bumblebee | b6d05d8f7f1f946806cd70f18f8b6af1b033900cfaa4ab7b7361b19696be9259

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2023 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.ps1
Size

2.2MB
MD5

fcdf0ba1ce0384e1a55a9191d2761da0
SHA1

4454a27ff9f40d54231820f2b3352f55556c0533
SHA256

b6d05d8f7f1f946806cd70f18f8b6af1b033900cfaa4ab7b7361b19696be9259
SHA512

9c850cbb4e03715d392f01ae6c7916c4479e01e812040ba1ae5033a36bbfeea073c075c1eb05febc9a16d8d4c98b0e9f32d3c883739ad0bdb163945fe280fa11
SSDEEP

24576:4q2pALU9NJAWAdsCR7RIuXAxXgP0WEY/2DwF/mxUrF0ExGyP:SA4nJAlkfg9iG/1xb

Score

10^/10

bumblebee 202lg trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

202lg

104.168.157.253:443

209.141.40.19:443

107.189.5.17:443

23.254.167.63:443

91.206.178.234:443

146.19.173.86:443

103.175.16.104:443

194.135.33.85:443

173.234.155.246:443

51.68.144.43:443

172.86.120.111:443

160.20.147.242:443

51.75.62.204:443

205.185.113.34:443

194.135.33.184:443

23.82.140.155:443

185.173.34.35:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 8 IoCs

flow	pid	Process
6	3736	powershell.exe
8	3736	powershell.exe
16	3736	powershell.exe
27	3736	powershell.exe
29	3736	powershell.exe
31	3736	powershell.exe
33	3736	powershell.exe
38	3736	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3736	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3736	powershell.exe
3736	powershell.exe
3736	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 2796	3736	powershell.exe	83
PID 3736 wrote to memory of 2796	3736	powershell.exe	83
PID 2796 wrote to memory of 2784	2796	csc.exe	85
PID 2796 wrote to memory of 2784	2796	csc.exe	85
PID 3736 wrote to memory of 3068	3736	powershell.exe	86
PID 3736 wrote to memory of 3068	3736	powershell.exe	86
PID 3068 wrote to memory of 1876	3068	csc.exe	87
PID 3068 wrote to memory of 1876	3068	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\documents.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqm0mwkj\jqm0mwkj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7738.tmp" "c:\Users\Admin\AppData\Local\Temp\jqm0mwkj\CSC21696BA94A81413C9F2E48C846F223A.TMP"
    3⤵
    PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\34ibnmhc\34ibnmhc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES834E.tmp" "c:\Users\Admin\AppData\Local\Temp\34ibnmhc\CSC2E62710446A49D699F8C69334C8D8F.TMP"
    3⤵
    PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\34ibnmhc\34ibnmhc.dll

Filesize
3KB

MD5
91924f7e72e856ac05f7308497484546

SHA1
1af5f7dbbdd7fef34e3dc3cf60d26014a5158333

SHA256
dbcda666a29d51d061974824f778fb9e73d5f801c7723fbd788df24a891fce58

SHA512
e59808f56749eb5522200c50effb40cf4aa75d4f77848d206996a423df3304b58e6ebf056eb41758491e5ead17e73cfa0263c6997fbe2668aa603d2929c9bf39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7738.tmp

Filesize
1KB

MD5
05dbed8cfbc455538ddbf35e42e904b3

SHA1
96c588ea9e82ff4ab2e0434444c52b844796462b

SHA256
309fcf6513fc38a79cc1ac846a8db6c5cab77764e93460732ec917ba3f86a3ba

SHA512
f5fcccb0af4b557170fbeeb5cc0ede6c270c4d3e33c20c0693f8d906719bf0cf104999dccd1e49ebb506145d4c28337a7414811dc10a55f1b2bacc9a453aba86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES834E.tmp

Filesize
1KB

MD5
d3f730184823bcad1c79a4212c1b7011

SHA1
65608d1db1d44b54cb091dd2dd32ee1b28509866

SHA256
4c46c684655c335ab231c7848f4b38aa482a8f162e74862c566b0e9bf52f0186

SHA512
1ceafadc3d5fb9d4f1a3a928a04d875ebaae8741d7d69084811063efea81de690978535c2d258f82887d176341f58f75133c22dcf47534de58182bb3bdf5331f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cz2zpc0r.rfc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqm0mwkj\jqm0mwkj.dll

