cycbot | 7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd

General

Target

7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe
Size

165KB
MD5

6f17717ee482e58f181ded2b5d2cea52
SHA1

7d4a117b40974ac656dc7ac100d9634cbd8ce97d
SHA256

7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd
SHA512

0b7c8830f90914ad5b5f170b6244d8d2625b05e50f5f20d143c61e7860f53c181394d8469356af3c17ee61942610ecdcae094a5d1d4cdda841ad8f69ef93ade0
SSDEEP

3072:5iEEum9D4z1AUW/UM07G/zzNc08xqNuAFDCyuaDn7No2BuRaYEszmnws1R:5Guz1AUQUh7Grm0tNusCZ+u2Bm9gnws

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1872-17-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2348-18-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral1/memory/2348-19-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2348-120-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/848-122-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral1/memory/2348-277-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\CACE1\\37C9A.exe"	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1872-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1872-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1872-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2348-18-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2348-19-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2348-120-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/848-122-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/848-123-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2348-277-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1872	2348	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe	30
PID 2348 wrote to memory of 1872	2348	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe	30
PID 2348 wrote to memory of 1872	2348	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe	30
PID 2348 wrote to memory of 1872	2348	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe	30
PID 2348 wrote to memory of 848	2348	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe	33
PID 2348 wrote to memory of 848	2348	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe	33
PID 2348 wrote to memory of 848	2348	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe	33
PID 2348 wrote to memory of 848	2348	7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe	33

C:\Users\Admin\AppData\Local\Temp\7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe
"C:\Users\Admin\AppData\Local\Temp\7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe
  C:\Users\Admin\AppData\Local\Temp\7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe startC:\Program Files (x86)\LP\9A6C\EB5.exe%C:\Program Files (x86)\LP\9A6C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe
  C:\Users\Admin\AppData\Local\Temp\7c03f715a4a3497a11ea8a556d85cd3877b0f6728745be9ecab7759b3e7cccbd.exe startC:\Program Files (x86)\E11BE\lvvm.exe%C:\Program Files (x86)\E11BE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CACE1\11BE.ACE

Filesize
996B

MD5
2a5bb5a0ccb7b4ad1a30378f56b8962b

SHA1
07441cc67c2f7334099955fa1f69c62e5047acb3

SHA256
a9957f35b8a35b1c583059dfd7b0cb1434622af3d02951c515da09d00a25e368

SHA512
2c5c52063a7d826f4c1af9a3a9020142f92b298aa88606a63b5d7500962f1b3d4513f5949ed9c36544c884e3eb716b740261b4ee047fd8fbf180fdd85bcddd71

Download Submit
C:\Users\Admin\AppData\Roaming\CACE1\11BE.ACE

Filesize
600B

MD5
7699b4666aaa8b3a178e249a6f575d5a

SHA1
3eb938a9800658153098da9e0194cde557830e7b

SHA256
048bdf589ccbe3372b6f2c6c7fdf5ab2f3122a0a7c14754d8118490d4be6ebf0

SHA512
2a7dec9c903e0513080a68f0dfe6d6a3e31681930384fb6f48ab8d0dd4f1a16149aa9c8c0362c934043c846805b49962eed44e5cbeb315f4b62e82eba9e3a0fc

Download Submit
C:\Users\Admin\AppData\Roaming\CACE1\11BE.ACE

Filesize
1KB

MD5
ee7dd943516ebe39bcbf633a22beb579

SHA1
e48005564d96a7ae17bcf2ac63e7793eef75eee9

SHA256
f4e0b7dba021cc34e42ef5489982eec0161abf6b39b90ae7cbb8ded8255a72e4

SHA512
3875082612a141aa239558057f010c6653734896fcc8e16129d837b3ebac207aa3f6ac69b2b28ee59c73a49fa6eb091213af10ed41c91d17e02c0969270c9d57

Download Submit
memory/848-123-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/848-122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1872-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1872-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1872-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2348-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2348-120-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2348-19-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2348-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2348-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2348-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2348-277-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads