bumblebee | 0afe02415b9523c9f840be11d9561d1c07b41ac1f7b803b7112608ae8db29950

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cisco2.ps1
Size

2.2MB
MD5

7708f4d0a27fcb9a315e0e2b9fa24248
SHA1

498ac3d0ddf4b19f6f7d3dacf03c4e2fbf8f993b
SHA256

0afe02415b9523c9f840be11d9561d1c07b41ac1f7b803b7112608ae8db29950
SHA512

af6b285e63c9c3db98d35492ff03ec08196c859f508834fc39d6b76283447f493bc721dfa15a2ad777c6e8547ade639f9379ac1cefa54e226096fb0aa4956f54
SSDEEP

24576:rsxT2KAWU1N5BWAdTfrOqluXAxXgo0TEYKoDcF/mUCXy0wxG/uD3:whAlf5BHF/gfha/FFT

Score

10^/10

bumblebee cisc117 trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

cisc117

172.93.193.3:443

23.81.246.22:443

95.168.191.134:443

104.168.175.78:443

172.93.193.46:443

157.254.194.104:443

37.28.157.29:443

23.106.124.23:443

194.135.33.182:443

54.38.139.94:443

192.119.65.175:443

107.189.8.58:443

205.185.114.241:443

104.168.171.159:443

103.144.139.159:443

91.206.178.204:443

198.98.58.184:443

172.241.27.120:443

23.106.223.197:443

23.108.57.83:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
33	2704	powershell.exe
74	2704	powershell.exe
78	2704	powershell.exe
88	2704	powershell.exe
93	2704	powershell.exe
102	2704	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2704	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2816	2704	powershell.exe	87
PID 2704 wrote to memory of 2816	2704	powershell.exe	87
PID 2816 wrote to memory of 1392	2816	csc.exe	88
PID 2816 wrote to memory of 1392	2816	csc.exe	88
PID 2704 wrote to memory of 2540	2704	powershell.exe	91
PID 2704 wrote to memory of 2540	2704	powershell.exe	91
PID 2540 wrote to memory of 184	2540	csc.exe	92
PID 2540 wrote to memory of 184	2540	csc.exe	92

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cisco2.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzml5gc4\rzml5gc4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70DF.tmp" "c:\Users\Admin\AppData\Local\Temp\rzml5gc4\CSCE6F975DE3C30457EB72A3AEA49413AD8.TMP"
    3⤵
    PID:1392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4ixrkb4\f4ixrkb4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D05.tmp" "c:\Users\Admin\AppData\Local\Temp\f4ixrkb4\CSC6696E79EF1714BD1B5BD8559379CD520.TMP"
    3⤵
    PID:184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES70DF.tmp

Filesize
1KB

MD5
ee94c0dbec1b6dfec96ae91d6a440f32

SHA1
375a0847f4029f838aeabcc1068687d37c6a22ed

SHA256
d9e6348602a3d73c57cb61eb7d98cccb61ed05c0f1d07f36852b12a3f9f3e966

SHA512
c6c6ad6015715172382f715db9d65c788d1beca8d1399229854aeaf578095c21f62d77314ac62c6d49d05260c432f50613db76b17a0a2b4db74c7e6f1e06b963

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D05.tmp

Filesize
1KB

MD5
786f95b3c6236249902886d1f626755c

SHA1
882eeb9b1d596166c77b753f0485afa754333c8b

SHA256
65e3c0112cb224f3a51d1ef2e3254fd271d2d7b9f4cf601a9e7aad2de0af13c1

SHA512
d0bbe3d218969c5d71c49c4251c62bf6b113616e89a17a0d654b0b457a2045895df7542cd0ed07a304caaeea905a455f04751f684fa3d1b907d2c0fa7757c81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4dyjjels.c4h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4ixrkb4\f4ixrkb4.dll

Filesize
3KB

MD5
1e6b52e67842db2e5f47c649884cd8e6

SHA1
67cb22e0f4128decf54efe5ab2cec43b5a081178

SHA256
0b27c5b025b504a7f69c8482b4efd4ac5b995b7661cbd67cf7009151402fe10e

SHA512
66b428d3fd5e936e666e92e0324affed9ffa24c5f672fc3730a4184033b20e7a08f6441fc5905059e112f66b7452d575fcd7a7a8231394b4b5c613ae361147fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzml5gc4\rzml5gc4.dll

