bumblebee | 3cb26bbe24bf7d7f3e224efea1d244ed89b7305ad45a5804a26405ddc4ced73c

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2023 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

english.ps1
Size

2.2MB
MD5

e560c98fa5542185d5fc2f48d96b46f9
SHA1

539e5e720a8e9e3e7ced26b706c63a38496be1af
SHA256

3cb26bbe24bf7d7f3e224efea1d244ed89b7305ad45a5804a26405ddc4ced73c
SHA512

d63482073541a5be2217f6b91c5f773a7aa40e9bcd7deaf7953909e2819d478c987b3a5aa77d36b62408a76d267b4118a2eb6e9e711ba8a82692842c0ac796bc
SSDEEP

24576:itr8i7vgeGn0iwEhOSmH/wBC9aU+NFfz4hG9Kq8UHKpvFXErBc1IuQw:C7vhtiwmOUdshGVvWw6

Score

10^/10

bumblebee 0603cc trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

0603cc

51.75.62.204:443

23.82.140.155:443

192.111.146.184:443

103.175.16.104:443

185.173.34.35:443

157.254.194.117:443

192.111.146.178:443

205.185.113.34:443

195.20.17.75:443

194.135.33.184:443

173.234.155.246:443

23.254.225.130:443

51.68.144.43:443

51.83.248.92:443

160.20.147.242:443

23.254.167.63:443

103.175.16.13:443

172.86.120.111:443

185.17.40.138:443

91.206.178.234:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 8 IoCs

flow	pid	Process
27	5068	powershell.exe
43	5068	powershell.exe
62	5068	powershell.exe
68	5068	powershell.exe
69	5068	powershell.exe
70	5068	powershell.exe
72	5068	powershell.exe
73	5068	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5068	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1664	5068	powershell.exe	85
PID 5068 wrote to memory of 1664	5068	powershell.exe	85
PID 1664 wrote to memory of 3380	1664	csc.exe	86
PID 1664 wrote to memory of 3380	1664	csc.exe	86
PID 5068 wrote to memory of 1828	5068	powershell.exe	87
PID 5068 wrote to memory of 1828	5068	powershell.exe	87
PID 1828 wrote to memory of 2892	1828	csc.exe	88
PID 1828 wrote to memory of 2892	1828	csc.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\english.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtryh2ex\qtryh2ex.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95CC.tmp" "c:\Users\Admin\AppData\Local\Temp\qtryh2ex\CSC50C20F1D8C624FEDB172DDEA5396495.TMP"
    3⤵
    PID:3380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b0iss55s\b0iss55s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA33A.tmp" "c:\Users\Admin\AppData\Local\Temp\b0iss55s\CSCAF9EA7F6D99443EFA6FC6F1C4B53DDF6.TMP"
    3⤵
    PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES95CC.tmp

Filesize
1KB

MD5
e1216c6b895354354e195bc9e39a3ef5

SHA1
424bafc0201b3832843d0ea6822bc8ba87a09b96

SHA256
9f6a676f2d7cd099cbac005c33444ff5f76ad6e044e17ffea1f6bc9a97b5aa50

SHA512
1d6298e618d46f62574010f7cb562c461ba5b59120ee289a68945dd801c6b04cfaeb893d07742086008387c531ec7c504735b1c063bd1646610efd1e147558d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA33A.tmp

Filesize
1KB

MD5
a354a9c3fb36889764774b7d6d102761

SHA1
26d50bb3fa4821f2ccd303fe6f3ba51d5de81b13

SHA256
2cc2590496cf51b075bbc4e25b24c382ce849280b772e94a5fd7eec7ad5d8b26

SHA512
c94eee1c931b16bd0ec97fc0554497c4a6ee2c9ec3c7c8c9622ecb259febf88d92ef40d71d5db0821e1cb7ecb68d13b90ebb9cea90595cc6004e8ae9cf67076c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fzphaf14.yki.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0iss55s\b0iss55s.dll

Filesize
3KB

MD5
6e08739afbbbf51cd2dcb21f4487f608

SHA1
775031e95754544728e69cde71d6cd998be4d52e

SHA256
80e744c93c5edf4183eee1d9cb3adfe37a0133a38528b3f6fdfde420c45b55bb

SHA512
fac6bbdb570deb1b0806f7e68c76d73b53b1189e74223f28e2954bb12a543e191e4a8ce29cae3698fd4e86db68b03268763f4a6409471ac525ceb7e81b8be51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtryh2ex\qtryh2ex.dll

