cycbot | a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08

General

Target

a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe
Size

192KB
MD5

494ff3a7ff00cade6e861ec93ad2a299
SHA1

7e1cc006af5e1d1606b2625f6e3788cb8cd1f183
SHA256

a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08
SHA512

74d793b358934afad45a94cc39afac9539e077b8d1754f6d202fe4f78ed25b291b344613ed0259c25aca7bcdcebdb95a00ad8ccda4a0151c1fc38852b98ce82f
SSDEEP

3072:nmiMyXlfGaXTmpu8E9XsoLPCrCo0RIyE0qzvv8jsRkZNeVOq4NkgTOliJzsTn7bz:nmwVxX6o8EBKCNOLvWZyMNkow4A/2

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1784-9-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2420-14-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/824-87-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/824-88-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2420-89-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot
behavioral1/memory/2420-170-0x0000000000400000-0x0000000000490000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1784-9-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2420-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/824-87-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/824-88-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2420-89-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2420-170-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1784	2420	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe	31
PID 2420 wrote to memory of 1784	2420	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe	31
PID 2420 wrote to memory of 1784	2420	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe	31
PID 2420 wrote to memory of 1784	2420	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe	31
PID 2420 wrote to memory of 824	2420	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe	33
PID 2420 wrote to memory of 824	2420	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe	33
PID 2420 wrote to memory of 824	2420	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe	33
PID 2420 wrote to memory of 824	2420	a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe	33

C:\Users\Admin\AppData\Local\Temp\a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe
"C:\Users\Admin\AppData\Local\Temp\a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe
  C:\Users\Admin\AppData\Local\Temp\a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe
  C:\Users\Admin\AppData\Local\Temp\a793e45bc5702bcd117fe4efed6095d38933acfde9b91c9e10c3e2d11cd1ff08.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6567.F9B

Filesize
600B

MD5
118646bad580bc27be4343a9ad56d388

SHA1
444326701559df0a37f3d06f352e189371e1d1ff

SHA256
dc1c625733ad9dc23d141fe8f8f8ed2c1aa93e4778e04b38dca9e1944294285f

SHA512
5d669e581302f9c64bd48242852d20d81a359ebd7644485b743d86adb7c16d252765a9adbdaa8e8a3ba3476e9be1623d43367e3d9aa33033f0780a3c5aa8a96d

Download Submit
C:\Users\Admin\AppData\Roaming\6567.F9B

Filesize
1KB

MD5
e693e39912949196475ff4ddd2faa4c8

SHA1
e82a88ca9d48afc1b97d112f968b3c94d65044ca

SHA256
531936a1dd041cc2f3546327d0f4f228e59d9ec3326ae18db4e973a2b7208f60

SHA512
114c9057969d5042b07d7e97d413a792afe727ed110e3cceac1c079bf7b1fc2280b56164304a9d501fc1f5e86bebf37aa67c3e3e5bc86904556a070170a267c6

Download Submit
C:\Users\Admin\AppData\Roaming\6567.F9B

Filesize
996B

MD5
f40f8401ab2c57eaad7cc198ca79b79c

SHA1
d42b8407e543cd251517b9a70d656b0bba64e3b5

SHA256
f4383e3e17ac0fa3e85c02b03d3e305e23075d2414844bea86c68bbb70a3d7cd

SHA512
8f23bbc7128571cd846f9c7d21f4433f176a80a1311eb3a194b2ffd35e7358867ad7b601dcba0e9c3a2fc809f9c1f41175539b4599cd2555e49b62cef3c4c341

Download Submit
memory/824-85-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/824-87-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/824-88-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1784-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-89-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-170-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads