bumblebee | 1a06b268c8398494eff8a3e8532415383b6384552158ba26ad56f054814f4b25 | Triage

Analysis

max time kernel
15s
max time network
22s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
07-02-2023 19:08

Sharing

Report Analysis Logs

General

Target

maidservant/changeability.dll
Size

883KB
MD5

c5f2f4f62a273ddebaa72be2bc60aa96
SHA1

ec0e5be2eb48abd1f8f7d768c51280bb52e8dd35
SHA256

56088c0abddea8f5af72f2e212d1da5688cc3c67e6587e5885107d6b900c37bb
SHA512

02fb65e5907611765f4df50483bbc8f9f5ba25115f986c0582b5ee1f20ec0cccc37cc875c8f9a5594a924def19e87cb0931e723d48333da217392b905414d085
SSDEEP

24576:bl7tQ/ikPAknx9XfzPXMRrMnSUcQBlmzrle2:bl7i/i+A297PXMn3QBlOe

Score

10^/10

bumblebee 0211r trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0211r

C2

193.109.120.156:443

192.111.146.184:443

104.219.233.113:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3712	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3716	3712	WerFault.exe	54

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\maidservant\changeability.dll,#1
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:3712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3712 -s 384
  2⤵
  - Program crash
  PID:3716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3712-116-0x00000290F14F0000-0x00000290F1639000-memory.dmp

Filesize
1.3MB

Download
memory/3712-117-0x00000290EF890000-0x00000290EF906000-memory.dmp

Filesize
472KB

Download