cycbot | 4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572

General

Target

4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe
Size

175KB
MD5

c3798a3caf9ef33e4f58cf8a6a588880
SHA1

4b4db34ec828543ef96feeabbb888a085e492971
SHA256

4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572
SHA512

55efbee851752d401960075713027a5c8d9e5586aff1b07b712d83450c2f506284b0252bb89f648c1252a573a7b9ddaec8d709ff89ef893bd7de776c5f506e40
SSDEEP

3072:KeF7Dpd7BzkiXI+wl9N/iqAx9xbWl/3u88Zw8WUL65+V3ZsXng:KeFnpXzkCwbZ/3P8RLWe3uXn

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1692-12-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2960-13-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2960-78-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2664-82-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2960-200-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2960-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1692-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2960-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2960-78-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2664-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2664-80-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2960-200-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1692	2960	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe	30
PID 2960 wrote to memory of 1692	2960	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe	30
PID 2960 wrote to memory of 1692	2960	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe	30
PID 2960 wrote to memory of 1692	2960	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe	30
PID 2960 wrote to memory of 2664	2960	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe	33
PID 2960 wrote to memory of 2664	2960	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe	33
PID 2960 wrote to memory of 2664	2960	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe	33
PID 2960 wrote to memory of 2664	2960	4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe	33

C:\Users\Admin\AppData\Local\Temp\4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe
"C:\Users\Admin\AppData\Local\Temp\4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe
  C:\Users\Admin\AppData\Local\Temp\4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe
  C:\Users\Admin\AppData\Local\Temp\4d36bdcce13c87c8f6a4315cde9a69e621155f8fb32a65413f793a9faf868572N.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D66C.A44

Filesize
600B

MD5
99e2b20ecd71904837c68e1922d3843c

SHA1
a2f67a30999d6a8f712e46db9815986f02ee1928

SHA256
ac001622205746845333ac54e44a059d2680c66e7cf2c8f1ab4521ef9a59f6c3

SHA512
4b98f7fb9a713d6ca65489a1e8eec384cdd7da404fd69e32413146a25477b18207a96a3ca68285f19ffa90e46ebbf431db1bea95a05d7be2ec35b99be11618fe

Download Submit
C:\Users\Admin\AppData\Roaming\D66C.A44

Filesize
1KB

MD5
c9d21ffd619907041a000c16ec7f6522

SHA1
c38937550b4fdbcc74e785d4d744531c117537b7

SHA256
4f3f90c966f1b56a91778291350ab78f6062d3b9d5c007147d26859e4cbb8bb7

SHA512
a5e6f23585f7a40b747082c0e11037442f758beadca58e5796a421ed67cab9e61623a5ef26f2339b4529a23ea3c41785dfd6bec5c93aa6fa4c0ba0df0350bd98

Download Submit
C:\Users\Admin\AppData\Roaming\D66C.A44

Filesize
996B

MD5
4fea8f7ce9f8ec69f57752b7d3151844

SHA1
47453da777c6e68a72220cd1576e6bf58a5984f8

SHA256
33b23f64ad8194840eb7413b56212d3c7c124785cc96869d03d25d25bd5f1fcf

SHA512
d62b0b9265beb71269287735f984e23bd0fdbf15341268314779f11f09366d71016d21b55510349e7d417b8646e0f85f0dee23518d3596b426abe4bb11759567

Download Submit
memory/1692-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2664-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2664-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2960-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2960-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2960-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2960-78-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2960-200-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads