bumblebee | 99482cc76a3f020bbca4609e4b4d39e3577543443898941b916079dc9b738fb3 | Triage

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2022 18:59

Sharing

Report Analysis Logs

General

Target

notrobassfir/imposing.dll
Size

884KB
MD5

f695e7d84ac6d462adc55118cda0c792
SHA1

c70ecce2819cc317cba891580310d2d307fef0f2
SHA256

033bb9e1fb03ff19cc9378bd90c6356213873491943d253acfb0ae6c46f18469
SHA512

09511d94a4934c26a0d5789e27aa8fe6354a4246bca412111d595698dd305ed5c5f41ae9c8315e08545d2991751d67522bc4f41f1fd4c5fd933fe51a09485d2c
SSDEEP

24576:TjwHkcqYk13VTnKisg1YJnFvbkE6FElPNoG:TjwHkcqLVTnJpYReRCXo

Score

10^/10

bumblebee 0211r trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0211r

C2

193.109.120.156:443

192.111.146.184:443

104.219.233.113:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
18	4092	rundll32.exe
29	4092	rundll32.exe
32	4092	rundll32.exe
40	4092	rundll32.exe
41	4092	rundll32.exe
45	4092	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4092	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\notrobassfir\imposing.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4092-132-0x00000239895A0000-0x0000023989616000-memory.dmp

Filesize
472KB

Download
memory/4092-133-0x0000023989760000-0x00000239898A9000-memory.dmp

Filesize
1.3MB

Download
memory/4092-134-0x00000239895A0000-0x0000023989616000-memory.dmp

Filesize
472KB

Download