General

  • Target

    files.zip

  • Size

    687KB

  • Sample

    221117-c58sfade63

  • MD5

    330ecf8b86b729b4c7c3cf1556739db3

  • SHA1

    dd1655ee02d97110496eadf18997412fa9dbeaad

  • SHA256

    12df68306288f11609ff1b5cac904fcaeab3f5561bcbf0f09c2bf439c6daeadc

  • SHA512

    67c413868ea103c7a537fc76ea585fd790fbf517f1aec0251f563fddc1adf2daee7896fee25850f3403f133112f1fc2451b6cddacefaf5ae520e28930c20d260

  • SSDEEP

    12288:UO3vAFIFP1pZG5tf+d6RToVXUWvZcmu0zpHG1JC9Luq2wiRXkWm3bXc9t7XwBB6E:UOo2tLGH+GTEXUWv11z1AJkuAihuX8tU

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

15repl

C2

23.108.57.200:443

103.144.139.158:443

23.106.160.52:443

rc4.plain
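The "Extracted" block above is what a config extractor produces once it has located the RC4 key that Triage labels rc4.plain (the key is stored in the clear inside the sample) and decrypted the embedded configuration. The following is an added example, not Triage's or Bumblebee's code: a textbook RC4 routine, a wrong-key sanity check, and a parser for a constructed blob. The key "demo-key" and the newline-separated key=value layout are assumptions made for illustration; only the botnet ID and C2 list are taken from the report.

```python
"""Decrypt and parse an RC4-protected malware config whose key is known.

Added example; not Triage's or Bumblebee's code.  The blob layout
(key=value lines) and the key "demo-key" are constructed assumptions.
"""
from typing import Dict, List, Tuple


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permute 0..255 under the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR.  Symmetric: the same call encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> Dict[str, object]:
    """Parse 'key=value' lines; 'c2' is a comma-separated host:port list."""
    fields: Dict[str, str] = {}
    for line in plaintext.decode("ascii", errors="replace").splitlines():
        if "=" not in line:
            continue
        k, v = line.split("=", 1)
        fields[k.strip()] = v.strip()
    c2: List[Tuple[str, int]] = []
    for entry in fields.get("c2", "").split(","):
        host, _, port = entry.strip().rpartition(":")
        if host and port.isdigit():
            c2.append((host, int(port)))
    return {"botnet": fields.get("botnet", ""), "c2": c2}


def extract_config(blob: bytes, key: bytes) -> Dict[str, object]:
    """Decrypt with the recovered key and parse.

    A wrong key (or a blob that is not RC4 at all) yields pseudo-random
    bytes, so refuse anything that does not decrypt to printable ASCII
    rather than returning garbage as a 'config'.
    """
    pt = rc4_crypt(key, blob)
    if not all(0x20 <= b < 0x7F or b in b"\r\n" for b in pt):
        raise ValueError("decryption is not printable text: wrong key or not RC4")
    return parse_config(pt)


# Constructed sample: report values wrapped in a made-up layout and
# encrypted here with a hypothetical key, standing in for the embedded blob.
DEMO_KEY = b"demo-key"  # assumption; the real key is the rc4.plain value
DEMO_PLAINTEXT = (
    b"botnet=15repl\n"
    b"c2=23.108.57.200:443,103.144.139.158:443,23.106.160.52:443\n"
)
DEMO_BLOB = rc4_crypt(DEMO_KEY, DEMO_PLAINTEXT)

if __name__ == "__main__":
    print(extract_config(DEMO_BLOB, DEMO_KEY))
```

The printable-text check is the part worth keeping in a real extractor: RC4 has no integrity protection, so a wrong key never fails loudly on its own, and an extractor that skips the check will happily emit random bytes as "C2 addresses".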

Targets

    • Target

      TdndchBWGClEyG.dll

    • Size

      836KB

    • MD5

      4ec372d945f4279858d8ed93a83154b8

    • SHA1

      8c1818a64979a128808c971f5d66702fdf964660

    • SHA256

      8533d14d0d29dc3534591363aab48c0857f855a416855042de18fc428a9adeb6

    • SHA512

      8b5725b16875c372522a41ec9ef8839ccc45a3d4840176bab6bd527a4cac85490407fb8ccb8226f5b8be610127bc573ddd40872246ab4a72c85016089d25ecd3

    • SSDEEP

      12288:EjFKLyV6iAV2xGu8AcsufT43mFdWOhV5dP4nODbBYRjRYBmCkvLBxa1FiTCci1JZ:EjFKOVBA/u8jPT2pOgOmpxndx3TCc

    Score
    10/10
    • BumbleBee

      BumbleBee is a malware loader written in C++.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      required documents.lnk

    • Size

      995B

    • MD5

      32718d69a0919473c89e529b04a7cd38

    • SHA1

      d0c4c19cf77676d2827e9b9596796583d95dce37

    • SHA256

      d3c9dc14d8396686cb3c12b1a483ca30943d731f733614fda85e1039bff611c5

    • SHA512

      b1119c69fb1c1205250a10ab4893072b4ed45f38f5b0af9fdfa8a6c442f738571cd09b5767345ce47414681475bd9e57fc1526185493c9c30cb8311c96e2c4ba

    Score
    10/10
    • BumbleBee

      BumbleBee is a malware loader written in C++.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      wabPTLAqdTmbJu.bat

    • Size

      1KB

    • MD5

      9cf24d2ca62c63bf523c2ec835a26e9f

    • SHA1

      6e665d29117d318abf8318beaac265818ee990c3

    • SHA256

      9e847e0113ee63ea0bbb3e873a5a33013b45a249fb734a50bf16df986f9cfe4d

    • SHA512

      0b19e3460218c43aa00c6244cc34aa6bf786e5157db61e7d5df1adb506cd6606c163b2c6392bc84129c16daa2eb74f8d3d32e769ca5d404807f2464cab3be5d1

    Score
    10/10
    • BumbleBee

      BumbleBee is a malware loader written in C++.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger
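All three stages of the chain (LNK, BAT, DLL) trigger "Blocklisted process makes network request", and the only network indicators the report gives are the three C2 endpoints, all on 443. The following is an added example, not part of the Triage report: it matches those endpoints against outbound-connection telemetry. The log lines are constructed in a simplified Sysmon Event ID 3 style (space-separated key=value tokens); the field names, process paths and benign destination are assumptions, and only the C2 IPs and port come from the report.

```python
"""Match the report's C2 endpoints against network-connection telemetry.

Added example, not from the Triage report.  Log format, field names and
process paths below are constructed; the C2 list is from the report.
"""
from typing import Dict, List, Tuple

# C2 endpoints from the extracted config (IP -> port).
BUMBLEBEE_C2: Dict[str, int] = {
    "23.108.57.200": 443,
    "103.144.139.158": 443,
    "23.106.160.52": 443,
}


def parse_event(line: str) -> Dict[str, str]:
    """Split space-separated 'k=v' tokens; unknown tokens are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k] = v
    return fields


def match_c2(lines: List[str],
             c2: Dict[str, int] = BUMBLEBEE_C2) -> List[Tuple[str, str, int]]:
    """Return (image, dest_ip, dest_port) for outbound connections to a C2.

    Port 443 on its own is ordinary TLS traffic and never a signal, so
    both IP and port must match; only connections the host initiated count.
    """
    hits: List[Tuple[str, str, int]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue
        port = ev.get("DestinationPort", "")
        if not port.isdigit():
            continue
        dst = ev.get("DestinationIp", "")
        if c2.get(dst) == int(port):
            hits.append((ev.get("Image", "?"), dst, int(port)))
    return hits


# Constructed telemetry: one benign TLS connection (TEST-NET address), one
# process-create event that must be ignored, a same-IP connection on a
# non-C2 port, and two genuine C2 connections.
SAMPLE_EVENTS = [
    "EventID=3 Initiated=true Image=C:\\Windows\\System32\\svchost.exe "
    "DestinationIp=192.0.2.10 DestinationPort=443",
    "EventID=1 Image=C:\\Users\\user\\AppData\\Local\\Temp\\stage.exe "
    "CommandLine=stage.exe",
    "EventID=3 Initiated=true Image=C:\\Users\\user\\AppData\\Local\\Temp\\stage.exe "
    "DestinationIp=23.106.160.52 DestinationPort=80",
    "EventID=3 Initiated=true Image=C:\\Users\\user\\AppData\\Local\\Temp\\stage.exe "
    "DestinationIp=103.144.139.158 DestinationPort=443",
    "EventID=3 Initiated=true Image=C:\\Users\\user\\AppData\\Local\\Temp\\stage.exe "
    "DestinationIp=23.106.160.52 DestinationPort=443",
]

if __name__ == "__main__":
    for image, ip, port in match_c2(SAMPLE_EVENTS):
        print(f"C2 contact: {image} -> {ip}:{port}")
```

Because the C2 list is keyed by IP rather than domain, the match will age quickly; treat these addresses as indicators for the period around the sample's submission rather than as a durable signature for the family.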

MITRE ATT&CK Enterprise v6

Tasks