Filesize
3KB

MD5
73eafc30cff9f14c33766034f954bf05

SHA1
d24a9fade093770631a0124a896904d15d6fcf58

SHA256
dfee8d4ab69e7b70408d545f033dfb0543f22ecaebff37afe7481c659cfa0d12

SHA512
d9e50494c3dca47f9db4ec3f2a22cc1de01b209f4086addeef04b31417fec986ca2f5db34adbc0f1c81adedabecc1cf0a052e543804ba27b752e02f2a3f6e0bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\34ibnmhc\34ibnmhc.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\34ibnmhc\34ibnmhc.cmdline

Filesize
369B

MD5
9f29f1d1f7e7fcced104ad391450f65c

SHA1
840133775c1bfbdf737d4d02d3a60a26328998b7

SHA256
bd1b84fb57d85e6bc89de72ba5a6c6640363931a87547831891df6511214f4cd

SHA512
3d52589740f671f218c34fbf502119bc19b76dc6c39cc7b895fc67b9d26cc6a10676456b51e27476e59dd422b5b58e11c3513d5805264e1f2f75f63c39a2259c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\34ibnmhc\CSC2E62710446A49D699F8C69334C8D8F.TMP

Filesize
652B

MD5
4c40ef5cd2c0db1941e4f224d7bf0af8

SHA1
e44684e9f0bf4d500cac3e9c5fbbf2e6bef5a0de

SHA256
a9cec6f4c1523ef6ee2df417a6fedc5d3311e9e95f1d97688520bf97206772b2

SHA512
d7f1d38020b272547bb440bf25e9c2219388be14b55f374dbaaccb2b3c18faa0a35996675a97bdaab7ad54f29c6b11d76399cedc3293db403a8d3c4c0a0f99f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqm0mwkj\CSC21696BA94A81413C9F2E48C846F223A.TMP

Filesize
652B

MD5
7ff9cc5f163f2835b73a38beb12dceb0

SHA1
38af6ae220f499175ffc6995bffc299b43218207

SHA256
55cb6e0dd398438b4f40d6aa97e9197219b9a48ef811d2e438622230e0a6d629

SHA512
e6fc08a63a693571acfb92e2796944db3f921bc2c60e658709285d02391ac46a0e434d32a38d3f4bcd3fa20858a72280832b77ff5c4ccc6ecefa286ff9c1b91c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqm0mwkj\jqm0mwkj.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqm0mwkj\jqm0mwkj.cmdline

Filesize
369B

MD5
216d30a94b56b290177c147fc4ff3dd8

SHA1
587e25d17a84b7fc7f18859fbeb0d8fb802dc9a8

SHA256
b872a2e6ad18e6068a3c5e2b0346f05059207c8c5d4fae33c1bf46af3c5965a7

SHA512
433e75b902c05fe7c073ad3403b7ebd23fbd978017b5255b570116ec53df9914cd4aacc4f219fb2e4441d897885b7b517cfd7de4dccb04f527af92da2e4931a7

Download Submit
memory/3736-180-0x00007FF9E2030000-0x00007FF9E2031000-memory.dmp

Filesize
4KB

Download
memory/3736-181-0x000001CFF9BF0000-0x000001CFF9D64000-memory.dmp

Filesize
1.5MB

Download
memory/3736-135-0x000001CFF6BD0000-0x000001CFF6BF2000-memory.dmp

Filesize
136KB

Download
memory/3736-134-0x000001CFF6C30000-0x000001CFF6C40000-memory.dmp

Filesize
64KB

Download
memory/3736-172-0x000001CFF9A70000-0x000001CFF9BE4000-memory.dmp

Filesize
1.5MB

Download
memory/3736-178-0x000001CFF9BF0000-0x000001CFF9D64000-memory.dmp

Filesize
1.5MB

Download
memory/3736-148-0x000001CFF6C30000-0x000001CFF6C40000-memory.dmp

Filesize
64KB

Download
memory/3736-133-0x000001CFF6C30000-0x000001CFF6C40000-memory.dmp

Filesize
64KB

Download
memory/3736-179-0x000001CFF6C30000-0x000001CFF6C40000-memory.dmp

Filesize
64KB

Download
memory/3736-182-0x000001CFF9BF0000-0x000001CFF9D64000-memory.dmp

Filesize
1.5MB

Download
memory/3736-184-0x000001CFF9BF0000-0x000001CFF9CAE000-memory.dmp

Filesize
760KB

Download
memory/3736-186-0x000001CFF6C30000-0x000001CFF6C40000-memory.dmp

Filesize
64KB

Download
memory/3736-187-0x000001CFF6C30000-0x000001CFF6C40000-memory.dmp

Filesize
64KB

Download
memory/3736-188-0x000001CFF6C30000-0x000001CFF6C40000-memory.dmp

Filesize
64KB

Download
memory/3736-189-0x00007FF9E2030000-0x00007FF9E2031000-memory.dmp

Filesize
4KB

Download