bumblebee | 18ab01e312f13b5dcf847ffce6f2536083c24d7ed2195ddb84b5c106ff11fc24

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 21:07

Target

PDbfQsNCbKysMm.bat
Size

1KB
MD5

e41202ae491aedc10e4ee319a045be15
SHA1

2f719f9c05f92c31135b75da8e6e803b71843c05
SHA256

bad4aed36b4167a0f00a72f8598cc9dab2069e0f908be9b58b72d10690aea622
SHA512

82dff15c383a23592b3e3d00ccc85d4bebf61e4821ebe8b855ddfd0a3ae953a49b791d3e57537ae255990d9956a6284820b67c6da105e10be7e730078a28a1fc

Score

10^/10

Family

bumblebee

Botnet

0711

85.239.52.15:443

85.239.54.192:443

85.239.52.113:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1284	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1284	2016	cmd.exe	28
PID 2016 wrote to memory of 1284	2016	cmd.exe	28
PID 2016 wrote to memory of 1284	2016	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PDbfQsNCbKysMm.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\rundll32.exe
  rundll32 mGntZOOiFtyWBy.dll,csvcrun
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1284

memory/1284-55-0x0000000002010000-0x0000000002159000-memory.dmp

Filesize
1.3MB

Download
memory/1284-56-0x00000000001B0000-0x0000000000226000-memory.dmp

Filesize
472KB

Download