bumblebee | 28d4ca9b8bbbad765a193c9df2a8841352a87c2f26b28a94e763709906ce073b

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

color.ps1
Size

2.2MB
MD5

742c528a179fdf26356aa239ce901c56
SHA1

d5fbd80a687813b214ad6dc7bc950ccf0f0a46f9
SHA256

28d4ca9b8bbbad765a193c9df2a8841352a87c2f26b28a94e763709906ce073b
SHA512

2c7e40258dfa27931073654c4749049b81ac160f7b3b4ac7730a85249b0ebe82b617cb2247bfc31a5597ab87f399e0d984e1e34fe7812d195a92afe5c866eadd
SSDEEP

24576:Ogpa7y/VUbkfQB0VXG/2Gv8ECPnRq4WtbYnuke0X7fmJIkrDjT8tb2i30mUO:G0QBee2Q4kw4DWbr3R

Score

10^/10

bumblebee lg0203 trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

lg0203

209.141.53.174:443

157.254.194.119:443

160.20.147.242:443

205.185.113.34:443

37.28.155.36:443

194.135.33.184:443

51.75.62.204:443

173.234.155.246:443

172.86.120.111:443

185.173.34.35:443

146.19.173.86:443

194.135.33.85:443

51.68.144.43:443

23.82.140.155:443

104.168.157.253:443

23.254.167.63:443

195.133.192.10:443

107.189.12.129:443

91.206.178.234:443

103.175.16.104:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exe

flow	pid	process
19	1332	powershell.exe
21	1332	powershell.exe
35	1332	powershell.exe
42	1332	powershell.exe
46	1332	powershell.exe
52	1332	powershell.exe
63	1332	powershell.exe
64	1332	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

powershell.exe

pid process

1332 powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1332 powershell.exe
1332 powershell.exe
1332 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1332 powershell.exe

pid	process
1332	powershell.exe

pid	process
1332	powershell.exe
1332	powershell.exe
1332	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1332	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.execsc.execsc.exe

description	pid	process	target process
PID 1332 wrote to memory of 1756	1332	powershell.exe	csc.exe
PID 1332 wrote to memory of 1756	1332	powershell.exe	csc.exe
PID 1756 wrote to memory of 980	1756	csc.exe	cvtres.exe
PID 1756 wrote to memory of 980	1756	csc.exe	cvtres.exe
PID 1332 wrote to memory of 3964	1332	powershell.exe	csc.exe
PID 1332 wrote to memory of 3964	1332	powershell.exe	csc.exe
PID 3964 wrote to memory of 1400	3964	csc.exe	cvtres.exe
PID 3964 wrote to memory of 1400	3964	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\color.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxywvpqd\cxywvpqd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B13.tmp" "c:\Users\Admin\AppData\Local\Temp\cxywvpqd\CSCFEDB78C4CB12406CBE5FB851F0CC5F4A.TMP"
    3⤵
    PID:980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcolfzco\xcolfzco.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7767.tmp" "c:\Users\Admin\AppData\Local\Temp\xcolfzco\CSC864E8FA5DF744AE88D5623AD21ADE41.TMP"
    3⤵
    PID:1400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6B13.tmp

Filesize
1KB

MD5
0a2bb9010f4bc913ba9d7ec6cd6712a9

SHA1
946f01cb32dc453ea3b3ade82101288f820fbbe4

SHA256
ce884aa51233eb4bb039902fa2342a178690df3675fe80a5c3941e574b2cc307

SHA512
65f23a4854eca4e11cd5cdd8cc3b5dcbcfe160f89ac74ea16c1ab1de27ebc1545564d332f4f559e473c985db6fe637df6e045d204133989eaf1b6aebfcfd9e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7767.tmp

Filesize
1KB

MD5
3fbcf2e284a8163504a8d9f53f39712d

SHA1
f08a40b5a33ee8aa9c10320009dec860b865af37

SHA256
7edd83ca4c4f06e718e2a3902af5bd073b6132613c0288d57c89f6e437dca674

SHA512
443b4e503eab3e7bb35f86864c0f16698bf7a19f8b5d0a567bd09eacdc6014f11049583eb19b37888c6e6e9c02acab86e445a042865e0b9efc3880c1261d728c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4bpoqta.ufg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxywvpqd\cxywvpqd.dll

Filesize
3KB

MD5
8ea3259aeda0db1fadc2e7a2b5021908

SHA1
9fab41ecd7723d9e92a3bc965eb0a2679eded7be

SHA256
ffaa8476c54e30393b58638b7bda838427c30faa4694bd9b65a740e11d60b149

SHA512
375c20889a79b73c4cb252583d8b48d8a5b500c6f56de934b374c34889cc145a65f0220427af2f687881ac3331fdd0cecabb3278a57edd28b0b93e363d350645

