bumblebee | 2911bdd99140387cbc8761826aacc3c9de0ccb511255aa58790955d8337e2edf

Resubmissions

18-11-2022 10:31

221118-mkb8vada8z 10

18-11-2022 01:25

221118-bsyw2agc55 3

Analysis

max time kernel
140s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UkBuGFiaRxAAfl.dll
Size

970KB
MD5

a779d5cf3fa450bdf0f540054861ba62
SHA1

4fe25852f69640e87e240b5e4bc46fdfc76782c7
SHA256

2911bdd99140387cbc8761826aacc3c9de0ccb511255aa58790955d8337e2edf
SHA512

1db51d312dfa647038d2c0c9afbd11852b4bdb177a07894f84db04d3547a3d06257900c597f9bb514bfcdcfd027fbcbe22552dbf73262f8f6e30920025ea3f50
SSDEEP

12288:ZZ33fS04yxlif6aS8dqJJzkvyo4w9faJ+1NEDeX4d8FWkPQz8028ez+R7Fnjmz2q:ZZ33agIddqFY9CJ+1V4oWdY8ec7BjI4

Score

10^/10

bumblebee 1711 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1711

193.200.16.175:443

54.37.130.195:443

64.44.97.58:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1704	rundll32.exe
4	1704	rundll32.exe
5	1704	rundll32.exe
6	1704	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1704	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	1764	WerFault.exe	15

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1508	AUDIODG.EXE
Token: 33	1508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1508	AUDIODG.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1712	1764	rundll32.exe	28
PID 1764 wrote to memory of 1712	1764	rundll32.exe	28
PID 1764 wrote to memory of 1712	1764	rundll32.exe	28
PID 932 wrote to memory of 1628	932	cmd.exe	34
PID 932 wrote to memory of 1628	932	cmd.exe	34
PID 932 wrote to memory of 1628	932	cmd.exe	34
PID 932 wrote to memory of 1704	932	cmd.exe	35
PID 932 wrote to memory of 1704	932	cmd.exe	35
PID 932 wrote to memory of 1704	932	cmd.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\UkBuGFiaRxAAfl.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1764 -s 84
  2⤵
  - Program crash
  PID:1712

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1412

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\system32\rundll32.exe
  rundll32.exe UkBuGFiaRxAAfl.dll #1
  2⤵
  PID:1628
- C:\Windows\system32\rundll32.exe
  rundll32.exe UkBuGFiaRxAAfl.dll #2
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1412-55-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1704-58-0x0000000001F20000-0x0000000002069000-memory.dmp

Filesize
1.3MB

Download
memory/1704-59-0x0000000001D60000-0x0000000001DD8000-memory.dmp

Filesize
480KB

Download