bumblebee | 95a37ee707f673e561f3a8dbb27927f7140b8541c12eb805bf47613adc36b584

Resubmissions

30-11-2022 14:23

221130-rqendabf91 10

29-11-2022 07:29

221129-ja8yaaca8y 1

Analysis

max time kernel
186s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

taxonomy.dll
Size

1.1MB
MD5

f8a6948b927d6a0408679fc623994571
SHA1

2246524678f02ca6e76d861f29a6a3642309fafe
SHA256

95a37ee707f673e561f3a8dbb27927f7140b8541c12eb805bf47613adc36b584
SHA512

35bbc85f172b4edbdc13aade1db745c6f991533a9c2754ad2223a0358e078df2ab373c4846cb9e0262f749b7bd6de8d1fdd0eeda670b19acc50408b54cb8fb77
SSDEEP

24576:DYDUU4/rSJXCy6hPKfGjQIr0or/yMSjJfMKAXEek9oHpPF:DYQUE+J0jQc9riYXzn

Score

10^/10

bumblebee 2811 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

2811

108.62.118.70:443

104.219.233.41:443

142.11.199.235:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 3 IoCs

flow	pid	Process
68	1800	rundll32.exe
82	1800	rundll32.exe
93	1800	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1800	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2652	2560	cmd.exe	86
PID 2560 wrote to memory of 2652	2560	cmd.exe	86
PID 2560 wrote to memory of 1800	2560	cmd.exe	87
PID 2560 wrote to memory of 1800	2560	cmd.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\taxonomy.dll,#1
1⤵
PID:3372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\system32\rundll32.exe
  rundll32.exe taxonomy.dll #2
  2⤵
  PID:2652
- C:\Windows\system32\rundll32.exe
  rundll32.exe taxonomy.dll #4
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-134-0x0000026D99040000-0x0000026D99189000-memory.dmp

Filesize
1.3MB

Download
memory/1800-135-0x0000026D974B0000-0x0000026D97526000-memory.dmp

Filesize
472KB

Download