cycbot | 30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade

General

Target

30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe
Size

167KB
MD5

9e54d1068d912e2ad14d14ca6844114a
SHA1

dab658a004f10cc5af9e1db907c0f24d20a4b45e
SHA256

30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade
SHA512

35b76faa74db79b700930899bb94d89ca438c58027b406aa4cb74ac537917e113b45d6271abee760230ca103b429bc30952c2422317651660f8b0ba03a1003aa
SSDEEP

3072:1/JT+YPf75ysw4dB6eWth+WU8wTtNUFLwvPITiyTRbd0v0m7:pJy+24dc7h+p8wwFZiSRbd67

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1556-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4816-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4816-81-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4312-86-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral2/memory/4816-199-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4816-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1556-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4816-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4816-81-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4312-86-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4312-84-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4816-199-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1556	4816	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe	82
PID 4816 wrote to memory of 1556	4816	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe	82
PID 4816 wrote to memory of 1556	4816	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe	82
PID 4816 wrote to memory of 4312	4816	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe	88
PID 4816 wrote to memory of 4312	4816	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe	88
PID 4816 wrote to memory of 4312	4816	30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe	88

C:\Users\Admin\AppData\Local\Temp\30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe
"C:\Users\Admin\AppData\Local\Temp\30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe
  C:\Users\Admin\AppData\Local\Temp\30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe
  C:\Users\Admin\AppData\Local\Temp\30b2f7b57388ffbe29f99042d4d34812e6e8b2e68df5667709c24a589334cade.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4FC0.A09

Filesize
1KB

MD5
b5863301d91341c5fe031748dcc19812

SHA1
c83fd6c3167e08507f76087e35246d7db3bbc01c

SHA256
3109ee3598d055d1266177dd12d6926946d62b38eb61477ddaa8f2b151954675

SHA512
3c8cb3472fdc41e1c2acc8539547b933c9bbcf69f3dc5fd6e7363c22a223b1d7c47c7468e75696fdde473cad12862d7245d1369d120a337d7918c074e40dd635

Download Submit
C:\Users\Admin\AppData\Roaming\4FC0.A09

Filesize
600B

MD5
d1fc536cfae42daaf2b8456fe850e89a

SHA1
be8c1fcb03c1aa044b1214add2984911737d1a9a

SHA256
7bc38db675933780e49bc9cdb4b3badafdf819eeb83d86975567cbdf148de178

SHA512
90926d85886506f703ddbc069d5f8e3bb450883f004252fee1c546ac552b61827ba2ec7814fdab0112c94a72e0221d548c37fd2d569a736a34a2b939ef3b17d0

Download Submit
C:\Users\Admin\AppData\Roaming\4FC0.A09

Filesize
996B

MD5
217341ce6f9ae226b2928b9799548f7b

SHA1
3859bd4746d9432165c5f4e18b303d412e78f35d

SHA256
6999e6c8a4995066106a37cee7ff5cd9de6b9ae90808ee86533c34bc49fccbe0

SHA512
ccff458822972bc1143350d4af73117819fc34fb502347a21036470b26eed8913cf228bdea37674800fd3566feb4dd169be258059e0bcfe51442f29878e4f1a3

Download Submit
memory/1556-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4312-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4312-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4312-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4816-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4816-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4816-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4816-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4816-199-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads