cycbot | 75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6d

General

Target

75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe
Size

167KB
MD5

0644a36112dc84e64ec836abcc9d4bf0
SHA1

de42a0d6a0f372f3a3c22f0cd5c4ace55229e415
SHA256

75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6d
SHA512

41e61ed4fc76bc3d30eb588383ed1a03dd641468e713aaeae63020e100502d6a88a6ed49a603ee64dd1eb5c58394718fa10092d062358e2294bc9ec91cec58b3
SSDEEP

3072:QOXbTyNkYhsO1d3NTw8RgA/LqNExmHURwslnInWbUt+w/:vyNrhd1w8RDxmHURJlWWbU

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/792-7-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1820-20-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/792-22-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1332-92-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1820-93-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/1820-202-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1820-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/792-8-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/792-7-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1820-20-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/792-22-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1332-92-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1820-93-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1820-202-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 792	1820	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe	29
PID 1820 wrote to memory of 792	1820	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe	29
PID 1820 wrote to memory of 792	1820	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe	29
PID 1820 wrote to memory of 792	1820	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe	29
PID 1820 wrote to memory of 1332	1820	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe	31
PID 1820 wrote to memory of 1332	1820	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe	31
PID 1820 wrote to memory of 1332	1820	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe	31
PID 1820 wrote to memory of 1332	1820	75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe	31

C:\Users\Admin\AppData\Local\Temp\75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe
"C:\Users\Admin\AppData\Local\Temp\75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe
  C:\Users\Admin\AppData\Local\Temp\75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:792
- C:\Users\Admin\AppData\Local\Temp\75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe
  C:\Users\Admin\AppData\Local\Temp\75665712ae3afe923a7d3955f6abde69d770915e1394d4461ebe8fb0e5a03c6dN.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6586.6D3

Filesize
597B

MD5
54113d05546b47173457d720e3056311

SHA1
09d19f84cb24022748347149b7f8c4e4fb6f454c

SHA256
1f20fa34db083a2e87ab9967eb3c958fd7a4a83fe3c09fd9bfb741c613a25cd4

SHA512
ee8ab9f5b1849e63515f5269d6e5d5da098fff167425dcd995853df06181bb2b3efec610e23ab4e2c11f42f7ad55f59408728514886b4cb68f3a223f1fb8bfa8

Download Submit
C:\Users\Admin\AppData\Roaming\6586.6D3

Filesize
1KB

MD5
6e367a8a13a336db8fffda06a85153ff

SHA1
774383f5733fb99949170c5a16ed766822f36f47

SHA256
6c017411bbe4833a0e96a9bbae03b9251c66627ccdd26afd634cc690d1d1245f

SHA512
d4c74c23c3fbc878b199d1d863eaf32dc24067c3cef71bb2a59268ad0cc96251724b49fecde4ad197a6cb3be1eb16acc52d08569b8799cafc9c53acd306a6ea7

Download Submit
C:\Users\Admin\AppData\Roaming\6586.6D3

Filesize
897B

MD5
a633bead9709dd60731a1a13e225716e

SHA1
74175b98db45a78bcba59ba6ebef7dfbf758cd39

SHA256
286f1b2fd2584842eb42833e16e1bf41953ae761e5a5a9cbad6f370b1e4a467d

SHA512
77242199ac513e683334ab77b09f26b377d59b0d6b4a71d8f82807516724887e2811b90137e8ebd6c0ff3beecea6dd45eb8cbf930f554b67997cccf988c16ee3

Download Submit
C:\Users\Admin\AppData\Roaming\6586.6D3

Filesize
1KB

MD5
7d0e1736aa658a455e540d6ea4d458c2

SHA1
a06eefb940e31e6a66dc6b4fe4cdaa0fa83d13c3

SHA256
78be824109981ffceb7243c7e60f3df5ad555a9b2ae68ad5f7381d653a17b3e9

SHA512
14a699109fae1088962cf602d372ded895006ac1fe8b2322146c09d597cd5eb1b64e38b9870c02e425ec9b245b345a4077517afb3a3512b14171544a2ca08199

Download Submit
memory/792-9-0x00000000002F2000-0x000000000030E000-memory.dmp

Filesize
112KB

Download
memory/792-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/792-22-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/792-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1332-90-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1332-92-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1820-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1820-20-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1820-93-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1820-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1820-202-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads