bumblebee | 7d5337ef04ddabac61a5f3dae4a9fdf17c6d0b64f1a1b5ae0b07b6bbc0bcbd9e

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2023 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19bdf3110168f2ac48c599fac9e03e23.ps1
Size

2.2MB
MD5

19bdf3110168f2ac48c599fac9e03e23
SHA1

c8ab417929970ae032cf6fede8743f829847d75f
SHA256

7d5337ef04ddabac61a5f3dae4a9fdf17c6d0b64f1a1b5ae0b07b6bbc0bcbd9e
SHA512

dbfd9d9c4a9c94024cf53a30c5041c1973e845100c214a04930d38cc895f6e81dda096a695140cb23a888f648334ba4d26a9abd5346c966b3df25c5828956be0
SSDEEP

24576:itC5Ja7ybVCbyfQCQfXk/SGv8raPHRJ4LtbgnuSW0v7wmlQccDjT96KjIM:iZQQCgcSM433DDwO

Score

10^/10

bumblebee 212cc trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

212cc

104.168.157.253:443

185.173.34.35:443

103.175.16.104:443

86.106.131.105:443

23.82.140.155:443

173.234.155.246:443

195.20.17.75:443

192.111.146.178:443

23.254.167.63:443

51.75.62.204:443

103.175.16.13:443

146.19.173.86:443

160.20.147.242:443

51.68.144.43:443

205.185.113.34:443

157.254.194.117:443

194.135.33.184:443

91.206.178.234:443

172.86.120.111:443

185.17.40.138:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 7 IoCs

flow	pid	Process
1	2108	powershell.exe
3	2108	powershell.exe
13	2108	powershell.exe
14	2108	powershell.exe
16	2108	powershell.exe
18	2108	powershell.exe
19	2108	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2108	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1100	2108	powershell.exe	82
PID 2108 wrote to memory of 1100	2108	powershell.exe	82
PID 1100 wrote to memory of 4228	1100	csc.exe	83
PID 1100 wrote to memory of 4228	1100	csc.exe	83
PID 2108 wrote to memory of 2112	2108	powershell.exe	84
PID 2108 wrote to memory of 2112	2108	powershell.exe	84
PID 2112 wrote to memory of 4520	2112	csc.exe	85
PID 2112 wrote to memory of 4520	2112	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\19bdf3110168f2ac48c599fac9e03e23.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yslnaqth\yslnaqth.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82A2.tmp" "c:\Users\Admin\AppData\Local\Temp\yslnaqth\CSC7ADE28BBB3854B98ACCDB4BDE60D5A4.TMP"
    3⤵
    PID:4228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0wofwsqr\0wofwsqr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90DB.tmp" "c:\Users\Admin\AppData\Local\Temp\0wofwsqr\CSCF6D3B8C1A48449F8928C2C9209359A.TMP"
    3⤵
    PID:4520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0wofwsqr\0wofwsqr.dll

Filesize
3KB

MD5
3d1bb7589e5e0ad7b59c02a1810206dc

SHA1
74d79c664b9a743bc03cebfc7023b3c23746e034

SHA256
67db189eb0836ae2b5e3a09e5bce334443c0fa236f09f65056e1ea58150bd949

SHA512
d92a617310da374597d77037faddac8704eda8ea29d60b38fc0634fab6843d72b43ba28ee306febcb7ec7909094172cf8474ffcef0b611404c1d1a946ffa7767

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82A2.tmp

Filesize
1KB

MD5
a1a27ef5fe9ed04bba4001b7d5725224

SHA1
3f9f4bbcdfb695e01f1d4c153fca6f45fa4b6c36

SHA256
35862fdaf6ae8b39562dcc4b1239f787cf447afaf3164dbd64a499b756361d0f

SHA512
cc3180d72742909de51f0c9eb091511ae7fd168a81f6438902d7685b3fa2d4f8dda1ccddb4fb374176dcae7542e83a1ddfe5821da2fc2e8b5030a742e27fd33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES90DB.tmp

Filesize
1KB

MD5
21807fc116e00c29a89c0128fde1cf29

SHA1
18584f28bbc6c2c10ac0a0ce93939a4bad0396e9

SHA256
e45d4bfa9b15f29be222d22427de8b0688de1d8bcff60523bce78ec3511aae70

SHA512
8ad01161de8a7374601e532b691fd7d032bc10d125a6dfbaf3d4b3c79e276f9259fdc547bf7063b77e9a32ee97b32291e04da1fb082cbc73a70f605705c201c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wg12qedu.blb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yslnaqth\yslnaqth.dll

Filesize
3KB

MD5
074b11bc470fb01e977f8f45e52258ae

SHA1
362ebc95df8eb22cdedb5a3daf0cb3f979125381

SHA256
89030f41be8c466756f65cea9a514c0a5b6e5281e3a44f0ab78cbfec7b965851

SHA512
1a030087456b7ae4e10cc91326dcf64768a17649559dc7b793ab1e221f233c4711ab9ae3cdf022b92a545df1df200c44c982cddaa11d323340220107e83d5a1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wofwsqr\0wofwsqr.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wofwsqr\0wofwsqr.cmdline

Filesize
369B

MD5
494e5899d80464892eae39f2841a19af

SHA1
ccde05b3bf92e63d0260331fb0d01e73610cea53

SHA256
df783c8cdd978d88ba60337ec7c974cd9184633a66a419bf399658af165409f0

SHA512
d028eaf3aa56159f0621c899f472fe6e3b407feb77cc70223d9d82e771b16d12a668cd1cfdd9e4365c7baad3e6c48d8eea752051644867ac7bb79dcc1d80c06a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wofwsqr\CSCF6D3B8C1A48449F8928C2C9209359A.TMP

Filesize
652B

MD5
5b3f5fb09bacd7e2f75fb593d65c4cc4

SHA1
8ed64606d46f00a22c09cd6bd0dfd0f13bc3f67a

SHA256
354288d3c3aa0800136f023e2cba405e526547c27aab21e642b93d274e5f4d96

SHA512
23058fc045556da78c14c1923229c18852983914819402af6e444f9983cc1c968f167bee0a7bf5b9a9b4f604b7e61c7b2522375f14df910b488dab1e1f9328c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yslnaqth\CSC7ADE28BBB3854B98ACCDB4BDE60D5A4.TMP

Filesize
652B

MD5
b08bc9eec83ee32747490d03019b4f8c

SHA1
aec734ed3df122eb828d971ef81454637c0aac3a

SHA256
212b710ab73c996e0dd9304d16c3885e7d6b4b00ff58c5579037e9bc266f804f

SHA512
832a6d3514115b314866dc263d98c66cb3721b1c818176407541d2e6f3bf059aa0346359df60652d0bfb2c7ca6e4a233a152e92705c10397b75be6d578f75eaa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yslnaqth\yslnaqth.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yslnaqth\yslnaqth.cmdline

Filesize
369B

MD5
443d81dfdb7a2c48383b0b600fb36f26

SHA1
9cd366dfee0f3a95fe16a5abada9c786c35a436a

SHA256
bff730f6570b1831cf7c3f4995032ab79ad88e7d4fe42a0fc3c02c7dfe734d4d

SHA512
68c065a30d9f843657bb8e9fec901a1174af21e5afa492039ea7aabcd90d3171a90a1b35cde1751530722ae8c04ec334d3657579091f3608d8d9f00da620a4bf

Download Submit
memory/2108-179-0x00007FFCBCAB0000-0x00007FFCBCAB1000-memory.dmp

Filesize
4KB

Download
memory/2108-180-0x00000296E7740000-0x00000296E78B4000-memory.dmp

Filesize
1.5MB

Download
memory/2108-138-0x00000296E7220000-0x00000296E7242000-memory.dmp

Filesize
136KB

Download
memory/2108-171-0x00000296E51A0000-0x00000296E51B0000-memory.dmp

Filesize
64KB

Download
memory/2108-172-0x00000296E7350000-0x00000296E74C4000-memory.dmp

Filesize
1.5MB

Download
memory/2108-178-0x00000296E7740000-0x00000296E78B4000-memory.dmp

Filesize
1.5MB

Download
memory/2108-144-0x00000296E51A0000-0x00000296E51B0000-memory.dmp

Filesize
64KB

Download
memory/2108-143-0x00000296E51A0000-0x00000296E51B0000-memory.dmp

Filesize
64KB

Download
memory/2108-181-0x00000296E7740000-0x00000296E78B4000-memory.dmp

Filesize
1.5MB

Download
memory/2108-183-0x00000296E7740000-0x00000296E77FE000-memory.dmp

Filesize
760KB

Download
memory/2108-185-0x00000296E51A0000-0x00000296E51B0000-memory.dmp

Filesize
64KB

Download
memory/2108-187-0x00000296E51A0000-0x00000296E51B0000-memory.dmp

Filesize
64KB

Download
memory/2108-186-0x00000296E51A0000-0x00000296E51B0000-memory.dmp

Filesize
64KB

Download
memory/2108-188-0x00000296E51A0000-0x00000296E51B0000-memory.dmp

Filesize
64KB

Download