cycbot | a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305

General

Target

a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe
Size

185KB
MD5

e755860f7cecd6e6d29b4d05a9d57850
SHA1

1c763d478a8e15dde9b14df33b572c1e8e73c6c3
SHA256

a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305
SHA512

bc129288c4f80da85ca4617789717c713e761ed106e40d90420d88bb5f5a58d48221373e916bffd5dd8f50c26ce093cc21c20e036512066b9584a9e1aec30766
SSDEEP

3072:pLNmKrY2wW7KultckLEael5a00ciGS6725W8ZRfCdzvFVK6/U8WRG5OXc:x1rN37KYtc1Nl5aYMi20SCNvn/iRAO

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2680-18-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1660-19-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1036-84-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1660-85-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1660-156-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1660-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2680-17-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2680-18-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1660-19-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1036-83-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1036-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1660-85-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1660-156-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2680	1660	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe	29
PID 1660 wrote to memory of 2680	1660	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe	29
PID 1660 wrote to memory of 2680	1660	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe	29
PID 1660 wrote to memory of 2680	1660	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe	29
PID 1660 wrote to memory of 1036	1660	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe	31
PID 1660 wrote to memory of 1036	1660	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe	31
PID 1660 wrote to memory of 1036	1660	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe	31
PID 1660 wrote to memory of 1036	1660	a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe	31

C:\Users\Admin\AppData\Local\Temp\a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe
"C:\Users\Admin\AppData\Local\Temp\a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe
  C:\Users\Admin\AppData\Local\Temp\a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe
  C:\Users\Admin\AppData\Local\Temp\a7d2335f5ae0c8d56b61a575f63d67adf75531b612f79159fe1ab188f6c95305N.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5BDD.210

Filesize
597B

MD5
e423490e84fa17e0321a9b3b9aa20c04

SHA1
04d1f3aef3893a71e57ed5cb383eb3ae8b231c56

SHA256
bc6cb7b96a0cc236197ee76bab3c5878ffab31c0c47ce4d4390f1de64fe80668

SHA512
116fefc2ef74c93a70d906786c9fb311be7af651e37a7ae26933cc62642421f145d2a06e43aa00c4d175905aeaaab15ca59f8fc0c15fd6882855a5a65d048d08

Download Submit
C:\Users\Admin\AppData\Roaming\5BDD.210

Filesize
1KB

MD5
c53051db388f97ce6a5140dc70393506

SHA1
e5f58a87b8e672c00f30592840843a7239cf4227

SHA256
4fa4b45a21ba3eb8439f0eb3dc0bdf32ded3bfdc65767d545ec6b8d49497a091

SHA512
5cf0a110b1c34813292eb1f08842e6986b680b30a3f9c7bf3ab7041cd8232e4a4fcc3c26a148064a4b9b40bc7aabfcd080f9f78c52180130c86315727bf71950

Download Submit
C:\Users\Admin\AppData\Roaming\5BDD.210

Filesize
897B

MD5
b2dc3b47710ffda287560472a16f5e8a

SHA1
b723aa19b7cba9c61551856b7e48fac4fe1c8f5d

SHA256
edcdbd59b4b9921cb4fe6851696feb6c10d5d428f1efcf6b87e5866615d945fb

SHA512
3f83a91d39a48b08865d19ec0888f0b5dac5b9e6fa252dd10a67d8e79569a992d8d4d7a92aa7f3ecdae88aa869e65ec55796a669d19a5323b3f1e705220a354f

Download Submit
C:\Users\Admin\AppData\Roaming\5BDD.210

Filesize
1KB

MD5
264d2613cb405f6b6bada90fabbacad6

SHA1
8d267a7e5f8ab772bc68eba9d218b4f00068df38

SHA256
594e35c211d418ecef88447df2995aab5fac0cda67925896c2f7a70f49ee6e17

SHA512
26ef93ebbefc94661e1afa24264cb9a581f52e0efbfd0580554040f0f6d94f6687af2c20b2b452aa18593c7c801bbe10276b0ee77c33833ca26d3db4105d6c56

Download Submit
memory/1036-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1036-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1036-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1660-19-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1660-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1660-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1660-156-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1660-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2680-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2680-17-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads