076-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2124-73-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2124-74-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5076-194-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3496	5076	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	82
PID 5076 wrote to memory of 3496	5076	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	82
PID 5076 wrote to memory of 3496	5076	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	82
PID 5076 wrote to memory of 2124	5076	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	87
PID 5076 wrote to memory of 2124	5076	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	87
PID 5076 wrote to memory of 2124	5076	fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe	87

C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
"C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
  C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe
  C:\Users\Admin\AppData\Local\Temp\fccc86ae3430b5816c891e8b8425bd49fc8f0e9d7fa523199b67d9c279d2e4dd.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F4F2.338

Filesize
1KB

MD5
78c1eff2ae2d1932c544286a913b542a

SHA1
b0388380cfa0d7c1ae93a73a34e3f6aa0a2b837e

SHA256
b9a37c292a198bcd5799786ddd30fefe145f1de6af09ebf83bcb9892f319e42f

SHA512
aa8b1cf45bbba86745a9ad937f63db4cfddaed181fddca12a6cb6422cfe07aaa6aee1de848eed7f5b7b74b7cb874d444d8968e6ae318322475280c14db7940d0

Download Submit
C:\Users\Admin\AppData\Roaming\F4F2.338

Filesize
600B

MD5
f3835465eeafe0b37ae4ca06f710b246

SHA1
08990c25c26ad2ac1e6f19e4d5029d4530fb13d6

SHA256
3f3291779d3f3b4a04c48ef027f4eae9acb27ea1dd04a0eb45cb49e4a773bc5e

SHA512
37d07dfc96630032ed3ad271c2880ddbadf180325366c755267fc212717ef6676a3ab636ad5affe2b26dcc3382eacabbd3d6782ec34fb904b9109b1a5c32223b

Download Submit
C:\Users\Admin\AppData\Roaming\F4F2.338

Filesize
996B

MD5
64c465910c4b6779e1dc1b2856593823

SHA1
a684afa183018c940e38fe2f6a51575863bc89a4

SHA256
7b203e1aa21d5cb7df29f47af4679647bc8feb643120b0859d0fa5ec0071421f

SHA512
af70d0f091367ca4595d55a0226068d5e33560481c63c26a67210435d4b4bb88f9371ebe9c819e91ce96186fcb0204a284bce9bbe610dad1518b590b9f5a5814

Download Submit
memory/2124-73-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2124-72-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2124-74-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3496-8-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3496-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5076-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5076-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5076-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5076-194-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing