cycbot | e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c

General

Target

e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe
Size

164KB
MD5

d9969bf00cee00beb8b45dc47832c456
SHA1

c8d82754bbc952410a1364d54339707122976ece
SHA256

e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c
SHA512

e03706fe761304b25e8ec8147c1663ca3361fc9d97150f2f2af22edb91c26bb077ee9910a0033f0d4d745f993024c72416747cc5cc576c518f22d4d8b4944906
SSDEEP

3072:Nq2QaPFCJm5y/MC/ikf4jNDAL0nAftn6s4GASe:NJPF7kMCfM1AeAft6L3

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2892-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2448-16-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2300-82-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2448-83-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2448-192-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2448-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2892-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2448-16-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2300-80-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2300-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2448-83-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2448-192-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2892	2448	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe	30
PID 2448 wrote to memory of 2892	2448	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe	30
PID 2448 wrote to memory of 2892	2448	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe	30
PID 2448 wrote to memory of 2892	2448	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe	30
PID 2448 wrote to memory of 2300	2448	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe	32
PID 2448 wrote to memory of 2300	2448	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe	32
PID 2448 wrote to memory of 2300	2448	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe	32
PID 2448 wrote to memory of 2300	2448	e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe	32

C:\Users\Admin\AppData\Local\Temp\e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe
"C:\Users\Admin\AppData\Local\Temp\e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe
  C:\Users\Admin\AppData\Local\Temp\e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe
  C:\Users\Admin\AppData\Local\Temp\e67f13d57adc43efa0fec72de5064930d958c20616c3bf437cc8365a765f363c.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0293.737

Filesize
1KB

MD5
6b33deb7d8cd0ade71d5115d89e7998e

SHA1
68f4b2721de3cf20ebad18a56037271e1ddaa7ae

SHA256
eaa4f5aab8839b3173d7b2a9685378ca107b71a76b8ae372ccac62e4e48addbd

SHA512
cabeb9ddd491cc23578c8952c80e2113239a6f56e2fa16de21a481d876a11d218b863529af8eba65ee55b703534b258593e120ae54e54f184cda66c7a451041d

Download Submit
C:\Users\Admin\AppData\Roaming\0293.737

Filesize
600B

MD5
74f67a57ad287842c7da1cf1cfc432b6

SHA1
b46792f2753119d50d25f677a662a570d9b05aa9

SHA256
dbff57d212cc194d8831efbc4d76e73e5bf3d6b5d7a71e1cf6a4b927302bc11a

SHA512
82d7f4f8b1a6186e5059b145ae4b99a8759fed60dacc1856f48d3c04ffe7c7feab768d5285eb5b0b253cc886c932e8bd363b7078c428dbfd2c19fc5eed5f2a62

Download Submit
C:\Users\Admin\AppData\Roaming\0293.737

Filesize
996B

MD5
3099d3a7151449cb3f1e2e5283e1ab3f

SHA1
df91d9254db3640f6b2d33963ab025261fd329c8

SHA256
929bd77271afa65c4d3a67276a1a08cf7036ccb3cf0e7afbf0f53b0ff9e3133f

SHA512
1efdb0e93d2e9e28bf1d297a6cab63833805666a7c8e8a15d981e81766fbb24b4ecfe0ef877c3146ef3990de4b5d2d44a047e57ca06fc9b4a25b17f4a65e9323

Download Submit
memory/2300-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2300-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2300-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2448-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2448-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2448-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2448-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2448-192-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2892-14-0x0000000000546000-0x000000000055F000-memory.dmp

Filesize
100KB

Download
memory/2892-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2892-12-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads