bumblebee | 957639998125a31c998b0104dba7f463d0659716a0a5b62fcc82eb28a0c0477b | Triage

Submit
Reports

Overview

overview

Static

static

1

r.msi

windows7-x64

8

r.msi

windows10-2004-x64

Sharing

General

Target

r.msi
Size

270.5MB
Sample

230313-j1z33ahc62
MD5

522c0b0d445c62cdeb0a80bcce645d57
SHA1

5dad52c67d114f7a3a5a1e7ae5b15b581054d468
SHA256

957639998125a31c998b0104dba7f463d0659716a0a5b62fcc82eb28a0c0477b
SHA512

97da31389ca0986c5f63244573ad0edd6c83feb7e9c44557acfb51832db308c6165cdd390d1555ee8dec941cc0cb896fa1ccc59cbf7b9de9610003f0bd2e8a48
SSDEEP

6291456:FTUNwNgD8hhlK4sCC90uWHgnNfTSeHRAod2da0Dmq75UpY21DYJ5HI:1UN5DqKnCULtnlnAM2kE5Gco

Score

10^/10

bumblebee citr10803 trojan

Static task

static1

Behavioral task

behavioral1

Sample

r.msi

Resource

win7-20230220-en

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

r.msi

Resource

win10v2004-20230221-en

bumblebee citr10803 trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

citr10803

C2

104.168.171.97:443

149.255.35.138:443

51.83.250.168:443

rc4.plain

Targets

- Target
  
  r.msi
- Size
  
  270.5MB
- MD5
  
  522c0b0d445c62cdeb0a80bcce645d57
- SHA1
  
  5dad52c67d114f7a3a5a1e7ae5b15b581054d468
- SHA256
  
  957639998125a31c998b0104dba7f463d0659716a0a5b62fcc82eb28a0c0477b
- SHA512
  
  97da31389ca0986c5f63244573ad0edd6c83feb7e9c44557acfb51832db308c6165cdd390d1555ee8dec941cc0cb896fa1ccc59cbf7b9de9610003f0bd2e8a48
- SSDEEP
  
  6291456:FTUNwNgD8hhlK4sCC90uWHgnNfTSeHRAod2da0Dmq75UpY21DYJ5HI:1UN5DqKnCULtnlnAM2kE5Gco
Score

10^/10

bumblebee citr10803 trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bumblebeecitr10803trojan

© 2018-2025

Terms | Privacy