cycbot | 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1

General

Target

4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe
Size

186KB
MD5

7911b3c2b5597bade8af33b64cbead69
SHA1

ba3b3b48152c7387481d637d76535b1490f97185
SHA256

4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1
SHA512

391e0216a05ab95fad3adf936accc8770a2238bfa5363f7f178ec0a55063aa93e5eb2460f5cab2399d8c11e98cd07d3397c79d5912846f2341052ec37468501a
SSDEEP

3072:Jz+yYdb/Rs7U5MKTK3jNpp83Jh31+sJcmPmGXxE6E2pfbS1oB0VZhW:pWts7/KTkjNpwJp1vmGXxg2hwoB0

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2740-13-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/2232-14-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/1624-74-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/2232-141-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/2232-168-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-2-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2740-12-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2740-11-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2740-13-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2232-14-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1624-73-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1624-74-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2232-141-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2232-168-0x0000000000400000-0x0000000000453000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2740	2232	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe	31
PID 2232 wrote to memory of 2740	2232	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe	31
PID 2232 wrote to memory of 2740	2232	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe	31
PID 2232 wrote to memory of 2740	2232	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe	31
PID 2232 wrote to memory of 1624	2232	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe	33
PID 2232 wrote to memory of 1624	2232	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe	33
PID 2232 wrote to memory of 1624	2232	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe	33
PID 2232 wrote to memory of 1624	2232	4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe	33

C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe
"C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe
  C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe startC:\Program Files (x86)\Internet Explorer\D3A0\77D.exe%C:\Program Files (x86)\Internet Explorer\D3A0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe
  C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe startC:\Users\Admin\AppData\Roaming\0D119\48ED3.exe%C:\Users\Admin\AppData\Roaming\0D119
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0D119\9B7D.D11

Filesize
1KB

MD5
2a89b572b63f19d7deef022d9f98ec64

SHA1
42764e81bfec32d417076b26280142143d091671

SHA256
b9835cc4923376e2fe18cfafaa2904e9f4d3cebd6029df9d073d4fd163f86b31

SHA512
9e3d97aff34e43ff96f3ef322a5c2fc4b0a1be9a3f3f01f932dfc257640948bb7579f0d3c0e13b20d12713296a2c697eba25d399c34a910e4753d77dd011275b

Download Submit
C:\Users\Admin\AppData\Roaming\0D119\9B7D.D11

Filesize
600B

MD5
87520a950a79d8340a0c9b778d02cc92

SHA1
1362dd3f51e37c927a93ce08273b2bfcb5d570b8

SHA256
931eab586ca039c89586a26a3620352d7b33a81e1feb13e6aaa3cdaae9741349

SHA512
7ee718fcae74f35aaf2a017f6dc97a5e931a44b7cf7a16dd8513fc60ab840bc97b74b1c06781a4b3f8f0f2089972f203533ccbffa5758b9202487ee20d2f35b2

Download Submit
C:\Users\Admin\AppData\Roaming\0D119\9B7D.D11

Filesize
996B

MD5
4ef3d9fd2553cd94b767acfda1b1862d

SHA1
b5ea790cdbd506878ed39d9e240d26ca0aac4674

SHA256
0d0d5f9c5e4accaa65a2377a5d84d2b86afbdc7294aee29fa39b5924207d14d7

SHA512
f640dd85b05e104158b05e17ba08a1eb54828ca88bf316e67f6e3c59b2cd2509e86a83845534712b4821329b06aa0f3fd97178f93c4d7b8a66cab84c48a4c11c

Download Submit
memory/1624-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-11-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing