bumblebee | d1d9d5c8ac57cabcd8c6e92cdff2f5e04913d224fd3a153a3b1234b1ba94745d

Analysis

max time kernel
150s
max time network
162s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31/10/2022, 19:01

Target

YBnruijYBbnbMK.bat
Size

1KB
MD5

76bdd5d90645d4d05142e52c32ba5691
SHA1

a7a8427a3333e9aa4bc4f1afe2003c30d489384c
SHA256

872a7741ca7f2cac261346385be38b91a582ec26c4160472b7b8769da884a55d
SHA512

083d71cae8b0eec7c31cfbca1f2b71ce20d7c3632ff345d154fa071348d4bef3e660abd3bd854470100e38ee4de967ba3814d1ee906e7299db20626c15fa8c1b

Score

10^/10

Family

bumblebee

Botnet

2710vm

23.106.160.141:443

198.98.56.242:443

104.244.77.61:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1728	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 1728	580	cmd.exe	29
PID 580 wrote to memory of 1728	580	cmd.exe	29
PID 580 wrote to memory of 1728	580	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\YBnruijYBbnbMK.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\system32\rundll32.exe
  rundll32 vEzFDEkEeKmEBW.dll,AppLoad
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1728

memory/1728-55-0x0000000001FA0000-0x00000000020E9000-memory.dmp

Filesize
1.3MB

Download
memory/1728-56-0x0000000001DB0000-0x0000000001EF5000-memory.dmp

Filesize
1.3MB

Download