bumblebee | 0ba8f658d5e820155f0cd63d4803843a55a8298f23d4e5c5a8a00a72f4b99aae

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

porc.ps1
Size

2.2MB
MD5

bcb9a789e65a2cae71bd1c3d0cb46f39
SHA1

a8160d88ffb19f038709478d8ae44d06f59803d3
SHA256

0ba8f658d5e820155f0cd63d4803843a55a8298f23d4e5c5a8a00a72f4b99aae
SHA512

cf09c45a41432c7dccb31d0a9861bde7a646a07f6017e2067093da828277aa7ba5ecea1dcd21ece75ba0cd0a9b974e8e94acfb0c0ce68615ddccaeb00f04d1ce
SSDEEP

24576:UFva7yGVSb9fQOF+Xx/RGv8FKPtRK4stbfnuV00t71my5HsDjT6y7i9n:PKQOs5Rr4CAuDP7O

Score

10^/10

bumblebee 212lg trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

212lg

91.206.178.234:443

194.135.33.85:443

104.168.157.253:443

51.75.62.204:443

172.86.120.111:443

194.135.33.184:443

185.173.34.35:443

107.189.12.129:443

205.185.113.34:443

23.82.140.155:443

209.141.53.174:443

146.19.173.86:443

160.20.147.242:443

51.68.144.43:443

173.234.155.246:443

195.133.192.10:443

103.175.16.104:443

107.189.5.17:443

23.254.167.63:443

209.141.40.19:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
1	4812	powershell.exe
5	4812	powershell.exe
9	4812	powershell.exe
13	4812	powershell.exe
15	4812	powershell.exe
16	4812	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4812	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 2836	4812	powershell.exe	82
PID 4812 wrote to memory of 2836	4812	powershell.exe	82
PID 2836 wrote to memory of 1116	2836	csc.exe	83
PID 2836 wrote to memory of 1116	2836	csc.exe	83
PID 4812 wrote to memory of 1860	4812	powershell.exe	84
PID 4812 wrote to memory of 1860	4812	powershell.exe	84
PID 1860 wrote to memory of 2120	1860	csc.exe	85
PID 1860 wrote to memory of 2120	1860	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\porc.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oahqqu1e\oahqqu1e.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8198.tmp" "c:\Users\Admin\AppData\Local\Temp\oahqqu1e\CSCDA3D6CD7D79B438B875A8EA7C7173F4D.TMP"
    3⤵
    PID:1116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\okigm5g0\okigm5g0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DED.tmp" "c:\Users\Admin\AppData\Local\Temp\okigm5g0\CSCC14417AAC91D4C4EB78635E41FE2720.TMP"
    3⤵
    PID:2120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8198.tmp

Filesize
1KB

MD5
31931a87ad2b7e6b2b764cea2391b675

SHA1
99c3f4d0d78f098b4cc58bf6a7db6109a0fdd8ef

SHA256
97ed53d7b335b4351c7da5621ad459eafdded8591cf1b888108fe325a931e585

SHA512
ae5e2f93be3ba8ae784d10567828cb4053fcc4abe5359cf9e8470bf55d68c904a1133317e23aeb6d1649ea9c63bb065430ac6e07f5955259a35ab142582f5b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DED.tmp

Filesize
1KB

MD5
ef834a621dcdc0391401087c6a19427c

SHA1
fd3a1517e20201c949ba24314e63d296bfa89e0d

SHA256
0da91ef724a2085de4d618b5017fb5aa050a0196d758838729df3a4174adabe1

SHA512
57191dcae68fef8441133d8bee65742dbdd4e23410a2b00b092021759e91bae95c0fc850c183b57cfc0a858605541ad7c3abbbbce8015b8668428d9dc951d9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_azj3h2l4.tgj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oahqqu1e\oahqqu1e.dll

Filesize
3KB

MD5
3d6710ee5b7ec024ad5d1b4c71a6acbf

SHA1
e8cfd4d1f1ce467295ae171bb1e09ec314acc3f4

SHA256
ee5093c6fb52e7cad2c30df66adcf5c70e02ff6d36dd3c5f280fea60747dc31b

SHA512
3b6312aeb51218ed850451ad295e2ad07482e266bc6d670ecf9695af56ed5a99029802033724238ca1f99c45530eadb829597edf039ad3ac4b4469e6031479c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\okigm5g0\okigm5g0.dll

