cycbot | 85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a

General

Target

85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
Size

175KB
MD5

9d5aab67a846e6041c559f827996e562
SHA1

c066222ff58ef75101703b38d35caf5fb16c811c
SHA256

85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a
SHA512

c69b4a69bcb3888d960e8bebecf9fc6af37b6c10ef50a14da31be034f7ea39f662938c250b95f61cf19638439239f28bdb29d5a1c396b1c3338ffdaf7e5e8a8d
SSDEEP

3072:KeF7Dpd7BzkiXI+wl9N/iqAx9xbWl/3u88Zw8WUL65+V3ZsXngi:KeFnpXzkCwbZ/3P8RLWe3uXnf

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2116-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1552-14-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1160-83-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1552-84-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1552-205-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-3-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2116-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2116-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1552-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1160-81-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1160-83-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1552-84-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1552-205-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2116	1552	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	30
PID 1552 wrote to memory of 2116	1552	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	30
PID 1552 wrote to memory of 2116	1552	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	30
PID 1552 wrote to memory of 2116	1552	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	30
PID 1552 wrote to memory of 1160	1552	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	32
PID 1552 wrote to memory of 1160	1552	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	32
PID 1552 wrote to memory of 1160	1552	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	32
PID 1552 wrote to memory of 1160	1552	85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe	32

C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
"C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
  C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe
  C:\Users\Admin\AppData\Local\Temp\85b41b6e00372fc722a5e7960b1bb0046b8a97566abc4a3f1072c3b3fe31277a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F87F.1E2

Filesize
1KB

MD5
60b1bfa3865a96fef98464a8763bd638

SHA1
a97e931c18536facf241dc6c0db32d5c1ac8e9d6

SHA256
a2910441c14e12b6b69d094c43c35b061e27a8f405a1e01ae420ee174636f173

SHA512
9586977889bed23b68db5aa8d0998f0097a3652fcc4b726aeb09165bdeac4d0c765e92899d1d72b833d04c6bbe39ecc591a08f816ef4d9355e524610808f6505

Download Submit
C:\Users\Admin\AppData\Roaming\F87F.1E2

Filesize
1KB

MD5
25a798a2584329806e8c6049fa075fcb

SHA1
0a52f5581ec65eda6aff88c3c861afcf4d23df31

SHA256
4660646e1a013ff10550d15a12258beb812249576a859366d7b0d0390b4110c9

SHA512
4a2e4c0670bc286ae000032e8f1fe470495d23d51d2c61e33a435f1a78939307abf347c2fb0fb80568dd90dbf66e9a822a9f43a77fd6016f5d2e938dce24939e

Download Submit
C:\Users\Admin\AppData\Roaming\F87F.1E2

Filesize
600B

MD5
156b9400143fc40721e0fcf3b465fa58

SHA1
3996edd664fa57bd3a5e459393ac164141f9c308

SHA256
0ffb8332bcf7cc3d2e6a93fbf55a0087fb66d650228fe9df162a4d494ecdeffa

SHA512
d08d8c361490376e7dd50586cbdbd0adaac4b9544c53b945a2666db1d2296e0a710c4ef55c969a335d7280ee0ae114ac33ab8f0b5d0ea17fde713541c662d12f

Download Submit
C:\Users\Admin\AppData\Roaming\F87F.1E2

Filesize
996B

MD5
8d3ca18473673458f893fe690679ad1d

SHA1
d8bd23424f545abe7935bdf6b301f8a0260b0cdf

SHA256
72747db5036771c8b7bd192db6ef1144877865bd77e04bfbec40b001de4e3964

SHA512
1ff0b027821eeb662ff3897b00c5a6bb8155c1f48963ce18768dce46f1c244855acda3ffc039dd17c8c832985bd7d507b1035c5f40352ea8ac3669b36c239aa8

Download Submit
memory/1160-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1160-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1552-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1552-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1552-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1552-3-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1552-205-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2116-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2116-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads