Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

evwvwet543yc0.dll

windows7-x64

10

evwvwet543yc0.dll

windows10-1703-x64

10

Analysis

  • max time kernel
    863s
  • max time network
    1219s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/10/2022, 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    evwvwet543yc0.dll

  • Size

    2.8MB

  • MD5

    63a316eba32ceedb0a6f2c02499fee0d

  • SHA1

    c95091727e0b80206bc08fe6f5419f7fa0b6a719

  • SHA256

    5c15151a29fab8a2d58fa55aa6c88a58a456b0a6bc959b843e9ceb2295c61885

  • SHA512

    9d17db2d937cffee92c1897e26db01bc1d41262f4aae4fcb6746ddc897a00e901686dab876a3fa48a682efcd617b05dfaa0522f066f6dfca7a54fbda921917ac

  • SSDEEP

    49152:AY1LnDpAyAelZQtflyyyuSXfiCC8M7vZ+x1BxkJj52DTUFPRAK8hVgi:3pDAZlyyyuSXfiCC8M7vZ+x1BxkJjKUq

Score
10/10
bumblebee2809trojan

Malware Config

Extracted

Family

bumblebee

Botnet

2809

C2

224.56.150.48:443

209.141.41.150:443

192.119.68.104:443

51.83.249.124:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\evwvwet543yc0.dll,#1
    1⤵
      PID:4616
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\rundll32.exe
        rundll32 evwvwet543yc0.dll,#3
        2⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        PID:2932
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2932 -s 76
          3⤵
          • Program crash
          PID:4036
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Windows\system32\rundll32.exe
        rundll32 evwvwet543yc0.dll,#3
        2⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        PID:4512
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 4512 -s 100
          3⤵
          • Program crash
          PID:2988

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2932-121-0x000002697F4C0000-0x000002697F613000-memory.dmp

      Filesize

      1.3MB

      Download