bumblebee | 68c45ecdd246af91511001d1e6cd8ba7dc28713663ba86386c942cc3af07a66a | Triage

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 09:50

Sharing

Report Analysis Logs

General

Target

maidservant/heedlessness.dll
Size

883KB
MD5

0d8b2bd512ec93a266ffb0eead07cfdc
SHA1

a9c4f7ef2e38f0051ea241cf3c0a9f16ecbad14e
SHA256

4cd62e4c1642e835def5cc284a2f81b0124f0126719be659e6439d14fb17841d
SHA512

c403b8f708d9b3eb49d1d6a07f20a00efdafd62c46655f3517515cd2cd2922ae86473d657676685b372b1fa04c9b38e22de8378c34548c275a7397af5d53f05b
SSDEEP

24576:wvDDsTC8SzD4CqlvwzB/HG0sA9XzjbJG6GMAR0D:wvDDsTSH4C2vwVB9Xzjt

Score

10^/10

bumblebee 0211r trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0211r

C2

193.109.120.156:443

192.111.146.184:443

104.219.233.113:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
30	1616	rundll32.exe
42	1616	rundll32.exe
45	1616	rundll32.exe
50	1616	rundll32.exe
51	1616	rundll32.exe
52	1616	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1616	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\maidservant\heedlessness.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-132-0x000001B1DCE00000-0x000001B1DCF49000-memory.dmp

Filesize
1.3MB

Download
memory/1616-133-0x000001B1DCC40000-0x000001B1DCCB6000-memory.dmp

Filesize
472KB

Download