Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
21/02/2023, 23:33 UTC
General
-
Target
Contract_02_21_Copy#48.exe
-
Size
1.4MB
-
MD5
5ac5d2bfb46d310338ad8bb70a0b562d
-
SHA1
bf07b0e67bb50fec99ff89b17ec6d4f8a19a57e0
-
SHA256
05aa0587937c153ffbd573c6ba35a446e7c9eae62a39308d6e800e127156c468
-
SHA512
0ff11a63877ff9e1dfb3abb58ca565754571d8da6cfb180c4926ff97921a8c207eb5ffd6fb53593f7342c1b602c7a9fefa86f1a34a6663f7aac956bfb1fd252f
-
SSDEEP
24576:XS9VBCocBwQ4v4by+6WUjI9+Wq6w6bX2du9RXr+3:C9CJBp9WHFIJq6Pbmd2RXW
Score
10/10
Malware Config
Extracted
Family
bumblebee
Botnet
21maca
C2
108.62.141.20:443
104.168.140.145:443
51.68.145.171:443
108.62.118.170:443
192.119.72.133:443
23.108.57.201:443
rc4.plain
1
XNgHUGLrCD
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#48.exe"C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#48.exe"1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
Network
-
DNS44.8.109.52.in-addr.arpaRemote address:8.8.8.8:53Request44.8.109.52.in-addr.arpaIN PTRResponse
-
40.193.27.226:315
-
13.69.109.130:443 -
197.170.198.152:234 -
93.184.221.240:80
-
173.223.113.164:443
-
93.184.221.240:80
-
163.223.67.191:321 -
73.237.181.95:225
-
210.251.33.116:444 -
84.35.30.131:488
-
112.55.152.187:175
-
8.8.8.8:5344.8.109.52.in-addr.arpadns
DNS Request
44.8.109.52.in-addr.arpa
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
556KB