bumblebee | 4b7bd61d8985e4bda823bed25986c52da45cf519b04661980db35060ae5ca3b1

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2023 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.ps1
Size

1.1MB
MD5

b4a6a5b0288f7b644091dd82b537999f
SHA1

c4764431b56e9c59b13496e4ab11209633604128
SHA256

4b7bd61d8985e4bda823bed25986c52da45cf519b04661980db35060ae5ca3b1
SHA512

20673f83f887b96ca0701b6673d146b0c486f60a9b5c56b0a7de2a55f4a19468350ca86eb35fb0bd5bc4b599757fcf2fa2c04730a8b4a21ae6acb3bfa9c4cb1a
SSDEEP

24576:BTwzO2B32tGRDSrH+KxAvjncxPteQcE8Z5pa2Oz9WabsKqRasT/TyMNY:DbbKgPIQSrPOxhsKszWgY

Score

10^/10

bumblebee 202lg trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

202lg

104.168.157.253:443

209.141.40.19:443

107.189.5.17:443

23.254.167.63:443

91.206.178.234:443

146.19.173.86:443

103.175.16.104:443

194.135.33.85:443

173.234.155.246:443

51.68.144.43:443

172.86.120.111:443

160.20.147.242:443

51.75.62.204:443

205.185.113.34:443

194.135.33.184:443

23.82.140.155:443

185.173.34.35:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 8 IoCs

flow	pid	Process
22	1824	powershell.exe
24	1824	powershell.exe
26	1824	powershell.exe
30	1824	powershell.exe
37	1824	powershell.exe
39	1824	powershell.exe
41	1824	powershell.exe
42	1824	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1824	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1412	1824	powershell.exe	83
PID 1824 wrote to memory of 1412	1824	powershell.exe	83
PID 1412 wrote to memory of 1296	1412	csc.exe	84
PID 1412 wrote to memory of 1296	1412	csc.exe	84
PID 1824 wrote to memory of 4304	1824	powershell.exe	85
PID 1824 wrote to memory of 4304	1824	powershell.exe	85
PID 4304 wrote to memory of 224	4304	csc.exe	86
PID 4304 wrote to memory of 224	4304	csc.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\documents.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xm3dix32\xm3dix32.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85CF.tmp" "c:\Users\Admin\AppData\Local\Temp\xm3dix32\CSCADD517DB68074382871E3DD8A6B395C.TMP"
    3⤵
    PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z2ia2oq3\z2ia2oq3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91E4.tmp" "c:\Users\Admin\AppData\Local\Temp\z2ia2oq3\CSC24E48E4BD71943DF88CEF3684387D83.TMP"
    3⤵
    PID:224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES85CF.tmp

Filesize
1KB

MD5
a64dce89208552fdda3cb9db7664c8f5

SHA1
586fb42d4ff484bde899a6eb11f0b91b0e9817d9

SHA256
84141cc04214da36345d8dbff78cb6b47b052e791dea1b35a571e6f4d011a766

SHA512
704ff283de84e8cc5b7d087cc216037cf28a6f8622768e68179734c967c04ce01e91f49768c11cad8e3d770ff309a40fd3169e309cf2199dfd3596b5c19cb796

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91E4.tmp

Filesize
1KB

MD5
ecebb15073c5c3d7f3e4181bae07aa82

SHA1
9c97dfd25910f0d331ae0cf6375c0fa4ce952cb9

SHA256
9f9bba264095b94c2860dfaba753b424246d3db77283194d4b9aa47162aa6f98

SHA512
b396e9914cc3eb7468576603526cf44d35dee0a98a91fb29eec533bea04d56a3aaef071930c5944534dd9da67b24d8c39739a95a62bed300e61d0aab29609e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svkixsil.afc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm3dix32\xm3dix32.dll

Filesize
3KB

MD5
a7782541a3340944fe2ab3e2d66d01ea

SHA1
9465d3ee4a6798698e8da0f3dc7e4869726b41ed

SHA256
8187d87b0eb141708fd71f9fb6bae0094348acc73736235be773ecee20308087

SHA512
5662fccb597bde45c9b4fd42a9308aaaf9ddfff7b72ece2078556cd0aae42dc9fb31a57c9603cfed9d7439a105367ebe2f6c6482151f6f8c473ab539af1f1be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2ia2oq3\z2ia2oq3.dll

