Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20230220-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20-04-2023 17:45

General

  • Target

    d763681286d9d514420c27210746edd5bb9b563b626c0cdb2c61239292b86535.dll

  • Size

    1.4MB

  • MD5

    adcfd6939319c09ad8cbef72a81944a5

  • SHA1

    154c1f4bc247d79789ec7eaf0feb92ea0d932445

  • SHA256

    d763681286d9d514420c27210746edd5bb9b563b626c0cdb2c61239292b86535

  • SHA512

    4f4fb6e9d2c833d4335dc816fbac2b5d25d3b95fdd1dced1b795c5564d367dca533eb743842fcf31ae74563cba451ae55b226e44f05b4745613b8e6e50e010ce

  • SSDEEP

    24576:fno8Poz7SOWZlz7nnGqCk//xhxNbcFzPCC5lZXVQ:fjo/+GwPr

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

mc1904

C2

146.70.155.82:443

149.3.170.179:443

103.175.16.150:443

rc4.plain
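The extracted config above gives a practitioner two things to hunt with: the file hashes of the DLL and the three C2 endpoints. The following is an added example written for this page, not part of the sandbox report or of any vendor tooling; it copies those IOCs verbatim and runs them over a constructed, simplified key=value network log (the log format, the PIDs other than 4660 and the non-C2 destinations are assumptions for the demo). It also flags the report's "blocklisted process" case, rundll32.exe making any outbound connection, and treats a C2 host seen on a different port as a weaker hit rather than ignoring it.

```python
"""Match host telemetry against the IOCs in this BumbleBee report.

Added example for this page, not part of the sandbox report or of any
vendor tooling. The hashes and C2 endpoints are copied from the report;
the log lines and their key=value format are constructed for the demo.
"""
import hashlib
import re
from typing import Optional

# File hashes of the analysed DLL, copied from the General section.
SAMPLE_HASHES = {
    "md5": "adcfd6939319c09ad8cbef72a81944a5",
    "sha1": "154c1f4bc247d79789ec7eaf0feb92ea0d932445",
    "sha256": "d763681286d9d514420c27210746edd5bb9b563b626c0cdb2c61239292b86535",
}

# C2 endpoints (host, port) from the extracted config.
C2_ENDPOINTS = {
    ("146.70.155.82", 443),
    ("149.3.170.179", 443),
    ("103.175.16.150", 443),
}
C2_HOSTS = {host for host, _ in C2_ENDPOINTS}

# Images covered by the report's "Blocklisted process makes network request"
# signature; only rundll32.exe appears on this page, extend as needed.
BLOCKLISTED_IMAGES = {"rundll32.exe"}

# Constructed log lines (assumption: not a real Sysmon/EDR format). Destinations
# outside the C2 list use RFC 5737 documentation addresses. Line 4 reuses a C2
# host on a non-config port; line 6 is rundll32 talking to a non-C2 host.
NETLOG = """\
2023-04-20 17:46:01 pid=4660 image=C:\\Windows\\system32\\rundll32.exe dst=146.70.155.82:443
2023-04-20 17:46:02 pid=1234 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=203.0.113.10:443
2023-04-20 17:46:05 pid=4660 image=C:\\Windows\\system32\\rundll32.exe dst=103.175.16.150:443
2023-04-20 17:46:09 pid=4660 image=C:\\Windows\\system32\\rundll32.exe dst=149.3.170.179:8443
2023-04-20 17:46:12 pid=2468 image=C:\\Windows\\system32\\svchost.exe dst=198.51.100.7:443
2023-04-20 17:46:15 pid=4660 image=C:\\Windows\\system32\\rundll32.exe dst=203.0.113.10:80
"""

# image paths may contain spaces, so match lazily up to the " dst=" token.
LINE_RE = re.compile(
    r"pid=(?P<pid>\d+) image=(?P<image>.+?) dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


def hash_bytes(data: bytes) -> dict:
    """Digest a blob with the three hash types the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_known_sample(data: bytes) -> bool:
    """True if any digest of `data` equals the reported sample's digest."""
    digests = hash_bytes(data)
    return any(digests[algo] == value for algo, value in SAMPLE_HASHES.items())


def classify_connection(image: str, ip: str, port: int) -> Optional[str]:
    """Rank one connection against the report.

    'c2'          exact host:port match with the extracted config
    'c2-host'     host is in the config but the port differs (still triage it)
    'blocklisted' a blocklisted image (rundll32.exe) talking to anything else
    None          nothing on this page applies
    """
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if (ip, port) in C2_ENDPOINTS:
        return "c2"
    if ip in C2_HOSTS:
        return "c2-host"
    if basename in BLOCKLISTED_IMAGES:
        return "blocklisted"
    return None


def scan_netlog(log: str) -> list:
    """Return (pid, image, ip, port, verdict) for every flagged line."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not follow the constructed format
        pid, image, ip, port = int(m["pid"]), m["image"], m["ip"], int(m["port"])
        verdict = classify_connection(image, ip, port)
        if verdict:
            hits.append((pid, image, ip, port, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_netlog(NETLOG):
        print(hit)
```

Running the block over the constructed log flags the four rundll32 lines and nothing else; the `c2-host` verdict exists because a port mismatch against a three-entry config is not strong enough evidence to discard the event, only to rank it below an exact match.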

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++. It is delivered as a DLL and started through rundll32.exe with a named export, as in the process tree below.

  • Blocklisted process makes network request (7 IoCs)
  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)

Processes

  • C:\Windows\system32\rundll32.exe (PID 4660)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d763681286d9d514420c27210746edd5bb9b563b626c0cdb2c61239292b86535.dll, bYXjdERymsFY
    • Blocklisted process makes network request
    • Suspicious use of NtCreateThreadExHideFromDebugger


Downloads

  • memory/4660-133-0x0000029C547E0000-0x0000029C54941000-memory.dmp (Filesize 1.4MB)
  • memory/4660-134-0x0000029C54600000-0x0000029C5467A000-memory.dmp (Filesize 488KB)
  • memory/4660-135-0x0000029C547E0000-0x0000029C54941000-memory.dmp (Filesize 1.4MB)
  • memory/4660-136-0x0000029C547E0000-0x0000029C54941000-memory.dmp (Filesize 1.4MB)
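The dump names encode the PID, a sequence number and the start and end address of the captured region, so the listed file sizes can be recomputed and the entries grouped by region. The following is an added example written for this page, not part of the sandbox report; the name layout `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` is read off the four entries above, and the page-alignment check and the size-label format are assumptions chosen to reproduce what the report prints.

```python
"""Parse the memory-dump names listed under Downloads.

Added example for this page, not part of the sandbox report. The name
layout memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read off the
entries on the page; sizes are recomputed from the address range.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# The four dump names exactly as they appear in the report.
REPORT_DUMPS = [
    "memory/4660-133-0x0000029C547E0000-0x0000029C54941000-memory.dmp",
    "memory/4660-134-0x0000029C54600000-0x0000029C5467A000-memory.dmp",
    "memory/4660-135-0x0000029C547E0000-0x0000029C54941000-memory.dmp",
    "memory/4660-136-0x0000029C547E0000-0x0000029C54941000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        """Byte length of the dumped region (end is exclusive)."""
        return self.end - self.start

    def overlaps(self, other: "MemoryDump") -> bool:
        return self.start < other.end and other.start < self.end


def parse_dump_name(name: str) -> MemoryDump:
    """Parse one Downloads entry; reject names that are not sane regions."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    dump = MemoryDump(int(m["pid"]), int(m["seq"]),
                      int(m["start"], 16), int(m["end"], 16))
    # Assumption: dumped regions start on a 4 KiB page and are non-empty.
    if dump.size <= 0 or dump.start % 0x1000:
        raise ValueError(f"implausible region in {name!r}")
    return dump


def human_size(n: int) -> str:
    """Format like the report: one decimal in MB (1024-based), whole KB below."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n / 1024:.0f}KB"


def group_by_region(names: Iterable[str]) -> Dict[Tuple[int, int], List[int]]:
    """Map (start, end) -> sorted seq numbers, to spot re-dumped regions."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        regions[(d.start, d.end)].append(d.seq)
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    for name in REPORT_DUMPS:
        d = parse_dump_name(name)
        print(f"pid={d.pid} seq={d.seq} {d.start:#x}-{d.end:#x} {human_size(d.size)}")
    for (start, end), seqs in group_by_region(REPORT_DUMPS).items():
        print(f"region {start:#x}-{end:#x} dumped {len(seqs)}x: {seqs}")
```

The recomputed sizes are 0x161000 bytes (1,445,888) for the large region and 0x7A000 bytes (499,712) for the small one; the 488KB label only matches with 1024-based units, which is why `human_size` divides by 1024 rather than 1000. Grouping shows that sequence numbers 133, 135 and 136 are the same 1.4MB region captured three times, so there are only two distinct regions to carve or scan.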