Filesize
3KB

MD5
1037d3528d9c1dac8089b5007fa76b1e

SHA1
1f8e9ac85611f110fc242cffb597c7224472b181

SHA256
260cc5f11d053271e7bfa3672c47b16b45413d2f3111c7b31213c26d229e0291

SHA512
3530e1c15cfa43f34810fe1b6265c722e0c43f9272680957d3de63a94bedb893849e3ea061f9df963ddf7f27a4c9138d6b6616f11d5e24dbcebbdb2971a4d2cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oahqqu1e\CSCDA3D6CD7D79B438B875A8EA7C7173F4D.TMP

Filesize
652B

MD5
2d3855cd26594bca799f489b77ac93f8

SHA1
e2305b3d8d509ecbec4fbdd12030efef4b63d015

SHA256
84b0a995e072bf3cfe7e8759505129f155ce9fee5ae2fc0063a0e04502d7138c

SHA512
fda0f5bd1b291f3ef56575fb0d0d3b4d9606e33b575032d6e7827dad62669ff64d5e6ab2bfa5f74945230251e36fa8b75ed9ca704a638aa1b78878ad88148013

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oahqqu1e\oahqqu1e.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oahqqu1e\oahqqu1e.cmdline

Filesize
369B

MD5
a0ad9073d2c647e1c024ee1fdc178e06

SHA1
08f8ea7c9f23aa95a43620f616098beb00e806fb

SHA256
d425c3d026f3d7465849ff3987dd73eef439f3d651cc07299870ccd0dcd0d2f1

SHA512
bed10b64b3dcb6d682dea652487c98247ac3d3979712f21896e26dd17049456afb551502da06fadb225bcbb4a9517ee61c6664bb89e88a58daa64a07e347a40b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okigm5g0\CSCC14417AAC91D4C4EB78635E41FE2720.TMP

Filesize
652B

MD5
8b341e40872c55c97ac150d09d637a26

SHA1
2d8ded43f8958321d50a5c810ecc946ef90b4f36

SHA256
9c08e06fb5ee53052c850bac1dec67b793dd426834afd80e4fa2a4c0ad69d345

SHA512
78ddedc5a617b47f48c6beb7c41a5be86a98cf47dd4927132770ab67283917e4f1b3c9e70f0551445ad84e1de1a2ee852bdc70eb29b799b3df608b498e3f9490

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okigm5g0\okigm5g0.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okigm5g0\okigm5g0.cmdline

Filesize
369B

MD5
5541b76659201e95b77c64154ccb65a1

SHA1
69811184c923416e0b22d79533ca29f852866858

SHA256
2a96c355b9b083aad7968164971bd3153b72db43bd5c08f37b25039ce97991e3

SHA512
3685e023ef87090bc11bb5394e42af2b09b311c0e0d170c5afe6dad6d2879348b90f6d434b83a345fbdbb2a9a27281c58d0aee39a564f3656a659667b1ab2e3d

Download Submit
memory/4812-179-0x00000193C2620000-0x00000193C2794000-memory.dmp

Filesize
1.5MB

Download
memory/4812-142-0x00000193C0A70000-0x00000193C0A92000-memory.dmp

Filesize
136KB

Download
memory/4812-145-0x00000193C0AB0000-0x00000193C0AC0000-memory.dmp

Filesize
64KB

Download
memory/4812-143-0x00000193C0AB0000-0x00000193C0AC0000-memory.dmp

Filesize
64KB

Download
memory/4812-172-0x00000193C24A0000-0x00000193C2614000-memory.dmp

Filesize
1.5MB

Download
memory/4812-178-0x00000193C0AB0000-0x00000193C0AC0000-memory.dmp

Filesize
64KB

Download
memory/4812-144-0x00000193C0AB0000-0x00000193C0AC0000-memory.dmp

Filesize
64KB

Download
memory/4812-180-0x00000193C2620000-0x00000193C2794000-memory.dmp

Filesize
1.5MB

Download
memory/4812-181-0x00007FFADAB70000-0x00007FFADAB71000-memory.dmp

Filesize
4KB

Download
memory/4812-182-0x00000193C2620000-0x00000193C2794000-memory.dmp

Filesize
1.5MB

Download
memory/4812-184-0x00000193C2620000-0x00000193C26DE000-memory.dmp

Filesize
760KB

Download
memory/4812-186-0x00000193C0AB0000-0x00000193C0AC0000-memory.dmp

Filesize
64KB

Download
memory/4812-187-0x00000193C0AB0000-0x00000193C0AC0000-memory.dmp

Filesize
64KB

Download
memory/4812-188-0x00000193C0AB0000-0x00000193C0AC0000-memory.dmp

Filesize
64KB

Download