bumblebee | 6b2e4c9b0579938ce73bd39874b58a8f67c24f49a188f1f0ae6bcde26fb8b084

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/11/2022, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eLWCBMEWwlzsBt.bat
Size

1KB
MD5

a8071866320d5925502c2126defdd8e7
SHA1

c27c9e20cb2d75604e4eb706ef1532c45652e1ad
SHA256

a466d8918e30568b17a4e8e35a658070d525a6742a4e211b031e0daec7277a2b
SHA512

588af1181f3b85145f29d8b7c12de425d0285d76d7fdf25a04a097ae5c97556cd9f45fdc3d003c8d2af66fcdd5f0c35db82bae0f4a5daff596ad9953e0f5eee0

Score

10^/10

bumblebee 0111 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0111

102.151.221.33:443

104.244.77.61:443

212.114.52.124:443

23.106.160.141:443

198.98.56.242:443

23.108.57.5:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
1	1284	rundll32.exe
3	1284	rundll32.exe
4	1284	rundll32.exe
5	1284	rundll32.exe
6	1284	rundll32.exe
7	1284	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1284	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1284	2024	cmd.exe	27
PID 2024 wrote to memory of 1284	2024	cmd.exe	27
PID 2024 wrote to memory of 1284	2024	cmd.exe	27

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\eLWCBMEWwlzsBt.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\rundll32.exe
  rundll32 BOiQKiECaUzWqF.dll,RemoveSettings
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-55-0x0000000001EF0000-0x0000000002039000-memory.dmp

Filesize
1.3MB

Download
memory/1284-56-0x0000000000520000-0x0000000000596000-memory.dmp

Filesize
472KB

Download