bumblebee | 95a37ee707f673e561f3a8dbb27927f7140b8541c12eb805bf47613adc36b584

Resubmissions

30-11-2022 14:23

221130-rqendabf91 10

29-11-2022 07:29

221129-ja8yaaca8y 1

Analysis

max time kernel
204s
max time network
243s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

taxonomy.dll
Size

1.1MB
MD5

f8a6948b927d6a0408679fc623994571
SHA1

2246524678f02ca6e76d861f29a6a3642309fafe
SHA256

95a37ee707f673e561f3a8dbb27927f7140b8541c12eb805bf47613adc36b584
SHA512

35bbc85f172b4edbdc13aade1db745c6f991533a9c2754ad2223a0358e078df2ab373c4846cb9e0262f749b7bd6de8d1fdd0eeda670b19acc50408b54cb8fb77
SSDEEP

24576:DYDUU4/rSJXCy6hPKfGjQIr0or/yMSjJfMKAXEek9oHpPF:DYQUE+J0jQc9riYXzn

Score

10^/10

bumblebee 2811 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

2811

108.62.118.70:443

104.219.233.41:443

142.11.199.235:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2016	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2016	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1800	1708	WerFault.exe	33
932	880	WerFault.exe	35

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1104	AUDIODG.EXE
Token: 33	1104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1104	AUDIODG.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1708	2032	cmd.exe	33
PID 2032 wrote to memory of 1708	2032	cmd.exe	33
PID 2032 wrote to memory of 1708	2032	cmd.exe	33
PID 1708 wrote to memory of 1800	1708	rundll32.exe	34
PID 1708 wrote to memory of 1800	1708	rundll32.exe	34
PID 1708 wrote to memory of 1800	1708	rundll32.exe	34
PID 2032 wrote to memory of 880	2032	cmd.exe	35
PID 2032 wrote to memory of 880	2032	cmd.exe	35
PID 2032 wrote to memory of 880	2032	cmd.exe	35
PID 880 wrote to memory of 932	880	rundll32.exe	36
PID 880 wrote to memory of 932	880	rundll32.exe	36
PID 880 wrote to memory of 932	880	rundll32.exe	36
PID 2032 wrote to memory of 2016	2032	cmd.exe	37
PID 2032 wrote to memory of 2016	2032	cmd.exe	37
PID 2032 wrote to memory of 2016	2032	cmd.exe	37

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\taxonomy.dll,#1
1⤵
PID:1628

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x188
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\rundll32.exe
  rundll32.exe taxonomy.dll #2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1708 -s 84
    3⤵
    - Program crash
    PID:1800
- C:\Windows\system32\rundll32.exe
  rundll32.exe taxonomy.dll #3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 880 -s 84
    3⤵
    - Program crash
    PID:932
- C:\Windows\system32\rundll32.exe
  rundll32.exe taxonomy.dll #4
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-54-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download
memory/2016-60-0x0000000002010000-0x0000000002159000-memory.dmp

Filesize
1.3MB

Download
memory/2016-61-0x0000000000190000-0x0000000000206000-memory.dmp

Filesize
472KB

Download