bumblebee | 18ab01e312f13b5dcf847ffce6f2536083c24d7ed2195ddb84b5c106ff11fc24

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 21:07

Target

PDbfQsNCbKysMm.bat
Size

1KB
MD5

e41202ae491aedc10e4ee319a045be15
SHA1

2f719f9c05f92c31135b75da8e6e803b71843c05
SHA256

bad4aed36b4167a0f00a72f8598cc9dab2069e0f908be9b58b72d10690aea622
SHA512

82dff15c383a23592b3e3d00ccc85d4bebf61e4821ebe8b855ddfd0a3ae953a49b791d3e57537ae255990d9956a6284820b67c6da105e10be7e730078a28a1fc

Score

10^/10

Family

bumblebee

Botnet

0711

85.239.52.15:443

85.239.54.192:443

85.239.52.113:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2784	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2784	1508	cmd.exe	82
PID 1508 wrote to memory of 2784	1508	cmd.exe	82

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PDbfQsNCbKysMm.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\rundll32.exe
  rundll32 mGntZOOiFtyWBy.dll,csvcrun
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:2784

memory/2784-133-0x000001D3D56B0000-0x000001D3D5726000-memory.dmp

Filesize
472KB

Download
memory/2784-134-0x000001D3D5870000-0x000001D3D59B9000-memory.dmp

Filesize
1.3MB

Download
memory/2784-135-0x000001D3D56B0000-0x000001D3D5726000-memory.dmp

Filesize
472KB

Download