
Analysis

  • max time kernel: 131s
  • max time network: 148s
  • platform: windows10-2004_x64
  • resource: win10v2004-20221111-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 18/02/2023, 13:51 UTC

General

  • Target: network.dll
  • Size: 1.0MB
  • MD5: fb98aec6e04559be2d5ff6e1b7dc5260
  • SHA1: b83066ae84db1df91ede9fc323ca696085f378f2
  • SHA256: c181c20d4efe8312d3d6a4de770febe8f48c92e78a4f7dfa7d011bba58ad8b67
  • SHA512: 17dd94fd6f4fc9d1f3444c54516ce5daca5f2ecd306222270fcab01a1abc9e01247732dce9b3afdd813491d3b0f969cad2cbb080cc02eb09f025e9de48186a5c
  • SSDEEP: 24576:ZgqqFfeeOby7LSjsfIMLkC8Jsc0Q+8VC7skZ:NqFVLIsActoC

Score: 10/10

Malware Config

Extracted

  • Family: bumblebee
  • Botnet: 132lg
  • C2:
    205.185.113.34:443
    103.144.139.146:443
    23.106.223.222:443
    95.168.191.248:443
    23.106.223.182:443
    146.70.29.237:443
  • rc4.plain:
    1. XNgHUGLrCD

Signatures

  • BumbleBee
    BumbleBee is a webshell malware written in C++.
  • Blocklisted process makes network request (7 IoCs)
  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)

Processes

  • C:\Windows\system32\rundll32.exe (PID 4776)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\network.dll,#1
    Signatures triggered:
    • Blocklisted process makes network request
    • Suspicious use of NtCreateThreadExHideFromDebugger

Network

  • HTTP (flag-us): GET https://205.185.113.34/gatew
    Process: rundll32.exe
    Remote address: 205.185.113.34:443
    Request:
      GET /gatew HTTP/1.1
      Upgrade: websocket
      Connection: upgrade
      Sec-WebSocket-Key: ALvUs6gIcVKNsqR1QkJM+g==
      Sec-WebSocket-Version: 13
      Host: 205.185.113.34
      User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
    Response:
      HTTP/1.0 403 Forbidden
      cache-control: no-cache
      content-type: text/html
  • DNS (flag-us): 103.169.127.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 103.169.127.40.in-addr.arpa IN PTR
    Response: (none recorded)

Connections (remote address, protocol, process, traffic figures as reported):

  • 12.32.96.111:424 / rundll32.exe / 260 B / 5
  • 205.185.113.34:443 / tls, http / rundll32.exe / 839 B / 1.7kB / 7 / 6
    HTTP Request: GET https://205.185.113.34/gatew
    HTTP Response: 403
  • 44.216.219.17:436 / rundll32.exe / 260 B / 5
  • 20.42.73.24:443 / 322 B / 7
  • 104.80.225.205:443 / 322 B / 7
  • 72.21.81.240:80 / 322 B / 7
  • 72.21.81.240:80 / 322 B / 7
  • 72.21.81.240:80 / 322 B / 7
  • 214.78.212.232:130 / rundll32.exe / 260 B / 5
  • 93.184.221.240:80 / 322 B / 7
  • 148.231.175.31:428 / rundll32.exe / 260 B / 5
  • 108.162.207.198:120 / rundll32.exe / 260 B / 5
  • 60.225.51.127:461 / rundll32.exe / 260 B / 5
  • 8.8.8.8:53 / dns / 73 B / 147 B / 1 / 1
    DNS Request: 103.169.127.40.in-addr.arpa


Downloads

  • memory/4776-133-0x0000025CCF1B0000-0x0000025CCF22F000-memory.dmp (Filesize: 508KB)
  • memory/4776-132-0x0000025CD0CE0000-0x0000025CD0E41000-memory.dmp (Filesize: 1.4MB)
