bumblebee | 8635911b8839322e420f9b53a075642e91ef3c71176109ab0a73df78345b56ae | Triage

Analysis

max time kernel
1791s
max time network
1798s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 18:54

Sharing

Report Analysis Logs

General

Target

bb.dll
Size

966KB
MD5

6e780435da8461940fc822f31b7368d2
SHA1

1f9467a1495ee143588e9b53f0a5b1ebe311d4b5
SHA256

0a4af4996a5f1c091cde6b18907c08fe31f373d7477d2f524161a45d130a1fac
SHA512

76d9bf6522278d9b9d7f3979bccbb894684cea1e87c034fcd71860e969fc367f6a7a42f67184296cdeb5f77a2893c307868f8bd0f6c4d0f548a09549b05833fe
SSDEEP

12288:+s+DiK3N/x/8rwMAImFetO29Qvnr7iL7/FXQ6e4HP5kGpmaJTWPa5bi5pguM649J:+FgxAIyDvn9kqCtwWi5iukff

Score

10^/10

bumblebee 0311t2 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0311t2

C2

39.65.8.170:443

103.144.139.156:443

107.189.30.231:443

91.245.254.101:443

194.135.33.127:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 64 IoCs

flow	pid	Process
1	1764	rundll32.exe
3	1764	rundll32.exe
4	1764	rundll32.exe
5	1764	rundll32.exe
6	1764	rundll32.exe
9	1764	rundll32.exe
12	1764	rundll32.exe
13	1764	rundll32.exe
16	1764	rundll32.exe
19	1764	rundll32.exe
22	1764	rundll32.exe
25	1764	rundll32.exe
28	1764	rundll32.exe
29	1764	rundll32.exe
30	1764	rundll32.exe
31	1764	rundll32.exe
32	1764	rundll32.exe
35	1764	rundll32.exe
36	1764	rundll32.exe
39	1764	rundll32.exe
40	1764	rundll32.exe
43	1764	rundll32.exe
44	1764	rundll32.exe
45	1764	rundll32.exe
48	1764	rundll32.exe
51	1764	rundll32.exe
52	1764	rundll32.exe
55	1764	rundll32.exe
56	1764	rundll32.exe
57	1764	rundll32.exe
58	1764	rundll32.exe
59	1764	rundll32.exe
60	1764	rundll32.exe
61	1764	rundll32.exe
62	1764	rundll32.exe
63	1764	rundll32.exe
64	1764	rundll32.exe
65	1764	rundll32.exe
66	1764	rundll32.exe
67	1764	rundll32.exe
68	1764	rundll32.exe
69	1764	rundll32.exe
70	1764	rundll32.exe
71	1764	rundll32.exe
72	1764	rundll32.exe
73	1764	rundll32.exe
74	1764	rundll32.exe
75	1764	rundll32.exe
76	1764	rundll32.exe
77	1764	rundll32.exe
78	1764	rundll32.exe
79	1764	rundll32.exe
80	1764	rundll32.exe
81	1764	rundll32.exe
82	1764	rundll32.exe
83	1764	rundll32.exe
84	1764	rundll32.exe
85	1764	rundll32.exe
86	1764	rundll32.exe
87	1764	rundll32.exe
88	1764	rundll32.exe
89	1764	rundll32.exe
90	1764	rundll32.exe
91	1764	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1764	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1764-54-0x0000000001F10000-0x0000000002059000-memory.dmp

Filesize
1.3MB

Download
memory/1764-55-0x0000000001CA0000-0x0000000001D16000-memory.dmp

Filesize
472KB

Download