bumblebee | 3fdf1be957886affcc289f411ab91d634bb46e1537fc5e58f72c70bbd376d528

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

run.bat
Size

32B
MD5

515ab1b36d62a9fe2853d29dffe5ce79
SHA1

a2e397c2f9ae044146eb57e43dd4dc4851af5e55
SHA256

e029e5c7e6f01937cec6f8e7c175ee17b99155905224261f42584165d3202070
SHA512

e9b085733214043adcce9b23055dd783cc9582d0ddb6d1fc8c0ae7ecb3b262d389ddb07ee980d9fc23589d58d1bb0ce031c584c99944181b8db527a3f114e6a2

Score

10^/10

bumblebee 0311t2 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0311t2

39.65.8.170:443

103.144.139.156:443

107.189.30.231:443

91.245.254.101:443

194.135.33.127:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 7 IoCs

flow	pid	Process
1	1148	rundll32.exe
3	1148	rundll32.exe
4	1148	rundll32.exe
5	1148	rundll32.exe
6	1148	rundll32.exe
9	1148	rundll32.exe
10	1148	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1148	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1148	1460	cmd.exe	28
PID 1460 wrote to memory of 1148	1460	cmd.exe	28
PID 1460 wrote to memory of 1148	1460	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\system32\rundll32.exe
  rundll32.exe /s bb.dll,BasicLoad
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1148-55-0x0000000002270000-0x00000000023B9000-memory.dmp

Filesize
1.3MB

Download
memory/1148-56-0x00000000020B0000-0x0000000002126000-memory.dmp

Filesize
472KB

Download