Filesize
3KB

MD5
3fc03dac84c5a20abdc7f661b93160d0

SHA1
4a58624f2a7c6951c5e8c1dc5ecf47336616adec

SHA256
bdf79741d2205d9e51221b3b9767ac9d2d436172ad704a0272b17048da6d78c8

SHA512
e5a4059961271ab0ca86696312fd89566334f93a122e362ac0ac02e372c2a95f28525a241e30385c023b69d9d6571f07678de3e5bb0178278ca1bfbf93cc88cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4ixrkb4\CSC6696E79EF1714BD1B5BD8559379CD520.TMP

Filesize
652B

MD5
5b2a02034579d2a36f2225ff25ac3d4c

SHA1
907393d38a66dcb8e45050ca6d3cccd97f43111d

SHA256
b5d96aaae300834c8918bf924df69393fcae23e104809271f1ea4b52d8b85ffb

SHA512
c4a431d8ca5024ead1bff5e8ba008d523b9c1c3c494c85c9ffb4067f1f6f2037eeec67a61701413e9087c18e2f10f0505812708614c3be6df9af7a6870128937

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4ixrkb4\f4ixrkb4.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4ixrkb4\f4ixrkb4.cmdline

Filesize
369B

MD5
e2676e9bf8068da3b01b91079c29e332

SHA1
475fdc0927b9cc99d000c63f7d1703c3fbf9b01e

SHA256
362ba5918cf6348468d09185b958332a4e1db536d5dba2e484529839f947b3cd

SHA512
61049ebe1bec7881966632e9d6f72b40180fe2637b1f607fe47ba0369e033cc81f19c516ca85fc27810a65383b0ab3150b206eba9d7617f643cef3f6b20243ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzml5gc4\CSCE6F975DE3C30457EB72A3AEA49413AD8.TMP

Filesize
652B

MD5
ed653129c9c6e97c9886e6e93cd9f55f

SHA1
457a839161c081db771d896d5dded5123d5041eb

SHA256
d5f5dedb95c330f05a5174cbe1e82456c2fa1f8c4205236660595bbeaa51fd50

SHA512
a319e2aa9c13698adf5ea2759761e95d212ac61d7dec8c577d965848c8ff72616fcaaff92c69af9b980d8978aee9f2f1e33955ce93e5182c6142d03ed2608cab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzml5gc4\rzml5gc4.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzml5gc4\rzml5gc4.cmdline

Filesize
369B

MD5
e12c6ec568503ecc046e9ae3bbe01aea

SHA1
f1a609670aef9d81d095c87419a768f3b58c5199

SHA256
271344a0cbb231acc1ad1f175d536b51dd7a9440029c6b122271c3b23e7ae5df

SHA512
664ac678065b91d6ff34249ce00e5d4dd78c2173dac387e72891dfacd3879964ed565f234bfb0a2d2252e3ea13a0965ac5ce12f850934891a2c959d3329f12eb

Download Submit
memory/2704-180-0x0000015C827A0000-0x0000015C82914000-memory.dmp

Filesize
1.5MB

Download
memory/2704-184-0x0000015C827A0000-0x0000015C8285E000-memory.dmp

Filesize
760KB

Download
memory/2704-144-0x0000015CE5940000-0x0000015CE5950000-memory.dmp

Filesize
64KB

Download
memory/2704-143-0x0000015CE5940000-0x0000015CE5950000-memory.dmp

Filesize
64KB

Download
memory/2704-172-0x0000015CE5940000-0x0000015CE5950000-memory.dmp

Filesize
64KB

Download
memory/2704-173-0x0000015C82610000-0x0000015C82784000-memory.dmp

Filesize
1.5MB

Download
memory/2704-145-0x0000015CE5940000-0x0000015CE5950000-memory.dmp

Filesize
64KB

Download
memory/2704-181-0x0000015C827A0000-0x0000015C82914000-memory.dmp

Filesize
1.5MB

Download
memory/2704-179-0x0000015C827A0000-0x0000015C82914000-memory.dmp

Filesize
1.5MB

Download
memory/2704-182-0x00007FF930F30000-0x00007FF930F31000-memory.dmp

Filesize
4KB

Download
memory/2704-142-0x0000015CE5830000-0x0000015CE5852000-memory.dmp

Filesize
136KB

Download
memory/2704-186-0x0000015CE5940000-0x0000015CE5950000-memory.dmp

Filesize
64KB

Download
memory/2704-187-0x0000015CE5940000-0x0000015CE5950000-memory.dmp

Filesize
64KB

Download
memory/2704-188-0x0000015CE5940000-0x0000015CE5950000-memory.dmp

Filesize
64KB

Download
memory/2704-189-0x0000015CE5940000-0x0000015CE5950000-memory.dmp

Filesize
64KB

Download