bumblebee | bd9f0668b465891dbacd4fe217df1ea91042b2c711b2d26fdbb057ece06e830b | Triage

Analysis

max time kernel
134s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2022 21:42

Sharing

Report Analysis Logs

General

Target

maidservant/immortalized.dll
Size

884KB
MD5

f3ba88cfcbd3dce3103017c95b399c8e
SHA1

ecd6d0e7d686c967fa214db346a3e11cc0e0ad25
SHA256

58f17afc6299d6eb6f0c0321d4748758df368b03b8fc9bcd808b487d351e1c27
SHA512

7fa318016886c6f08cdeb78510e43d420d61b732269a504ba6fb31cf884cba1eabed954fe4ef8f82e5231eaad306a34198c598b313ae24c6b2db330b066a8f3c
SSDEEP

24576:AF1A7ynR+djiZJmZqNd8fBpO8ZCK0zCXAfV4/:AF1znQJOsW8DOYAz1fVs

Score

10^/10

bumblebee 0211r trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0211r

C2

193.109.120.156:443

192.111.146.184:443

104.219.233.113:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
37	4808	rundll32.exe
100	4808	rundll32.exe
106	4808	rundll32.exe
107	4808	rundll32.exe
108	4808	rundll32.exe
109	4808	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4808	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\maidservant\immortalized.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:4808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4808-132-0x000002B27E6B0000-0x000002B27E7F9000-memory.dmp

Filesize
1.3MB

Download
memory/4808-133-0x000002B27CBD0000-0x000002B27CC46000-memory.dmp

Filesize
472KB

Download