Filesize
3KB

MD5
94578e9559e43f01481e2d9330f8f971

SHA1
76bc158da29aedb0b2b8af86e2305960424f2923

SHA256
cdf73d2d0e44febe4f245399fd93242e544fdb9e23e3866d66238673543bb7dd

SHA512
29bf4ddab69f45c4f8400f525d63268b3e8507e4b0ac95ae12333fbd6bfc18eebd4bd36fe6cdbc402faac3398bba12cb15784b703c0e0a0ce63e7f9ad6bba6a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xm3dix32\CSCADD517DB68074382871E3DD8A6B395C.TMP

Filesize
652B

MD5
3a3b8810a5a52f8ea507356212e460c9

SHA1
665b2cab49bec54a141676b12ebafa85b988c677

SHA256
f8fbc5aa66a6456b64302a01793a1dffefc380f32a004c3396a1ec81768c34aa

SHA512
4df736557d080a20b6801aeb29152a77ffb785a7819d5fe4491788e58ab7e8f56390956e4b750abe59d9bbffc13cd0a2e796a5eff841357d90aaa3903d40c8dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xm3dix32\xm3dix32.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xm3dix32\xm3dix32.cmdline

Filesize
369B

MD5
da19b3e314952c9eedcf07bffd8da943

SHA1
6a7a24de4f5e9d8ab2390c02aacdef7e93d02258

SHA256
d28d73d4fcf1093897a49ba8a6ab8e6e1a31feb97d7e16953fdfe1617bb784a7

SHA512
4f82e63673ddf997a3e6494ffb8df4dd07125fdb565eb50b663768a455f64af8b670c168104531f19bbb1424250695dba2665aee12f1daf4382732d0b08b934b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z2ia2oq3\CSC24E48E4BD71943DF88CEF3684387D83.TMP

Filesize
652B

MD5
52de8da61dacf4c3e6c5b99b265a74e9

SHA1
743fe0cd146924f0a12e891a8ec5334de70bc856

SHA256
346852a79423ed74535000d9c45455978cf719b02d7c461c8406857be738a716

SHA512
5c2593bd05fa86497b8c48b08810619c3f0a0a9ce5e737b52124daf4eedc3b0c144269368779ade789e8bf7c28b99d4cd2c246afa58ef5082afec688d5511b15

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z2ia2oq3\z2ia2oq3.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z2ia2oq3\z2ia2oq3.cmdline

Filesize
369B

MD5
4d9e846ffb5e7aa3703c0a802f7baf7e

SHA1
f9922a2a72dcc877f55feb02ebf71782b7a0f863

SHA256
c91e5a994282ff6483b77aa4107a9b6e0b619c67c5c87886f05826a63064e035

SHA512
73941faa7c7d5befb97b15eb2de5fb1bf74477dad577785212c4a6d7a6b56747d55f574ee72b17e1d43e7066f29d70aabed335c97cde1d952cb59518abd3f052

Download Submit
memory/1824-179-0x000001A57B180000-0x000001A57B2F4000-memory.dmp

Filesize
1.5MB

Download
memory/1824-133-0x000001A57AC30000-0x000001A57AC52000-memory.dmp

Filesize
136KB

Download
memory/1824-144-0x000001A578130000-0x000001A578140000-memory.dmp

Filesize
64KB

Download
memory/1824-143-0x000001A578130000-0x000001A578140000-memory.dmp

Filesize
64KB

Download
memory/1824-172-0x000001A57B000000-0x000001A57B174000-memory.dmp

Filesize
1.5MB

Download
memory/1824-178-0x000001A57B180000-0x000001A57B2F4000-memory.dmp

Filesize
1.5MB

Download
memory/1824-145-0x000001A578130000-0x000001A578140000-memory.dmp

Filesize
64KB

Download
memory/1824-180-0x000001A578130000-0x000001A578140000-memory.dmp

Filesize
64KB

Download
memory/1824-181-0x00007FFB82F50000-0x00007FFB82F51000-memory.dmp

Filesize
4KB

Download
memory/1824-182-0x000001A57B180000-0x000001A57B2F4000-memory.dmp

Filesize
1.5MB

Download
memory/1824-184-0x000001A57B180000-0x000001A57B23E000-memory.dmp

Filesize
760KB

Download
memory/1824-186-0x000001A578130000-0x000001A578140000-memory.dmp

Filesize
64KB

Download
memory/1824-187-0x000001A578130000-0x000001A578140000-memory.dmp

Filesize
64KB

Download
memory/1824-188-0x000001A578130000-0x000001A578140000-memory.dmp

Filesize
64KB

Download
memory/1824-189-0x000001A578130000-0x000001A578140000-memory.dmp

Filesize
64KB

Download