Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/11/2022, 17:35 UTC

General

  • Target

    pBLiwECeuZiHFL.bat

  • Size

    1KB

  • MD5

    ff1583c2c367477eb0873a15201cbcee

  • SHA1

    8e24b760fdfa2e45eccf800644749b5942f79b4f

  • SHA256

    c4730df817cb9010496afb25668619249e8e93a64d860783c7a49675c7c4fe0b

  • SHA512

    ed2b5744269509359be16ae35dc08b9eb2ca1c8e4876de3605f2a7486774d16cbf8207288ec9d82c34ddd49f81f903618d996d91df65ac5a46792b5036867a12

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

0211

C2

176.223.165.119:443

51.75.63.234:443

104.168.171.189:443

rc4.plain
1
eCUmnQerTx

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Blocklisted process makes network request 7 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\pBLiwECeuZiHFL.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\system32\rundll32.exe
      rundll32 LDYwFaCKXIhkuX.dll,Qruncore
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      PID:1240

Network

  • GET https://176.223.165.119/gatew (server country: DE)
    rundll32.exe
    Remote address:
    176.223.165.119:443
    Request
    GET /gatew HTTP/1.1
    Upgrade: websocket
    Connection: upgrade
    Sec-WebSocket-Key: w8JVOkX9X1EjA0+LZTAVxg==
    Sec-WebSocket-Version: 13
    Host: 176.223.165.119
    User-Agent: zzGugbSNnO epDpR
    Response
    HTTP/1.0 403 Forbidden
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
  • 170.184.190.127:377
    rundll32.exe
    152 B
    3
  • 48.87.156.188:333
    rundll32.exe
    152 B
    3
  • 176.223.165.119:443
    https://176.223.165.119/gatew
    tls, http
    rundll32.exe
    814 B
    1.8kB
    8
    7

    HTTP Request

    GET https://176.223.165.119/gatew

    HTTP Response

    403
  • 7.58.186.136:424
    rundll32.exe
    152 B
    3
  • 172.158.172.125:454
    rundll32.exe
    152 B
    3
  • 176.185.82.194:146
    rundll32.exe
    152 B
    3
  • 176.231.143.168:239
    rundll32.exe
    52 B
    1

Downloads

  • memory/1240-55-0x0000000001F60000-0x00000000020A9000-memory.dmp

    Filesize

    1.3MB

  • memory/1240-56-0x0000000000470000-0x00000000004E6000-memory.dmp

    Filesize

    472KB
