bumblebee | 5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246 | Triage

Sharing

General

Target

doc12QICZ85.wsf
Size

178KB
Sample

230507-jjbddafb23
MD5

518fc2e647ec1a068d96699a7c81f09f
SHA1

2f1852128b1797ecb20557109c503197992d5ff7
SHA256

5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246
SHA512

2bf8fe6ac6316b64ba2f57ca9e6bdc922913d07b5a2cd9efeae453feb2ac7bc9e621b706ca245673a9b2d73d437592b9f2cedf78e5370db8f3dc8e6afbf3ee76
SSDEEP

3072:1eULHHO+zbe2qOX/w+A429OutoWjVM8kgCRreRlW+Q5HUJAWo5hiaPJhO5Q51lJO:Y8SOXY7txjVM8kgUeRlW+FAWo5AaPjCb

Score

10^/10

bumblebee mc1904 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

mc1904

C2

146.70.155.82:443

149.3.170.179:443

103.175.16.150:443

rc4.plain

Targets

- Target
  
  doc12QICZ85.wsf
- Size
  
  178KB
- MD5
  
  518fc2e647ec1a068d96699a7c81f09f
- SHA1
  
  2f1852128b1797ecb20557109c503197992d5ff7
- SHA256
  
  5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246
- SHA512
  
  2bf8fe6ac6316b64ba2f57ca9e6bdc922913d07b5a2cd9efeae453feb2ac7bc9e621b706ca245673a9b2d73d437592b9f2cedf78e5370db8f3dc8e6afbf3ee76
- SSDEEP
  
  3072:1eULHHO+zbe2qOX/w+A429OutoWjVM8kgCRreRlW+Q5HUJAWo5hiaPJhO5Q51lJO:Y8SOXY7txjVM8kgUeRlW+FAWo5AaPjCb
Score

10^/10

bumblebee mc1904 trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bumblebeemc1904trojan