cycbot | 02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55

General

Target

02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe
Size

194KB
MD5

f63d833c10db768188e7d27c6440f021
SHA1

3dd44f62b6851518eb44008810f31f41efd715f6
SHA256

02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55
SHA512

e1d72af631620fd583146df64fce5b0df0bd8dbc39a498a29c669e210a902dd5cc5f47454142609845ef595dff5adeba85aff7b1d59fd3c3929e1ca9961fe585
SSDEEP

3072:5aIAIURcG02hGZ3yMAx4AvS/1JjU+hGGhVTOEPttEvuMu8asuiUh/b49neFiFaoB:5mTRx0z3yMQDS/XjzYi/lkBN7JCDZ4t

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2480-4-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2480-6-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1820-14-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2268-76-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1820-182-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process
PID 1820 set thread context of 0	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe
PID 2480 set thread context of 0	2480	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe
PID 2268 set thread context of 0	2268	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1820-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2480-4-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2480-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1820-14-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2268-76-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1820-182-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2480	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe	30
PID 1820 wrote to memory of 2480	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe	30
PID 1820 wrote to memory of 2480	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe	30
PID 1820 wrote to memory of 2480	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe	30
PID 1820 wrote to memory of 2268	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe	32
PID 1820 wrote to memory of 2268	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe	32
PID 1820 wrote to memory of 2268	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe	32
PID 1820 wrote to memory of 2268	1820	02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe	32

C:\Users\Admin\AppData\Local\Temp\02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe
"C:\Users\Admin\AppData\Local\Temp\02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe
  C:\Users\Admin\AppData\Local\Temp\02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe
  C:\Users\Admin\AppData\Local\Temp\02453b088c4789a664a7c5deea78e455d8d8681c266d58a569120d70cf7b9e55.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B5D7.2F9

Filesize
1KB

MD5
698912a8658797ac3ad22a199e8abe37

SHA1
2dd36be0d1689b70e1e32510c5d3c5686ab0305f

SHA256
53098a06078120e859e8a1c71f81fa68ac94e23aeb6da3a9a41e2f3e6ec7f493

SHA512
c88726623d2197dcbf6549af1090f5ee9535bb41770a7dbfab500245097aebfd716bec4b7df6c9b43dd50e47c58e488a114da0c0650d83f54bff2754f80643c2

Download Submit
C:\Users\Admin\AppData\Roaming\B5D7.2F9

Filesize
600B

MD5
15eb18c0b03e3b9904e3bdcc48329f76

SHA1
325be6b7238d7add5fd6c405d62859f3b07e0d05

SHA256
62aa6ae43b7b35cde5a3840d9fb4b23cfcc164081cdd6d369d240d02f16ae6d2

SHA512
6e2deba97034b5b978ffeb7c80281b7d2daba1c113c92016e003ff4e2cb04f51baec933eb4d7e67c434a9dc10be5e5b21102e5dee019912fae42ec9d4cd423aa

Download Submit
C:\Users\Admin\AppData\Roaming\B5D7.2F9

Filesize
996B

MD5
50a217783cf9dd0358323785453b41f6

SHA1
25d693eac5e91cffcb6605fb32d95a8f3ed17157

SHA256
194bb9e40693a00762c9f902757e607c7ec8a667eb7ef2a6e2c91682c4ae6668

SHA512
d8598630208c3b65786a203c54ed1bfeadf036a6c94f6daa178273f69c95086213a9d7ddf61201181e20d2bd29921ef8f36cbe4a7943072eef535801910c4ba1

Download Submit
memory/1820-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1820-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1820-182-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2268-75-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2268-76-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2480-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2480-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing