bumblebee | fbd403eb77a8afdd3c5036235e8afc3256b1da2c5cdc216f319e4fa71f898852 | Triage

Sharing

General

Target

Files.zip
Size

806KB
Sample

221208-yagalaea9w
MD5

50d7192eff771113b287ca776fe56037
SHA1

22a54858187196b08b0a79c670a846e4d6c86488
SHA256

fbd403eb77a8afdd3c5036235e8afc3256b1da2c5cdc216f319e4fa71f898852
SHA512

9b60b3151df993139c7d1119b683e33f059facbdcdc03e110e32c3d60e37b20ffbeb5943da7226d0b0a0c1b684e9297212aa22ca501e8c5052fbb30a1c9749ee
SSDEEP

12288:1aS9RQgkIpTkYh/wFC3fw5IoM/W5jVGtZKKe3CzLgDDYStREvoPlwxoEXRafxf21:r9HgYqFSu555xKLgDDYC4ElwZiRlLQAY

Score

10^/10

bumblebee 0812 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0812

C2

86.106.87.135:443

51.83.248.182:443

23.82.128.116:443

rc4.plain

Targets

- Target
  
  conf.bat
- Size
  
  3KB
- MD5
  
  e3fa7caf070132a2fe880ca6dcfede6a
- SHA1
  
  51a5b1e0f82449005c5c4864a6e777a3df39686f
- SHA256
  
  0cedb3a30881245f9283181855e0d60e8299bbd0a676b7cc493012b9cda00427
- SHA512
  
  c40d2593d5484a08a2885f3cb28e15703707f434ee0f6fe7552329bbb8de7c8a9d7dbd4e0c966b583bfafa2eabe0a9ae3927e353b003f6488a2830885e3b0376
Score

10^/10

bumblebee 0812 trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  list.lnk
- Size
  
  1KB
- MD5
  
  6d6c8abcd4144c4ea09d7f1b759d93b7
- SHA1
  
  9141c9c89ce1fe76bffd88c4aa1d6c4c0b2ccbbc
- SHA256
  
  068901e007a00393ac50592d599b473149fae5f1b559b6240952f3866a167973
- SHA512
  
  80f8bceb3c8978b8da3a4387dc43b2cb647cc89d5fd2e347dd6fcbe74ca2733b5a14921f883ba0d741f2a7ce4e32e605ab81d799664d56f3bc71fe3912010547
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4
- Target
  
  tutorials.dll
- Size
  
  1.5MB
- MD5
  
  955124cf3130441f0b93fa0c87c02137
- SHA1
  
  0acd91c4631f7643d0ad242665d1d7baadabab5f
- SHA256
  
  35afd5a5aadaab873a895fccf8bfaef61a68c1f364dc99f309f3c3b8c718d65d
- SHA512
  
  f6dce4ebb9e98f9bc68a29551575c4d0357d2322f0f1d35715317e6a6794d2ebdc8cd707b70d1e7f35c7ca2110aa3ed9aabacf7d0404a73ef54bafb108a871dd
- SSDEEP
  
  24576:yUwx8mbsebGYPZVnJop5CzD7FKNn7uaxECSirfDy:VwzwYtNJID
Score

10^/10

bumblebee 0812 trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bumblebee0812trojan

behavioral3

behavioral4

behavioral5

bumblebee0812trojan

behavioral6

bumblebee0812trojan