cycbot | aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851f

General

Target

aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe
Size

208KB
MD5

cf7a5130034b2de74ab09fcfefc74840
SHA1

e08cb54301c8e9123a48e7311c37d3459b7ab465
SHA256

aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851f
SHA512

06098d3c1324a7b59a500c05a8b7472badbba9775004d6c3a2ac675523ff27ceaf000c90c70bcac8f00d146555141212a32f2d19a1ad7316a242a542d9728a42
SSDEEP

6144:+6ZwzttVIx4DEsbMH1x5PFfXlKtxfeTY5yBsfK:IGx4Drbm1fPJAtxm3my

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2808-7-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2876-16-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2360-71-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2876-182-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2876-2-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2808-5-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2808-7-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2876-16-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2360-71-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2876-182-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2808	2876	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe	30
PID 2876 wrote to memory of 2808	2876	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe	30
PID 2876 wrote to memory of 2808	2876	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe	30
PID 2876 wrote to memory of 2808	2876	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe	30
PID 2876 wrote to memory of 2360	2876	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe	32
PID 2876 wrote to memory of 2360	2876	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe	32
PID 2876 wrote to memory of 2360	2876	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe	32
PID 2876 wrote to memory of 2360	2876	aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe	32

C:\Users\Admin\AppData\Local\Temp\aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe
"C:\Users\Admin\AppData\Local\Temp\aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe
  C:\Users\Admin\AppData\Local\Temp\aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe
  C:\Users\Admin\AppData\Local\Temp\aed46d0e262989a0fefdd65700d7109b829cf4d8cc1a17092bbfb84ad739851fN.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E4EF.CDE

Filesize
1KB

MD5
d74b58c4faa0797ad29d437a0c5808e8

SHA1
5cb6d38ea3acae74fe3ea0c87e46063be7ede13c

SHA256
6d03846b182841cd9a0a4e3c9b966e6bf88c1491aa3a4d9979e59cd96b3fdbfd

SHA512
e144456920898265714aaa33f9321d7cdc826f7ef42e5457e5dc44bee05f8118dc07d108d16f06d8b0b0692bb7d53fdfeebcaa7dd6d87e277793d6bce005a905

Download Submit
C:\Users\Admin\AppData\Roaming\E4EF.CDE

Filesize
600B

MD5
fdd4a9856beb8725c1c1135e459795d1

SHA1
a30b1608e0bb6343b482d29c32d18dce66471654

SHA256
2b5ecb5cf5c8a8195809a9a67aae88223e07a80c92215d1e3f591fdc046c979a

SHA512
8bf925651ce344a6c7462eeba4a94c8b7205301db515a29c71fbb0c15691343a064e8d059dc6b1dcab9c003095b7b388474dd6fdc1bdcbae49c00fbc40368643

Download Submit
C:\Users\Admin\AppData\Roaming\E4EF.CDE

Filesize
996B

MD5
b95f33bd88aaca99e919c0806a5ac90c

SHA1
c26bab6d4075daeae2b625b81db7688c9fcdde84

SHA256
60d100fc3fec6b881a8c1e3846a4a25ca5a0ff9762bef19fe0cc33fb162fa584

SHA512
8281dcf61256170ca55c4b41f3c4ebf9765042824fd991d63cd71c4aa2db9b5a8bcbfb9b8c03e9182969c32e56d818cff6b15d235717fad68b874ee79f2b6f99

Download Submit
memory/2360-71-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2808-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2808-7-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2876-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2876-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2876-16-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2876-182-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing