bumblebee | 48d585ca3a477ef7e8f0983735903335d9a5327f5fc434c222b6f551f7c0dc68 | Triage

Sharing

General

Target

AcrobatInstaller.lnk
Size

1KB
Sample

221117-tqbb3aeh55
MD5

f115333f8c6d19a22743ad549019db28
SHA1

e00bbf362c53f58af8b66dedbd44e84a46c97411
SHA256

48d585ca3a477ef7e8f0983735903335d9a5327f5fc434c222b6f551f7c0dc68
SHA512

ff7e372b39c7829e6303eaa642a3b36a45f5eeadfcb832bd692a0b14c5d67b108161c0826d8d475a8c6d595f5199e95e39d697d245a90e486ff191b369d7c90a

Score

10^/10

bumblebee 1011t1 trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://cruds-club.com/AcrobatInstaller.hta

Extracted

Family

bumblebee

Botnet

1011t1

C2

64.44.135.140:443

103.144.139.150:443

146.70.149.43:443

rc4.plain

Targets

- Target
  
  AcrobatInstaller.lnk
- Size
  
  1KB
- MD5
  
  f115333f8c6d19a22743ad549019db28
- SHA1
  
  e00bbf362c53f58af8b66dedbd44e84a46c97411
- SHA256
  
  48d585ca3a477ef7e8f0983735903335d9a5327f5fc434c222b6f551f7c0dc68
- SHA512
  
  ff7e372b39c7829e6303eaa642a3b36a45f5eeadfcb832bd692a0b14c5d67b108161c0826d8d475a8c6d595f5199e95e39d697d245a90e486ff191b369d7c90a
Score

10^/10

bumblebee 1011t1 trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bumblebee1011t1trojan

behavioral3

bumblebee1011t1trojan