cycbot | 0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5

General

Target

0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe
Size

187KB
MD5

43442a194efe5da915a27ca5fee56acd
SHA1

d502bfe2fe033e0710c3efcf0d25fb18d30e3d4f
SHA256

0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5
SHA512

fd82e85cf4f475d7ff38dc120c26034b65b07eb353ce608aefe0a35ba3af6f340a41e15d4cc02ae1fb8c011098d13bde911696c79f87e17ebfd7ffff3fbf66cb
SSDEEP

3072:fb9fR6vPhkm9gDdMM9T4wYkgVGIeuK9RWZBmVPKCuoyHS:fb9J6BkDdMMCwYkgwbu2VVPnuoUS

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2692-11-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2284-16-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/704-91-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2284-192-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2284-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2692-8-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2692-9-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2692-11-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2284-16-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/704-89-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/704-91-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2284-192-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2692	2284	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe	28
PID 2284 wrote to memory of 2692	2284	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe	28
PID 2284 wrote to memory of 2692	2284	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe	28
PID 2284 wrote to memory of 2692	2284	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe	28
PID 2284 wrote to memory of 704	2284	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe	30
PID 2284 wrote to memory of 704	2284	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe	30
PID 2284 wrote to memory of 704	2284	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe	30
PID 2284 wrote to memory of 704	2284	0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe	30

C:\Users\Admin\AppData\Local\Temp\0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe
"C:\Users\Admin\AppData\Local\Temp\0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe
  C:\Users\Admin\AppData\Local\Temp\0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe
  C:\Users\Admin\AppData\Local\Temp\0998d9a19f0405001758994e4aa09028bc2667ce91423a2e57cd23cd9bb2f3b5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\91E6.771

Filesize
300B

MD5
c39f7bfe21354b9cb82dac308ae191b5

SHA1
8c72cc748a50a7e60412a69a6f0fdd363c73c788

SHA256
dc34ffb89fb097b62ce1ec105c71e42e3045290c29455744861397625e2deb39

SHA512
f2d2b1dd366f3f82f728a0326076001dc44fa607906aeb3595e544d2d2bd818f333bcd101043afa2743086eb4ddd7ab7712049d73cf0639fd425e9669688031f

Download Submit
C:\Users\Admin\AppData\Roaming\91E6.771

Filesize
1KB

MD5
a97bae59bf21e210abd14d80c09e44d1

SHA1
a4e50ff817c14431c36b21cabddf55345dff5db4

SHA256
4cb5e11bfd7b6622dc66fb3f4a354f301f85ad207e6ab621576253a96a3ffa46

SHA512
308bd657b63bfc186bc82a902435141c10b2046be0eef948c49f22649663009fe67ba1b20a729a58e5b9a231425a0f83a424ab2cd96ebb8ce5065e496201161b

Download Submit
C:\Users\Admin\AppData\Roaming\91E6.771

Filesize
600B

MD5
c8c6ee108a0b25f2fa60c1c96818fdfd

SHA1
e9c73812a3080431ca0a12dd2d763db75f7e83cb

SHA256
3f8d5d246eb0da443f1db5c774d4806af71d48bf100142f6982613fdab3a1448

SHA512
4ac2a8911e4819f3512c755fd5cca578de38ec1d13135ec33dffe9d6d361e3413ac748eac5e14ba5339e7f0e19d1db395611a0d23515e3ccf1af1fc8e6e447fd

Download Submit
C:\Users\Admin\AppData\Roaming\91E6.771

Filesize
996B

MD5
5f99c91f91214e759ad50e338c7269dc

SHA1
c12c497b88e1730f2dccee79b44a9a15681626c5

SHA256
2cc0c0430b4d653281a967c680afd059dc40597d26662f2b838f16c416be60fe

SHA512
fb2f8bf05c53d21256bfb4a698fcde96939a6adf2be1c3959390a58d97a2cd87f7bdfc4f6e6195fee73224061e3f2be39a5b410ce679daf852cc03b189c15ade

Download Submit
memory/704-91-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/704-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2284-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2284-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2284-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2284-192-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2692-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2692-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2692-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing