cycbot | 4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1

General

Target

4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe
Size

174KB
MD5

f3b5c71429882508a16b171bfd6e3d50
SHA1

5ba90d177031465c2b8d9f94090884d882ec3d17
SHA256

4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1
SHA512

d9a64d326b031cc3f400b7134bc39a2d99f57a7590fdcbcc5be794b95b2554947a6d527e4d25540e945a3480fee853e533018b6d51d7d3a0f795f44d587c6073
SSDEEP

3072:2vW+2IUadlM4GD8hzSyM6kb5G1zIRObix0AoMBiOKoYkEI52Ap+hlmlzeHh4/T8I:2vW+Br6epkb5G1MRN0cBiroYI2Qlzb8I

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/316-7-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2084-15-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2084-74-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2664-78-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2084-180-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot
behavioral1/memory/2084-183-0x0000000000400000-0x000000000048D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/316-6-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/316-5-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/316-7-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2084-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2084-74-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2664-76-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2664-78-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2084-180-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2084-183-0x0000000000400000-0x000000000048D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 316	2084	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe	30
PID 2084 wrote to memory of 316	2084	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe	30
PID 2084 wrote to memory of 316	2084	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe	30
PID 2084 wrote to memory of 316	2084	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe	30
PID 2084 wrote to memory of 2664	2084	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe	32
PID 2084 wrote to memory of 2664	2084	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe	32
PID 2084 wrote to memory of 2664	2084	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe	32
PID 2084 wrote to memory of 2664	2084	4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe	32

C:\Users\Admin\AppData\Local\Temp\4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe
"C:\Users\Admin\AppData\Local\Temp\4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe
  C:\Users\Admin\AppData\Local\Temp\4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Users\Admin\AppData\Local\Temp\4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe
  C:\Users\Admin\AppData\Local\Temp\4c102f72cf215c188ed4000a47eb09e8edf82c054a36e0eb3d95093f2adba2e1N.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\45A3.44A

Filesize
1KB

MD5
e130c69ab13bbedaa22e38200f30147a

SHA1
a2e2fd2a6f5bc33948a42abb2b3a3386ad9baa6f

SHA256
f2c4d36a0136fc90b7eb70279f59f2ebcc2bc24adb1f3aa3cb986c145ab2e1ca

SHA512
18d417bcf90e36b007e5f9e67067c89abece5ab5fb254585afe1603a9e9eb6e749bbf7e4bd3ac5b604c75414ad022e5e23bb808d8e95eed79b4b7e2050f10bad

Download Submit
C:\Users\Admin\AppData\Roaming\45A3.44A

Filesize
600B

MD5
4a5ff1262cdcdbb9d71ecd86df4ce2df

SHA1
e7dea80a73c88571e5d5d6bbdc0ff881378906c6

SHA256
7a1e90affc42daf8e108fb24485bfb0390ec16aa759e18e32b97d631f1b8f4b1

SHA512
7816b460acaef6fd3b182b7bf88b87ec288c30c5f27aa5c9ba6ac462650cf0b5b7f179698c115f576277363f9c57dbac0792dd9df34404a6bce045923108de76

Download Submit
C:\Users\Admin\AppData\Roaming\45A3.44A

Filesize
996B

MD5
d9a6fe894d364e13ddc371a2199e6826

SHA1
a2706fe8fec06e1ce81620b4f072361ee8c505a5

SHA256
de89c63b06ae6812d538747415515dc0a5ccb540c3a4103468c050a1cf2bf116

SHA512
6f535ac797678f641612a7ab8115c99b94874a195135259908ecb096d12672c399c8176f36807e531e21f60a6a02de58e9577185a5951f8c121d919330b17692

Download Submit
memory/316-5-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/316-7-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/316-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2084-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2084-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2084-74-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2084-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2084-180-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2084-183-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2664-76-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2664-78-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads