bumblebee | 40c255ea500f2de3136057c9ba88dd3875f7b15bd2fb72540f9f6d85bcc755e4

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2022 19:06

Target

XAnbADuUedJlBE.bat
Size

1KB
MD5

8ae47905093ff8acd0fc3f023a30bbdc
SHA1

184fc76e91488b8ad5b3041153ba8d9a98eafc07
SHA256

7dfb2ecf76c386504119056d20f3a65d83f7bb3f297e2f63aa63b2e205c72105
SHA512

24e7ad5726e69f160dee69d103f6674bf929813763d1d2ae46bdd6132b3e8851de67c8171a53223a05dd1fcc9823becaefd108b7db8ab185d2a8bc8a3b150346

Score

10^/10

Family

bumblebee

Botnet

0811

104.219.233.127:443

192.236.194.101:443

146.70.161.82:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4424	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4424	4204	cmd.exe	83
PID 4204 wrote to memory of 4424	4204	cmd.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XAnbADuUedJlBE.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\system32\rundll32.exe
  rundll32 uDzpJZuAIMIPqQ.dll,PUpdate
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:4424

memory/4424-133-0x0000026254DC0000-0x0000026254E36000-memory.dmp

Filesize
472KB

Download
memory/4424-134-0x00000262568A0000-0x00000262569E9000-memory.dmp

Filesize
1.3MB

Download
memory/4424-135-0x0000026254DC0000-0x0000026254E36000-memory.dmp

Filesize
472KB

Download