Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/02/2023, 23:33 UTC

General

  • Target

    Contract_02_21_Copy#48.exe

  • Size

    1.4MB

  • MD5

    5ac5d2bfb46d310338ad8bb70a0b562d

  • SHA1

    bf07b0e67bb50fec99ff89b17ec6d4f8a19a57e0

  • SHA256

    05aa0587937c153ffbd573c6ba35a446e7c9eae62a39308d6e800e127156c468

  • SHA512

    0ff11a63877ff9e1dfb3abb58ca565754571d8da6cfb180c4926ff97921a8c207eb5ffd6fb53593f7342c1b602c7a9fefa86f1a34a6663f7aac956bfb1fd252f

  • SSDEEP

    24576:XS9VBCocBwQ4v4by+6WUjI9+Wq6w6bX2du9RXr+3:C9CJBp9WHFIJq6Pbmd2RXW

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

21maca

C2

108.62.141.20:443

104.168.140.145:443

51.68.145.171:443

108.62.118.170:443

192.119.72.133:443

23.108.57.201:443

rc4.plain
1
XNgHUGLrCD

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#48.exe
    "C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#48.exe"
    1⤵
    • Suspicious use of NtCreateThreadExHideFromDebugger
    PID:4732

Network

  • flag-us
    DNS
    44.8.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    44.8.109.52.in-addr.arpa
    IN PTR
    Response
  • 40.193.27.226:315
    Contract_02_21_Copy#48.exe
    260 B
    5
  • 13.69.109.130:443
    322 B
    7
  • 197.170.198.152:234
    Contract_02_21_Copy#48.exe
    260 B
    5
  • 93.184.221.240:80
    322 B
    7
  • 173.223.113.164:443
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 163.223.67.191:321
    Contract_02_21_Copy#48.exe
    260 B
    5
  • 73.237.181.95:225
    Contract_02_21_Copy#48.exe
    260 B
    5
  • 210.251.33.116:444
    Contract_02_21_Copy#48.exe
    260 B
    5
  • 84.35.30.131:488
    Contract_02_21_Copy#48.exe
    260 B
    5
  • 112.55.152.187:175
    Contract_02_21_Copy#48.exe
    104 B
    2
  • 8.8.8.8:53
    44.8.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    44.8.109.52.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • memory/4732-133-0x000001A16D490000-0x000001A16D5F1000-memory.dmp

    Filesize

    1.4MB

  • memory/4732-134-0x000001A16D490000-0x000001A16D5F1000-memory.dmp

    Filesize

    1.4MB

  • memory/4732-135-0x000001A16D490000-0x000001A16D5F1000-memory.dmp

    Filesize

    1.4MB

  • memory/4732-136-0x000001A16D180000-0x000001A16D20B000-memory.dmp

    Filesize

    556KB