bumblebee | 54f28031ae6742e825a113b0437db1d0d16bec6668629bc5bbe656446ce45db1

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3u.ps1
Size

2.2MB
MD5

f9400abd6228a51e8e05085eccafc313
SHA1

807dedf3cc9802a77885975e88027727999ab762
SHA256

54f28031ae6742e825a113b0437db1d0d16bec6668629bc5bbe656446ce45db1
SHA512

5d3413586fc066c9c006dfde4f1e8d1d8057a0cdd3024d7fdcf365c9a0b638763e3b143b9acb1f0ec2b652ab353d3d10e29ed5232f88901756697df8c7743a90
SSDEEP

24576:mRQnNmYwNUFN1Jt3ld6+1qek4SuB3o9JAmjwNSUJWEAm4Rvy7leMoG0Fi78:mR7eFNTg+1YjwvO+b78

Score

10^/10

bumblebee tr23103 trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

tr23103

103.144.139.164:443

64.44.102.85:443

198.98.60.196:443

45.61.184.8:443

173.234.155.143:443

209.141.48.221:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 7 IoCs

flow	pid	Process
14	2796	powershell.exe
28	2796	powershell.exe
40	2796	powershell.exe
43	2796	powershell.exe
45	2796	powershell.exe
46	2796	powershell.exe
47	2796	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2796	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 980	2796	powershell.exe	83
PID 2796 wrote to memory of 980	2796	powershell.exe	83
PID 980 wrote to memory of 1696	980	csc.exe	84
PID 980 wrote to memory of 1696	980	csc.exe	84
PID 2796 wrote to memory of 344	2796	powershell.exe	88
PID 2796 wrote to memory of 344	2796	powershell.exe	88
PID 344 wrote to memory of 4940	344	csc.exe	89
PID 344 wrote to memory of 4940	344	csc.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3u.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3lmo05rh\3lmo05rh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B9D.tmp" "c:\Users\Admin\AppData\Local\Temp\3lmo05rh\CSCD2B4B50869A6406698965030CE2CDF99.TMP"
    3⤵
    PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3sh5h2i4\3sh5h2i4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86E8.tmp" "c:\Users\Admin\AppData\Local\Temp\3sh5h2i4\CSC39138CFC32BF46FBA29AD8B2A47BCC7.TMP"
    3⤵
    PID:4940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3lmo05rh\3lmo05rh.dll

Filesize
3KB

MD5
0542e83e0a08d40685c4e46686159722

SHA1
cd9b1c34c06709f1e56aa4f33880d0964548b399

SHA256
6b61d8bdd1990932f4347082fda32eef84e27987e11a4a1235ef44c4d0b51c38

SHA512
665bd248403096cae2dc5ace46e345b0eecd3376476534dbbea566ac3ff332baeed85cf42d4cf8af1708e24acab9f157eeec2d79d545a08ba18ccd4067437a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3sh5h2i4\3sh5h2i4.dll

Filesize
3KB

MD5
32da42a8bdf53f9d16a7873a61a63eeb

SHA1
f5436dc9cecdb15190452422337e3f724a8ca47c

SHA256
ef7fc0fb02752477d49a70a1df439877f2f9ec7517762ed8080efb25dd74faef

SHA512
a39ca5fbb1873ad2e1f6bfceb7d50783925f706f997ddac886f929b36967eaaba80466639293a89fa6eaa59bd521f1bb272ac06f46275e303217db0d0d2b42e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7B9D.tmp

Filesize
1KB

MD5
75a9b1a1fff31bbcfa82841970455246

SHA1
08b6b2965aa428349f61553c600cba4d5438253c

SHA256
e40b56d8fd13409ec06d70bd0374afd08d2d05705583e3542f7ab6d7a3d73cad

SHA512
ed9b0eacc9dd49bca8c11c8aad56652df3a4a0ea8d37c7667de5c4965e6c01984ef8d672024e332c19939f09552a8de8d241f153b1f62677ebd5ed4cce0bf446

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86E8.tmp

Filesize
1KB

MD5
c412b498d8998acb59fb469b663f7bf8

SHA1
361ddef2780720939dff80a55e42070fa11e3006

SHA256
70c43e27d3f1b99405089d57572b0206aa27d4c3a8a0e1ba6297b6670c343701

SHA512
8c9f10acde2fd35a41e7cba5d7d10ad11e39690226190a045c26405bed10768d2afd6a159d854212e284703f48ba4870b9f087036c903252e22ad11ab1ca510f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhb33lp4.mql.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3lmo05rh\3lmo05rh.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3lmo05rh\3lmo05rh.cmdline

Filesize
369B

MD5
36f441ccfd151080effc96cb9871e535

SHA1
2ecc4d2497624c0f8a0f348a9c9f263be2adaa86

SHA256
8c5303570b1e4492e6bf3b7b5d752c948ca59e9b943cf69380fda5fa3c2029a1

SHA512
ec2313e6bfde57e30060df295ab094a42dbd495f5bd85ca56501bc1559d1b633be79476d4babf8ca7a1fd0e3156dd82883b55477c097bf4497c09b2255c2f02b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3lmo05rh\CSCD2B4B50869A6406698965030CE2CDF99.TMP

Filesize
652B

MD5
7fb0fe399848050f5104531bb76938f6

SHA1
176739d69301b59a8d14bcdfd3769424a6a0b541

SHA256
28d773ea07468f34451091288a94821e094ca1bfa8057a8ea1adb2c23c16a8ca

SHA512
142f78cbeb1ebd5bbe50c4a8e6aa7b94ddd42e714c78c2ced89532f13478b537137633c3199494a91dd1c2f324225e7fa95eb1aa57e623605a3a8fbb41659c4b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3sh5h2i4\3sh5h2i4.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3sh5h2i4\3sh5h2i4.cmdline

Filesize
369B

MD5
387d1824de410edc64eaef0343743585

SHA1
8e4b48383e9b186b5908d30edc72a6cfbda3e9b2

SHA256
d7290f1ff2b7f7df674aff70970e9c61fac494c1a559ecdc40ebb3433ee8434d

SHA512
b78e7d00598f1855fcaee375bbeef648cd062a28a5613c59d055731d69470ec62b2a5c7af4477198f37cfe0c4d0b0710020994393298f392919ad61f04e57882

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3sh5h2i4\CSC39138CFC32BF46FBA29AD8B2A47BCC7.TMP

Filesize
652B

MD5
556cd3d95002fe4ca3024a82c5a7497f

SHA1
baa5c9e53f9fc90426584fbae0f4b0a0831f1ff8

SHA256
8884c32cfaad9d5c24e6a835ac7e7b10ea0eb8e611b6b14c371f4d5347a7ff6c

SHA512
a452588c7e8592fb3464ae0795d9eaa7399d5c50b28a78974e502232fd8856c3bbfb0f3b7ed7e86f14fea07543bf6b79576ddf63fffd3f3f1ef20ada3642975d

Download Submit
memory/2796-179-0x000002027CC60000-0x000002027CC70000-memory.dmp

Filesize
64KB

Download
memory/2796-145-0x000002027CC60000-0x000002027CC70000-memory.dmp

Filesize
64KB

Download
memory/2796-143-0x000002027CC60000-0x000002027CC70000-memory.dmp

Filesize
64KB

Download
memory/2796-144-0x000002027CC60000-0x000002027CC70000-memory.dmp

Filesize
64KB

Download
memory/2796-172-0x000002021A710000-0x000002021A884000-memory.dmp

Filesize
1.5MB

Download
memory/2796-178-0x000002021A890000-0x000002021AA04000-memory.dmp

Filesize
1.5MB

Download
memory/2796-133-0x000002027CB60000-0x000002027CB82000-memory.dmp

Filesize
136KB

Download
memory/2796-180-0x00007FFE5C930000-0x00007FFE5C931000-memory.dmp

Filesize
4KB

Download
memory/2796-186-0x000002027CC60000-0x000002027CC70000-memory.dmp

Filesize
64KB

Download
memory/2796-182-0x000002021A890000-0x000002021AA04000-memory.dmp

Filesize
1.5MB

Download
memory/2796-181-0x000002021A890000-0x000002021AA04000-memory.dmp

Filesize
1.5MB

Download
memory/2796-187-0x000002027CC60000-0x000002027CC70000-memory.dmp

Filesize
64KB

Download
memory/2796-188-0x000002027CC60000-0x000002027CC70000-memory.dmp

Filesize
64KB

Download
memory/2796-189-0x000002027CC60000-0x000002027CC70000-memory.dmp

Filesize
64KB

Download