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcolfzco\xcolfzco.dll

Filesize
3KB

MD5
f030a910caa141899ef30a6d7320af3a

SHA1
1d383e734a466c54ddf2d527451abb417a910587

SHA256
db6e40755babac090bbd470fd403c975667e1d2ab90f3c63a5eb8986fd92b233

SHA512
00de29adb87ec7d43989f3f9c2603d4bc803830e37dfa3664cbb5388a3992ad82197a27d7d4f30c985fd5e1462db479a4ef2bcb2752d01c97bebb55ab9ef3622

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cxywvpqd\CSCFEDB78C4CB12406CBE5FB851F0CC5F4A.TMP

Filesize
652B

MD5
177d74781cbad84179ec682d34f73a9b

SHA1
7fb8f2ed6588f0e57939b9a1aff1b11f4d996d77

SHA256
6db24c629b4756f4882bb08a43808ff85d4924e54b2daf9ba2df000c9dd91a85

SHA512
521692b21d295cafb1512378885a698d5ae0817bbab54600a4ca9338290c7efafb754717adb7b09e50759688eda2a4e401d72b79f82f8536850502f002e96e49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cxywvpqd\cxywvpqd.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cxywvpqd\cxywvpqd.cmdline

Filesize
369B

MD5
c0202f72ce7fc6d789837bd29c45350d

SHA1
660b53babda1731a1aa0d2308e3e7ac44b28f63b

SHA256
ea48b9f0ce01408293427ea57ed6709a77b728d0971caf8736e8e1a7d0ce553f

SHA512
137aef5259577d208791242657698779e82c8a94fcd515dca3ab56a1a289803643d1ffdc0af46b9ff74b26c0eef4bf6a0e491dd3e8fe03332c9fb5bb026ee076

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcolfzco\CSC864E8FA5DF744AE88D5623AD21ADE41.TMP

Filesize
652B

MD5
4837deb9c1bca5bd5004fd5b72a7534e

SHA1
1f5601deb912611298fd8c456c43b64f3682c12e

SHA256
687b231f123b4d50df9d42d1f17c490e70a17a39e8e9c8e8c2c53d8c26be3fda

SHA512
8d8fce729378ee61a45eb7814585c1e888bcd7b7d7fa69c85c6475d4c8023ccc0a5e3c512ff4ec667bb5399d4f66251a8aff3b92b38f340798844cd07a5d49d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcolfzco\xcolfzco.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcolfzco\xcolfzco.cmdline

Filesize
369B

MD5
a2ef72ed65f74d6daa423772f1f8ee63

SHA1
026745078974293105832c8fab9466610aca1a06

SHA256
254b886e29cf506d5a0198bdc2b19eb8948c2b3767cfec7c04a280dc231644f5

SHA512
a96199065e8f167f096a51d4421f9bd9fd058db67ce23ea813239e3d3d848305033f7f60d2bb13e0651d9f895c4486425d86e049d254767cfae1ff641d869d2a

Download Submit
memory/1332-179-0x0000020E53740000-0x0000020E53750000-memory.dmp

Filesize
64KB

Download
memory/1332-145-0x0000020E53740000-0x0000020E53750000-memory.dmp

Filesize
64KB

Download
memory/1332-143-0x0000020E53740000-0x0000020E53750000-memory.dmp

Filesize
64KB

Download
memory/1332-140-0x0000020E6D270000-0x0000020E6D292000-memory.dmp

Filesize
136KB

Download
memory/1332-172-0x0000020E6D900000-0x0000020E6DA74000-memory.dmp

Filesize
1.5MB

Download
memory/1332-178-0x0000020E6DA80000-0x0000020E6DBF4000-memory.dmp

Filesize
1.5MB

Download
memory/1332-144-0x0000020E53740000-0x0000020E53750000-memory.dmp

Filesize
64KB

Download
memory/1332-180-0x00007FFD64CD0000-0x00007FFD64CD1000-memory.dmp

Filesize
4KB

Download
memory/1332-181-0x0000020E6DA80000-0x0000020E6DBF4000-memory.dmp

Filesize
1.5MB

Download
memory/1332-182-0x0000020E6DA80000-0x0000020E6DBF4000-memory.dmp

Filesize
1.5MB

Download
memory/1332-183-0x0000020E6D2A0000-0x0000020E6D4BC000-memory.dmp

Filesize
2.1MB

Download
memory/1332-188-0x0000020E53740000-0x0000020E53750000-memory.dmp

Filesize
64KB

Download
memory/1332-187-0x0000020E53740000-0x0000020E53750000-memory.dmp

Filesize
64KB

Download
memory/1332-189-0x0000020E53740000-0x0000020E53750000-memory.dmp

Filesize
64KB

Download
memory/1332-190-0x0000020E53740000-0x0000020E53750000-memory.dmp

Filesize
64KB

Download