cycbot | 69cb39599ec6dc8f303ce5c4d31ada8077ad4b75bccb19225693ea7fd85b2788

General

Target

VirusShare_007ba442f5b2c76a737322525c270aa6.exe
Size

177KB
MD5

007ba442f5b2c76a737322525c270aa6
SHA1

a272d5e80c3165b7498e08d772694df3269cc822
SHA256

69cb39599ec6dc8f303ce5c4d31ada8077ad4b75bccb19225693ea7fd85b2788
SHA512

20870db83147b4602bafaf797bbe0353f4df598405373c6682e65c581be4a9980286cd205edf9147a6956ac03df8db7ee723b0316215991838341b6252f0aba8
SSDEEP

3072:ifQ/bZMoraTj2oQVGqsgWhlmSm5cHCuy5XDtaFyC/qxfoDXqaQOyCqwDi:cuDtFsVvmTeuXDEf/jDX9QOyCqB

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2468-6-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2468-7-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2124-14-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2416-72-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2416-74-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2124-160-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2124-199-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-2-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2468-6-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2468-5-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2468-7-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2124-14-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2416-72-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2416-74-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2124-160-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2124-199-0x0000000000400000-0x0000000000463000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_007ba442f5b2c76a737322525c270aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_007ba442f5b2c76a737322525c270aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_007ba442f5b2c76a737322525c270aa6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2468	2124	VirusShare_007ba442f5b2c76a737322525c270aa6.exe	29
PID 2124 wrote to memory of 2468	2124	VirusShare_007ba442f5b2c76a737322525c270aa6.exe	29
PID 2124 wrote to memory of 2468	2124	VirusShare_007ba442f5b2c76a737322525c270aa6.exe	29
PID 2124 wrote to memory of 2468	2124	VirusShare_007ba442f5b2c76a737322525c270aa6.exe	29
PID 2124 wrote to memory of 2416	2124	VirusShare_007ba442f5b2c76a737322525c270aa6.exe	31
PID 2124 wrote to memory of 2416	2124	VirusShare_007ba442f5b2c76a737322525c270aa6.exe	31
PID 2124 wrote to memory of 2416	2124	VirusShare_007ba442f5b2c76a737322525c270aa6.exe	31
PID 2124 wrote to memory of 2416	2124	VirusShare_007ba442f5b2c76a737322525c270aa6.exe	31

C:\Users\Admin\AppData\Local\Temp\VirusShare_007ba442f5b2c76a737322525c270aa6.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_007ba442f5b2c76a737322525c270aa6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\VirusShare_007ba442f5b2c76a737322525c270aa6.exe
  C:\Users\Admin\AppData\Local\Temp\VirusShare_007ba442f5b2c76a737322525c270aa6.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\VirusShare_007ba442f5b2c76a737322525c270aa6.exe
  C:\Users\Admin\AppData\Local\Temp\VirusShare_007ba442f5b2c76a737322525c270aa6.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FF43.551

Filesize
1KB

MD5
6832c7144c80ae26a2a58936f1864b7c

SHA1
95bebd78c9739be2b214f96ead48bd60aa1d7579

SHA256
2f054bef9fc0fdeee3ade75cd787d690614982e39e5c77438cf74d9ec8acfbd6

SHA512
988c07b70f83bc4af8f7a60878b6a2cba1eadbdf73f8f06f27d7bf3175d8be2b7634e328ae9bbda834db4b105a16cff89748aec31387198e2a61c555a67a26f1

Download Submit
C:\Users\Admin\AppData\Roaming\FF43.551

Filesize
600B

MD5
e59d093b706b2c6fffeccacd5799aa3e

SHA1
522cb31d7e3613e245ed3bc12b9713f6ae888bce

SHA256
9e3c9dc6d33f0b45be3080a5ea303d7db955954e57605c4b25f485db7d1cda87

SHA512
d4c67c3d727df9789c99594db665a74b30e91e13b8a8104b09bed26d5534d4691d6e9a35c84f8485403d7fe4bfe67bfe94e0be527c5f4031dce4d70bfd1e46e4

Download Submit
C:\Users\Admin\AppData\Roaming\FF43.551

Filesize
996B

MD5
0d9237e1f00fbec532831b2b04f961f0

SHA1
799a117656944a7ac9736c73523b1341c7500667

SHA256
201a15290227fa31ad041cd7521127334b2dca16b4e0e9207e362801b1d6a785

SHA512
cec05b9e0a018eda6184a7c1bc6e06056ca8ad9a3ba58472aa63f81ae8a33e1f1598392ea4b75ca4379ca00cc553790d45e6e05af17140450a9bd577993cd507

Download Submit
memory/2124-14-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2124-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2124-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2124-160-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2124-199-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2416-72-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2416-74-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2468-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2468-7-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2468-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing