General

  • Target

    e4a5383ac32d5642eaf2c7406a0f1c0f.msi

  • Size

    4.2MB

  • Sample

    230302-pq936sch69

  • MD5

    e4a5383ac32d5642eaf2c7406a0f1c0f

  • SHA1

    3e5637d253c40aefdb0465df15bc057ed5c26186

  • SHA256

    d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f

  • SHA512

    ed7ae40e2475ca2bdeefbfb3f15df6e93c8c7d7781b31c2b0c5cab99ff8fec0487f7975b406eebb8117aca2038a11a658d129c32d4147275fd7770c1bfa28da8

  • SSDEEP

    98304:lPKnw39kiUnMUYeg8F1HWMUKFln1RiZmSZ9J1zYfWwG:4wNJUnMUYetUKFZnpSf1w

Malware Config

Extracted

  • Family

    bumblebee

  • rc4.plain

Extracted

  • Family

    bumblebee

  • Botnet

    cisc117

  • C2


  • rc4.plain

Targets

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtCreateThreadExHideFromDebugger
