bumblebee | 12df68306288f11609ff1b5cac904fcaeab3f5561bcbf0f09c2bf439c6daeadc | Triage

Sharing

General

Target

files.zip
Size

687KB
Sample

221117-c58sfade63
MD5

330ecf8b86b729b4c7c3cf1556739db3
SHA1

dd1655ee02d97110496eadf18997412fa9dbeaad
SHA256

12df68306288f11609ff1b5cac904fcaeab3f5561bcbf0f09c2bf439c6daeadc
SHA512

67c413868ea103c7a537fc76ea585fd790fbf517f1aec0251f563fddc1adf2daee7896fee25850f3403f133112f1fc2451b6cddacefaf5ae520e28930c20d260
SSDEEP

12288:UO3vAFIFP1pZG5tf+d6RToVXUWvZcmu0zpHG1JC9Luq2wiRXkWm3bXc9t7XwBB6E:UOo2tLGH+GTEXUWv11z1AJkuAihuX8tU

Score

10^/10

bumblebee 15repl trojan

Malware Config

Extracted

Family

bumblebee

Botnet

15repl

C2

23.108.57.200:443

103.144.139.158:443

23.106.160.52:443

rc4.plain

Targets

- Target
  
  TdndchBWGClEyG.dll
- Size
  
  836KB
- MD5
  
  4ec372d945f4279858d8ed93a83154b8
- SHA1
  
  8c1818a64979a128808c971f5d66702fdf964660
- SHA256
  
  8533d14d0d29dc3534591363aab48c0857f855a416855042de18fc428a9adeb6
- SHA512
  
  8b5725b16875c372522a41ec9ef8839ccc45a3d4840176bab6bd527a4cac85490407fb8ccb8226f5b8be610127bc573ddd40872246ab4a72c85016089d25ecd3
- SSDEEP
  
  12288:EjFKLyV6iAV2xGu8AcsufT43mFdWOhV5dP4nODbBYRjRYBmCkvLBxa1FiTCci1JZ:EjFKOVBA/u8jPT2pOgOmpxndx3TCc
Score

10^/10

bumblebee 15repl trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  required documents.lnk
- Size
  
  995B
- MD5
  
  32718d69a0919473c89e529b04a7cd38
- SHA1
  
  d0c4c19cf77676d2827e9b9596796583d95dce37
- SHA256
  
  d3c9dc14d8396686cb3c12b1a483ca30943d731f733614fda85e1039bff611c5
- SHA512
  
  b1119c69fb1c1205250a10ab4893072b4ed45f38f5b0af9fdfa8a6c442f738571cd09b5767345ce47414681475bd9e57fc1526185493c9c30cb8311c96e2c4ba
Score

10^/10

bumblebee 15repl trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral3 behavioral4
- Target
  
  wabPTLAqdTmbJu.bat
- Size
  
  1KB
- MD5
  
  9cf24d2ca62c63bf523c2ec835a26e9f
- SHA1
  
  6e665d29117d318abf8318beaac265818ee990c3
- SHA256
  
  9e847e0113ee63ea0bbb3e873a5a33013b45a249fb734a50bf16df986f9cfe4d
- SHA512
  
  0b19e3460218c43aa00c6244cc34aa6bf786e5157db61e7d5df1adb506cd6606c163b2c6392bc84129c16daa2eb74f8d3d32e769ca5d404807f2464cab3be5d1
Score

10^/10

bumblebee 15repl trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee15repltrojan

behavioral2

bumblebee15repltrojan

behavioral3

bumblebee15repltrojan

behavioral4

bumblebee15repltrojan

behavioral5

bumblebee15repltrojan

behavioral6

bumblebee15repltrojan