Filesize
3KB

MD5
bc2b411af2176e0776ba23f05c288c20

SHA1
110f444bc386f195fb32c82cd757a816a0bea1c8

SHA256
9cb8bf82677acd9fd3a255fd426cc3cf1e3d76013209d28645f15796a681eb7b

SHA512
fba758fd634ad8b39b81b4aa3c6df84853917a32e1c2e958389637b6bb0a3e2ca3bcf609e5fa0e23f02db7a2c0a0a91752014e4005141cc8c141e4113679550a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b0iss55s\CSCAF9EA7F6D99443EFA6FC6F1C4B53DDF6.TMP

Filesize
652B

MD5
a12ecbea747a96b3dd64ea28ee21ad35

SHA1
662c2932511eb7cbfcfedbc8e379d21cf6f55de1

SHA256
d6f7ddca09b3f5256d624c6c6e63176833251cc6a797251afa7333b6e93d077b

SHA512
3962284c2c5b1d7c0d7b9732f549fcb27aba98bddc12d0818353dc619b96664fca38e5fbfb160764fe0d324b1e1c46706180997fee838ed94119d984b427ee72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b0iss55s\b0iss55s.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b0iss55s\b0iss55s.cmdline

Filesize
369B

MD5
b2d913bfbd272898721fda0b2545b856

SHA1
d53062b8b2be6582886549de00837119309cabc5

SHA256
d9c313657d8b97cb7a0806f7ff0f71e9bc224b3019fca485bcbe7a2ad62d13ea

SHA512
d09f5b15d5d61b6338aa1c40625e27378e4eb0da289f50ee2a488226299a40571035238925ec067e74981934c8319210169ab796032aa975eaa7d62d5d31e630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtryh2ex\CSC50C20F1D8C624FEDB172DDEA5396495.TMP

Filesize
652B

MD5
18291106de76e28d782bce0b960a4794

SHA1
021402446dd5bc6332e6893f3097a07e40cde029

SHA256
2e3309eaf157dbadab811431087a8c2dcccabd4e57f2bbe137f6248212759119

SHA512
1b334f61c05e4067d670829cb2144d4fad00b5efa566df0f0b1f7007efcd22b87eed06acaa0404c5c768422d1493efe7680e9fd0a4297455c1269030f6aca1c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtryh2ex\qtryh2ex.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtryh2ex\qtryh2ex.cmdline

Filesize
369B

MD5
b288fdca23fd6edf3bf33b4c6c4d2c34

SHA1
adbd97c7a80886637474f0d4bc75f49c6b123c69

SHA256
71069ed24a3e92a94aa076edba7b4670944b239f32f0064187aecdd0b5908251

SHA512
65e22c2bb50fdabeb9cfac584f2d41f58d835fb6623536d382e0c7225f54c55e1e6cc56693fcc5461a86739dceb8b0d9aed73fbd7595ad7ba42c8e3f44b73f03

Download Submit
memory/5068-179-0x000001A547F80000-0x000001A5480F4000-memory.dmp

Filesize
1.5MB

Download
memory/5068-180-0x000001A547F80000-0x000001A5480F4000-memory.dmp

Filesize
1.5MB

Download
memory/5068-144-0x000001A544F80000-0x000001A544F90000-memory.dmp

Filesize
64KB

Download
memory/5068-139-0x000001A544F80000-0x000001A544F90000-memory.dmp

Filesize
64KB

Download
memory/5068-172-0x000001A547E00000-0x000001A547F74000-memory.dmp

Filesize
1.5MB

Download
memory/5068-178-0x000001A544F80000-0x000001A544F90000-memory.dmp

Filesize
64KB

Download
memory/5068-158-0x000001A544F80000-0x000001A544F90000-memory.dmp

Filesize
64KB

Download
memory/5068-133-0x000001A544DD0000-0x000001A544DF2000-memory.dmp

Filesize
136KB

Download
memory/5068-181-0x00007FFE156B0000-0x00007FFE156B1000-memory.dmp

Filesize
4KB

Download
memory/5068-182-0x000001A547F80000-0x000001A5480F4000-memory.dmp

Filesize
1.5MB

Download
memory/5068-186-0x000001A544F80000-0x000001A544F90000-memory.dmp

Filesize
64KB

Download
memory/5068-187-0x000001A544F80000-0x000001A544F90000-memory.dmp

Filesize
64KB

Download
memory/5068-188-0x000001A544F80000-0x000001A544F90000-memory.dmp

Filesize
64KB

Download
memory/5068-189-0x000001A544F80000-0x000001A544F90000-memory.dmp

Filesize
64KB

Download
memory/5068-194-0x000001A547C80000-0x000001A547D3E000-memory.dmp

Filesize
760KB

Download