cycbot | 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095

General

Target

31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
Size

165KB
MD5

cd0e91bba7713d1a7c66d50c4f9aed90
SHA1

fc4dde2537881ce341b8054fe64a9659a235bfaa
SHA256

31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095
SHA512

2a1eb564056bb3ea26d4ec36ba1c88482ec7fb26b788dbcde7389f654400403519d0d9c82ec544694e668ddbebba0b3a28ca4e70bf0e452764a6b5ada50615a5
SSDEEP

3072:EfkfcHxa/ZrtSBnZ+k2/d7V2g855t1dRTvydaDgA+XtZ4X:akfcHxaRhS7+kId/85zLRxgAiZ4

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2928-18-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/2520-19-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/2520-72-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/1344-75-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/2520-184-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2520-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2928-17-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2928-18-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2520-19-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2520-72-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1344-74-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1344-75-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2520-184-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2928	2520	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe	84
PID 2520 wrote to memory of 2928	2520	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe	84
PID 2520 wrote to memory of 2928	2520	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe	84
PID 2520 wrote to memory of 1344	2520	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe	85
PID 2520 wrote to memory of 1344	2520	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe	85
PID 2520 wrote to memory of 1344	2520	31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe	85

C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
"C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
  C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
  C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C915.BE5

Filesize
1KB

MD5
307c49262d13e33386fc157b72571ca4

SHA1
c0ff90e2942312119bf8e511e58d71ff0f29b8da

SHA256
fd739d20683d941173009e1c867dae81f1cc33586341fff900519928e69eed6b

SHA512
aeb233baa4bb88a9f5111d4dd0eec781588f8a930d6771daaf089e02ec108f2d71c3ff3eeb1b9e7db0cfc994cb53803e89453b5c47cb16c1525d1a8a8b6dea22

Download Submit
C:\Users\Admin\AppData\Roaming\C915.BE5

Filesize
897B

MD5
9ed8d85c4687b5da8da0adc74049771d

SHA1
4a37c7b4aac3167680b688ea7d904c3c9b10543b

SHA256
88ed9921bde8746306cfe34512f764e8591905934b1444693f4dc5368f507dc6

SHA512
d096693ad2d5058553ee6033595a4baac40a7db3dfef025bf86fa8c5504995f533725a94a759457d0ab2baf11242245725d524f43f6bc29abd5e42e3b6876a4f

Download Submit
C:\Users\Admin\AppData\Roaming\C915.BE5

Filesize
1KB

MD5
633c7ac80a09523c4d52711651025bff

SHA1
b8054fa6a035274756c8906895b9d46e77acb4f4

SHA256
2a895c528bfc05e56aab02467b891665f2fd03dc17ef59fc83bb6e39b78ecd3a

SHA512
afefb23ddb220d7049c8d786d22f2043178c6fd5a60e87f56537fbf17fa7b39af65b5fca8b87e04de8437cc019e2668488458daf966a8e2c9a5deea5631805b2

Download Submit
C:\Users\Admin\AppData\Roaming\C915.BE5

Filesize
597B

MD5
3e8c2045570149b2003e090d0624e200

SHA1
f39996dfde1340d76262f6975c72c3dfac773037

SHA256
59f8ca440d8b52b33a434db5e5bf90336972afada2ef542bb9704b07dd74c3e7

SHA512
ac57465e72bad48fcb262ffb3e8d90a4eae589511950695e653693f71be12275b33b5207165fe61b620d8b611bb73c27ac46e8827df7205c96e1dc491fc694be

Download Submit
memory/1344-75-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1344-74-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2520-19-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2520-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2520-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2520-184-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2928-18-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2928-17-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2928-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads