cycbot | bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652db

General

Target

bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe
Size

187KB
MD5

f038c8abcb879e38bf27acb8db28e2a0
SHA1

1c1fc5e80fd8b284607cfbaf9b8bf9b0cc58cdb4
SHA256

bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652db
SHA512

637d73485aed793f9bada597a58593d8f5a0a9fbae862e7dea46fc6864c933bd5f84babcc1355d7418c5d147bc10732bb1e6408ad2792ed744011a8775d60f8d
SSDEEP

3072:fb9fR6vPhkm9gDdMM9T4wYkgVGIeuK9RWZBmVPKCuoyH:fb9J6BkDdMMCwYkgwbu2VVPnuoU

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2704-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2740-16-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2260-86-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2740-180-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2740-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2704-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2704-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2740-16-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2260-86-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2260-85-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2740-180-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2704	2740	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe	30
PID 2740 wrote to memory of 2704	2740	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe	30
PID 2740 wrote to memory of 2704	2740	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe	30
PID 2740 wrote to memory of 2704	2740	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe	30
PID 2740 wrote to memory of 2260	2740	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe	32
PID 2740 wrote to memory of 2260	2740	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe	32
PID 2740 wrote to memory of 2260	2740	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe	32
PID 2740 wrote to memory of 2260	2740	bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe	32

C:\Users\Admin\AppData\Local\Temp\bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe
"C:\Users\Admin\AppData\Local\Temp\bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe
  C:\Users\Admin\AppData\Local\Temp\bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe
  C:\Users\Admin\AppData\Local\Temp\bd8c4f03932fa0171cf1fbd040d50269c1e3b7c7d84b04975753b3247e4652dbN.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8584.9FB

Filesize
1KB

MD5
a9edf14acdc9dd1e94f1db4c01a87489

SHA1
d4a57d1a38bce831c70be40663faca71e156390b

SHA256
0cd3d532d59ab2a0a6ba53e21c30af2d74d0edbdb8d567306dcc1abc6a0f15f0

SHA512
676a60228fca9ad3c0b1fc25b120d64c0739db8ddc7ab0374ad63dfbffa0ca65ceaeadde1c7a95aa4dbdd1c2f126d828ee4b44e4f0f1be1160038619061fbfec

Download Submit
C:\Users\Admin\AppData\Roaming\8584.9FB

Filesize
600B

MD5
1695b47d5ad96e21017a0ded9a988ebf

SHA1
596392394ef5d1fa811923d402709d849b9936d3

SHA256
93fbf15a1d44ff5c3063ec257c70ab1e61a3e7200a7d2b6a67c41cd82192f952

SHA512
9e92226dfa33d47090756b272029c03d03b78ce011141c2aeb1d2382769738bedbb13f9e4757a87e06ab877e452ec8ded49be3b10df7429d88bb13522f694fb6

Download Submit
C:\Users\Admin\AppData\Roaming\8584.9FB

Filesize
996B

MD5
91f3beaf6cb58b8d61b26947f99970ea

SHA1
4243e538b65f60f39a8b325e084a3e4dd9fd7c0b

SHA256
9606d7dc405c76dd537a54e2d6e3007a8875c01ff6dbb2c2ed4a723c670daab5

SHA512
1e6b078c66f3c8bf630b1df304a137cb3f3084cfabac9e21c414d5ca033113630426e170e2b554eadc4f995654cd7192f07fbfcc93e6db75d69699399d4a746f

Download Submit
memory/2260-86-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2260-85-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2704-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2704-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2704-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-180-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing