Analysis

  • max time kernel
    136s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-02-2023 15:43

General

  • Target

    https://firebasestorage.googleapis.com/v0/b/idyllic-creek-377707.appspot.com/o/NgCFuNKy6s%2FContract_02_21_Copy%2346.zip?alt=media&token=db511c56-7c85-4d58-b569-6127c12586b2

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

21maca

C2

108.62.141.20:443

104.168.140.145:443

51.68.145.171:443

108.62.118.170:443

192.119.72.133:443

23.108.57.201:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a malware loader written in C++ that stages follow-on payloads on the infected host; it is not a webshell. Its embedded configuration (botnet ID and C2 list) is RC4-encrypted, which is why the extracted config above carries a botnet name, a C2 list and an rc4.plain key field.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

    NtCreateThreadEx called with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4) creates a thread that an attached debugger is not notified about; it is an anti-analysis technique, here seen in the extracted executable (PID 1692) rather than in the browser processes.
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://firebasestorage.googleapis.com/v0/b/idyllic-creek-377707.appspot.com/o/NgCFuNKy6s%2FContract_02_21_Copy%2346.zip?alt=media&token=db511c56-7c85-4d58-b569-6127c12586b2
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:268
  • C:\Users\Admin\AppData\Local\Temp\Temp1_Contract_02_21_Copy_46.zip\Contract_02_21_Copy#46.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Contract_02_21_Copy_46.zip\Contract_02_21_Copy#46.exe"
    1⤵
    • Suspicious use of NtCreateThreadExHideFromDebugger
    PID:1692

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\Contract_02_21_Copy_46.zip.plggc5t.partial

    Filesize

    908KB

    MD5

    4e862da6893f064c6fbd18ad5d089579

    SHA1

    9ba9d5d61c02538b895b9e563a67b22230fc48e2

    SHA256

    bdebffe2bf8a17894c1415fb6aaf469d7a8b589614736c8162d1c5058c70ea67

    SHA512

    e347b6dbec536e38d9352c30acb289eb922721a86e6dccc4e3dac5a11368f95996e99afb59c2653297b950f1d349615394627f7569a7cdbba80f0a4c94ab9196

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\Contract_02_21_Copy_46[1].zip

    Filesize

    908KB

    MD5

    4e862da6893f064c6fbd18ad5d089579

    SHA1

    9ba9d5d61c02538b895b9e563a67b22230fc48e2

    SHA256

    bdebffe2bf8a17894c1415fb6aaf469d7a8b589614736c8162d1c5058c70ea67

    SHA512

    e347b6dbec536e38d9352c30acb289eb922721a86e6dccc4e3dac5a11368f95996e99afb59c2653297b950f1d349615394627f7569a7cdbba80f0a4c94ab9196

  • memory/268-55-0x00000000030C0000-0x00000000030C2000-memory.dmp

    Filesize

    8KB

  • memory/1692-97-0x0000000000530000-0x0000000000691000-memory.dmp

    Filesize

    1.4MB

  • memory/1692-98-0x0000000000530000-0x0000000000691000-memory.dmp

    Filesize

    1.4MB

  • memory/1692-99-0x0000000000530000-0x0000000000691000-memory.dmp

    Filesize

    1.4MB

  • memory/1692-100-0x00000000000D0000-0x000000000015B000-memory.dmp

    Filesize

    556KB

  • memory/1972-54-0x00000000027B0000-0x00000000027C0000-memory.dmp

    Filesize

    64KB
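The indicators in this report (the six C2 endpoints under Malware Config, the archive hashes under Downloads, and the execution of an .exe straight out of the Temp1_*.zip viewer folder in the process tree) are only useful if they are swept across logs. The following is an added example, not part of the Triage report or the BumbleBee sample: it matches those indicators against a constructed, pipe-delimited log format (ts|conn|src_ip|src_port|dst_ip|dst_port, ts|file|path|algo|hex, ts|proc|pid|image|ppid) that is assumed here for illustration and would need to be adapted to a real Zeek, Sysmon or EDR export. The strict_port switch exists because the report lists every C2 on 443; matching on IP alone is noisier but catches a changed port.

```python
"""Sweep log lines for the BumbleBee indicators listed in the report above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# C2 endpoints exactly as extracted from the sample's configuration.
C2_ENDPOINTS = {
    ("108.62.141.20", 443),
    ("104.168.140.145", 443),
    ("51.68.145.171", 443),
    ("108.62.118.170", 443),
    ("192.119.72.133", 443),
    ("23.108.57.201", 443),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}

# Hashes of the downloaded archive Contract_02_21_Copy_46.zip from the report.
KNOWN_HASHES = {
    "md5": {"4e862da6893f064c6fbd18ad5d089579"},
    "sha1": {"9ba9d5d61c02538b895b9e563a67b22230fc48e2"},
    "sha256": {"bdebffe2bf8a17894c1415fb6aaf469d7a8b589614736c8162d1c5058c70ea67"},
}

# An executable launched from the ZIP-viewer scratch folder
# (...\AppData\Local\Temp\Temp1_<archive>.zip\<name>.exe), as in the process tree.
TEMP_ZIP_EXEC = re.compile(
    r"\\AppData\\Local\\Temp\\Temp1_[^\\]+\.zip\\[^\\]+\.exe$", re.IGNORECASE
)


@dataclass(frozen=True)
class Hit:
    kind: str        # "c2", "hash" or "zip_exec"
    indicator: str   # which indicator matched
    line: str        # the offending log line


def match_line(line: str, strict_port: bool = True) -> Optional[Hit]:
    """Return a Hit if the line touches one of the report's indicators."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 2:
        return None
    kind = fields[1]
    if kind == "conn" and len(fields) >= 6:
        dst_ip, dst_port = fields[4], fields[5]
        if not dst_port.isdigit():
            return None
        if (dst_ip, int(dst_port)) in C2_ENDPOINTS:
            return Hit("c2", f"{dst_ip}:{dst_port}", line)
        if not strict_port and dst_ip in C2_IPS:
            return Hit("c2", f"{dst_ip} (non-listed port {dst_port})", line)
    elif kind == "file" and len(fields) >= 5:
        algo, digest = fields[3].lower(), fields[4].lower()
        if digest in KNOWN_HASHES.get(algo, set()):
            return Hit("hash", f"{algo}:{digest}", line)
    elif kind == "proc" and len(fields) >= 4:
        image = fields[3]
        if TEMP_ZIP_EXEC.search(image):
            return Hit("zip_exec", image, line)
    return None


def scan(lines, strict_port: bool = True) -> List[Hit]:
    """Sweep an iterable of log lines and collect every hit in order."""
    hits = []
    for line in lines:
        hit = match_line(line, strict_port=strict_port)
        if hit is not None:
            hits.append(hit)
    return hits


def summarize(hits: List[Hit]) -> dict:
    """Count hits per indicator kind."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed sample log: timestamps and the internal host 10.0.0.5 are made up;
# the hash, image path and C2 address are taken from the report above.
SAMPLE_LOG = [
    "2023-02-22T15:44:50Z|file|C:\\Users\\Admin\\Downloads\\Contract_02_21_Copy_46.zip"
    "|SHA256|BDEBFFE2BF8A17894C1415FB6AAF469D7A8B589614736C8162D1C5058C70EA67",
    "2023-02-22T15:44:55Z|proc|1692|C:\\Users\\Admin\\AppData\\Local\\Temp\\"
    "Temp1_Contract_02_21_Copy_46.zip\\Contract_02_21_Copy#46.exe|1972",
    "2023-02-22T15:45:01Z|conn|10.0.0.5|52113|108.62.141.20|443",
    "2023-02-22T15:45:02Z|conn|10.0.0.5|52114|108.62.141.20|80",     # listed IP, other port
    "2023-02-22T15:45:03Z|conn|10.0.0.5|52115|203.0.113.7|443",      # unrelated TLS
    "2023-02-22T15:46:00Z|proc|2201|C:\\Windows\\System32\\notepad.exe|1972",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"[{h.kind}] {h.indicator}\n    {h.line}")
    print(summarize(scan(SAMPLE_LOG)))
```

Hash comparison is case-insensitive because exports differ in hex casing; the zip_exec rule is the most durable of the three, since IPs rotate and the archive is trivially re-hashed, while the Explorer/ZIP-viewer extraction path is a stable artefact of the delivery chain shown in the process tree.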