cycbot | 85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a

General

Target

85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
Size

175KB
MD5

9d5aab67a846e6041c559f827996e562
SHA1

c066222ff58ef75101703b38d35caf5fb16c811c
SHA256

85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a
SHA512

c69b4a69bcb3888d960e8bebecf9fc6af37b6c10ef50a14da31be034f7ea39f662938c250b95f61cf19638439239f28bdb29d5a1c396b1c3338ffdaf7e5e8a8d
SSDEEP

3072:KeF7Dpd7BzkiXI+wl9N/iqAx9xbWl/3u88Zw8WUL65+V3ZsXngi:KeFnpXzkCwbZ/3P8RLWe3uXnf

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2040-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2100-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2100-86-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1808-90-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2100-211-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2100-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2040-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2040-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2100-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2100-86-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1808-88-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1808-90-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2100-211-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2040	2100	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	31
PID 2100 wrote to memory of 2040	2100	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	31
PID 2100 wrote to memory of 2040	2100	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	31
PID 2100 wrote to memory of 2040	2100	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	31
PID 2100 wrote to memory of 1808	2100	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	33
PID 2100 wrote to memory of 1808	2100	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	33
PID 2100 wrote to memory of 1808	2100	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	33
PID 2100 wrote to memory of 1808	2100	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	33

C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
"C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
  C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
  C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7041.4B2

Filesize
1KB

MD5
a25b55f168722108ebcac442f33c62b0

SHA1
68a11fbee6793724d085daab096c1dab4664e550

SHA256
40b0a26f685672a6fa9755abe68c1d62325faecbdc35a6d9e6985adedb0888c5

SHA512
497fc740a939c320d803722fbc8f9888bb783d4cf3e27b13ccc3d9a52a345f342813e654d2a14f17794e6fa6d5414951425df0526523c10e90141ecbb29fce38

Download Submit
C:\Users\Admin\AppData\Roaming\7041.4B2

Filesize
600B

MD5
5580a6ab1d76c4dafbad30dad22838fc

SHA1
49a4d6b1479f7846fba0d96b217ec030c00d3087

SHA256
40cec79af4d3ea3ba37aa58b358792eef3d2b33e5f064443e26da6ffa62c27a3

SHA512
a8565372ca4803297c0840fa8ec7502ddd7ada5acf4cb168ccbedace6cb87f31e3d828b05c22c896d0efbeb7672f71d46fb798ef2f02a5a2cd7903e2ab1e2cca

Download Submit
C:\Users\Admin\AppData\Roaming\7041.4B2

Filesize
996B

MD5
9d784ebc8d6701eb20b6a2acf26d5048

SHA1
18161401a540b606e7b892c0f448524b484c0682

SHA256
1444571bcdb22e505e6e533a6df1095f9f0ebe5e9ef1cb66d65ef714c896fca4

SHA512
343a77793c1d12dfb665467f7ec5c862538be262717e223a7b0c79671e84ec6cd3917bf04ded91afc97b541f82132e5002c66ee6b062dda553a6b589d988e8c6

Download Submit
memory/1808-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1808-90-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2040-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2040-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2100-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2100-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2100-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2100-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2100-211-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads