bumblebee | 8c9373fd5b6412df5a49ed8cbe38640d6b167ef79a83f9d25b2c2bff2417a8b2

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bum.ps1
Size

2.2MB
MD5

95d1e51db007668a176e0203afb4816c
SHA1

e7856701d9c5de497b9c28465db059be6954f541
SHA256

8c9373fd5b6412df5a49ed8cbe38640d6b167ef79a83f9d25b2c2bff2417a8b2
SHA512

4f475b1d7a0698836c48a7d533851f879af954ff3e2871cbb62cd55c8f41ea4c876dc6be9eca48b81fa897894c41a224353f6490b3a59fd542fecb7f26dc413a
SSDEEP

24576:bb6zC8eTmNIpd0RBkc+wgzDQvnELa1EAuIhxXBdeS1YM/y+twTXgNdkXl8:bcamyVDSJ/7twTzy

Score

10^/10

bumblebee 2301lms trojan

Malware Config

Extracted

Family

bumblebee

Botnet

2301lms

62.113.238.68:443

199.195.249.106:443

104.219.233.101:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
24	4272	powershell.exe
33	4272	powershell.exe
38	4272	powershell.exe
46	4272	powershell.exe
48	4272	powershell.exe
49	4272	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4272	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3232	4272	powershell.exe	86
PID 4272 wrote to memory of 3232	4272	powershell.exe	86
PID 3232 wrote to memory of 232	3232	csc.exe	87
PID 3232 wrote to memory of 232	3232	csc.exe	87
PID 4272 wrote to memory of 4316	4272	powershell.exe	91
PID 4272 wrote to memory of 4316	4272	powershell.exe	91
PID 4316 wrote to memory of 4412	4316	csc.exe	92
PID 4316 wrote to memory of 4412	4316	csc.exe	92

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bum.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grq4akk2\grq4akk2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8561.tmp" "c:\Users\Admin\AppData\Local\Temp\grq4akk2\CSC4632B63255944A1880E8BAD79A2FFD68.TMP"
    3⤵
    PID:232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3zsvtko\q3zsvtko.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9281.tmp" "c:\Users\Admin\AppData\Local\Temp\q3zsvtko\CSC50C063AD983463C8DE0B933963B449.TMP"
    3⤵
    PID:4412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8561.tmp

Filesize
1KB

MD5
4d6dd13d5a753047b0e9db0e8334d32b

SHA1
f5c5a6e2cebc9728734d17ba9f46560024af0f45

SHA256
0e34c1ecd6c22d2ab2b3ddfd8636167e91609880c246a856a426ab667135f742

SHA512
f70844982ac7efe5bdec64c4bfbf15e65f04380886e9bd107f565654c25aa7372fd28dce97caf20cbd5d621ca433ac60a03e768d5e1b1c7efb7283d9f9d0f0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9281.tmp

Filesize
1KB

MD5
238277078ba32c24a60e47621643dcbe

SHA1
d2e0f09079bdc911be40c24aa1fc06c84dc5834e

SHA256
8cdb0cb0330bfea3b7634f840805fa931986dd3e8de8000bb50ac2e0863cd788

SHA512
37302309e1e121fac1ccdcf54ec9a81aab79602f48907af7aea474a4bbd86fbb262b7a509601f683f84067c9b69163baf9c2c30b2861f9681304803147419f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1zvszan.zij.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\grq4akk2\grq4akk2.dll

Filesize
3KB

MD5
be69f04b191b20462ad3fef574b23e30

SHA1
ea2054cd2c60e23a5a39c23a13bc7a5978e8fd76

SHA256
b5b2170794353f990d902b7e1d0324f2e20418299c9873a42449356271e83b30

SHA512
1378ce132ff57b6a2a0986f5fd73c14ad218a306b5888d5cbb9569e7714c90a0c1aa2052be75d215faa3bde9434fc949e6e568a45b8dd7c9d13e3d030a701960

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3zsvtko\q3zsvtko.dll

Filesize
3KB

MD5
6611254a06c126703b116731067acd96

SHA1
89aae2d31432285954ea11b2e6448c6c3f6db8b7

SHA256
72642f9af40530139523488a1689f21d1826eb87f7b18fb44b0be5c3e7033603

SHA512
2481b6a33d3c2b315dd021778d23439b7fc5d3ed9e0039ee4c22d5a9b3a4836ac37ad6807d29b00d3e88681446349ea359b7091441d7fb4b9a798db62c3eeeec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\grq4akk2\CSC4632B63255944A1880E8BAD79A2FFD68.TMP

Filesize
652B

MD5
ef800c834186d1910f96b4980551e67b

SHA1
bfae2ddc85d216b7719dde80f290f5f1d0364fd9

SHA256
c3cd5c8bfdcd20f23746ad5f6a0d304ef8b300ffc8c41bd8e26c7eff79ddf5d1

SHA512
7fd1f29edd4bf535d70161dbe19860d9a810d783e30c7941cfdab5bea3776ec32dbab6ea8cb44768713468fd4ca058271e94b0892efb6a76f95cbb2d794e8ea3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\grq4akk2\grq4akk2.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\grq4akk2\grq4akk2.cmdline

Filesize
369B

MD5
b4ced8465ac525efec1cc234cfd8fd9b

SHA1
f6d7116244dfb098e1206b8954a9005b16ab8705

SHA256
00c9cdf44a47fa1aad1c10178d67b193facf1e778ecfde9654d519fbfaa3616c

SHA512
0c94b9f7a6597023b5bd5be35e75f7dfa34a4c2fdc5279b4f1217df102c44fd206b0133f29e3ae1cc604fecd442e840a5ba212db6e638d5eabb3492ab8efb411

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3zsvtko\CSC50C063AD983463C8DE0B933963B449.TMP

Filesize
652B

MD5
552f5101a5a9b9614eb1f8940a3cc853

SHA1
bda57225781dd28327320bd37920aa86180ae329

SHA256
cec4aa6855b4ce8099f971da7621e783b3ed7d6908a3d9519db905ac866b97f9

SHA512
d18053a59683ebc38ad7e176d87d851a226a1b4e3517782878c513e6b53393d1aedee4e2a616a2517dd8577040ee39fb01578abdeccb86f5698179019dce747c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3zsvtko\q3zsvtko.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3zsvtko\q3zsvtko.cmdline

Filesize
369B

MD5
0fe7bdaf4e567c998e1cb954b222eafb

SHA1
0c7f25c3598601e4aacab2f5f55fe1fd1c5dec25

SHA256
b2b2db33dfa8bd0f2d05d403bdde1f3c05bef655f5297eeb631db0baea594168

SHA512
00a3fdd379b301082824bee502cf4afc2a1e728723832a5bdd12519ce2b68ac4fbd717e14ae85614bd8572ee1ca6f96486c9ee5950b3c0b3871b1becd180eeee

Download Submit
memory/4272-179-0x0000029EC4DF0000-0x0000029EC4F64000-memory.dmp

Filesize
1.5MB

Download
memory/4272-138-0x0000029EC4820000-0x0000029EC4842000-memory.dmp

Filesize
136KB

Download
memory/4272-144-0x0000029EA96E0000-0x0000029EA96F0000-memory.dmp

Filesize
64KB

Download
memory/4272-143-0x0000029EA96E0000-0x0000029EA96F0000-memory.dmp

Filesize
64KB

Download
memory/4272-172-0x0000029EA96E0000-0x0000029EA96F0000-memory.dmp

Filesize
64KB

Download
memory/4272-173-0x0000029EC4C70000-0x0000029EC4DE4000-memory.dmp

Filesize
1.5MB

Download
memory/4272-145-0x0000029EA96E0000-0x0000029EA96F0000-memory.dmp

Filesize
64KB

Download
memory/4272-180-0x00007FF8DF690000-0x00007FF8DF691000-memory.dmp

Filesize
4KB

Download
memory/4272-181-0x0000029EC4DF0000-0x0000029EC4F64000-memory.dmp

Filesize
1.5MB

Download
memory/4272-185-0x0000029EA96E0000-0x0000029EA96F0000-memory.dmp

Filesize
64KB

Download
memory/4272-186-0x0000029EA96E0000-0x0000029EA96F0000-memory.dmp

Filesize
64KB

Download
memory/4272-187-0x0000029EA96E0000-0x0000029EA96F0000-memory.dmp

Filesize
64KB

Download
memory/4272-188-0x0000029EA96E0000-0x0000029EA96F0000-memory.dmp

Filesize
64KB

Download
memory/4272-195-0x0000029EC4DF0000-0x0000029EC4F64000-memory.dmp

Filesize
1.5MB

Download