cycbot | 79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063

General

Target

79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe
Size

174KB
MD5

b16a5e17b688d20385e514eac377f8e4
SHA1

2e6ed391beba18046245e8a8f51d3cad9ae71077
SHA256

79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063
SHA512

1784a3b1f3d91f01fef9db54462fdbf6612228d0586617f2d854ccd608ffb505471564bd9403f3b080d3b914819e7a2302c5b28a33e241572984285cb7eb6e7a
SSDEEP

3072:C22Azyo0VnGnAvTuXXwedA4Hk7iRnLQ9E594BeKLI8GB:C2vQnG0iLA4fnLQ9k94y

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2868-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3012-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1472-82-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3012-83-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3012-189-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2868-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2868-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3012-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1472-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3012-83-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3012-189-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2868	3012	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe	30
PID 3012 wrote to memory of 2868	3012	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe	30
PID 3012 wrote to memory of 2868	3012	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe	30
PID 3012 wrote to memory of 2868	3012	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe	30
PID 3012 wrote to memory of 1472	3012	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe	32
PID 3012 wrote to memory of 1472	3012	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe	32
PID 3012 wrote to memory of 1472	3012	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe	32
PID 3012 wrote to memory of 1472	3012	79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe	32

C:\Users\Admin\AppData\Local\Temp\79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe
"C:\Users\Admin\AppData\Local\Temp\79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe
  C:\Users\Admin\AppData\Local\Temp\79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe
  C:\Users\Admin\AppData\Local\Temp\79a4a5e6feb6a56fad15ac7049336242b44922690825f76fb21e2c6bcfa18063.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\26D1.59D

Filesize
1KB

MD5
9b6b4494a3776591d9d20cf57726b34b

SHA1
92f14ae88d9933fa12a46835748c835b33bc9395

SHA256
05bc80cc90339f5d64469d51517329aee801ac7fd7570d66400d6a6a0959065e

SHA512
86ac011b16fff7b3f82a0883ab86ab8e7fa03dc13b489906263360d21f4cd36cbe82b37a0dea130b4722d53eebb08b331a3c9c3bef5b3c38cd96217cf4b32015

Download Submit
C:\Users\Admin\AppData\Roaming\26D1.59D

Filesize
600B

MD5
d3b0ab960e97c05fd3c97c5c39e52159

SHA1
bb96b80bd8ac13f937bd114c373469efb7da9f8a

SHA256
8701fb83fa66c891f70dbba5187ee33f44a4221c9a118a983e6d29df8c065327

SHA512
e06d40003cfad460dcac49e77078e0f9ca4db602726c7cf0ffb2ccab98245395f75f01d5ae7b84404b9bb641c9fed34cdf9755b9463488a0f45e072d13f39de9

Download Submit
C:\Users\Admin\AppData\Roaming\26D1.59D

Filesize
996B

MD5
5b58f5f3b614b425af4040d8a96ee6c4

SHA1
dfb556b75ab2b1eded5b573f03e8910ab5f14009

SHA256
915c6771f1cc644493d50c7af6c3445dddd25967f8afdb69c5fc7ab66fd64bb9

SHA512
b737adb3359ac946e44cf0d6643355b8f482e90d1dfe4b60ca1f38e9a5caadeac85016fdb3c77091cf62f51c2c3f99f4ef61b323cb1d23a3412ed87a76a46534

Download Submit
memory/1472-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3012-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3012-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3012-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3012-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3012-189-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads