bumblebee | bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91

General

Target

Inv(05-19)Copy#19-48-01.js
Size

772KB
MD5

c56f106025e1853958f0745516c0b88f
SHA1

f3506be345eafb653e2c2c18410b8c4f5d1a2c26
SHA256

bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91
SHA512

facf6c8c5690209c1c905f96da1f6ef1ad8b86ab752e8714e73ae48781ff8bfec17813816862fe5d75a96d7c316c083d46e27accf4685e060c6555e882e24278
SSDEEP

24576:93vle/E45Mk2h1K3G9EhRe4jEER9Fwf8TxzM34LM9gkIy9ByxZO9TLd8wDNGOi5t:plZ45Mk2h1aG9EhRe4jEy9Fwf8TxzM3s

Score

10^/10

bumblebee mc1905 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

mc1905

C2

92.119.178.40:443

32.54.188.44:443

194.135.33.160:443

192.198.82.59:443

103.175.16.151:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 10 IoCs

flow	pid	Process
4	316	wscript.exe
6	316	wscript.exe
8	316	wscript.exe
10	316	wscript.exe
11	1676	rundll32.exe
17	1676	rundll32.exe
20	1676	rundll32.exe
23	1676	rundll32.exe
24	1676	rundll32.exe
27	1676	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

pid	Process
1676	rundll32.exe
1932	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1676	rundll32.exe
1932	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1676	316	wscript.exe	30
PID 316 wrote to memory of 1676	316	wscript.exe	30
PID 316 wrote to memory of 1676	316	wscript.exe	30
PID 316 wrote to memory of 1932	316	wscript.exe	31
PID 316 wrote to memory of 1932	316	wscript.exe	31
PID 316 wrote to memory of 1932	316	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Inv(05-19)Copy#19-48-01.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\150163.dat,eOXScagadNKe
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1676
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\841072.dat,eOXScagadNKe
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E04.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\150163.dat

Filesize
1.2MB

MD5
000f864b3c5c69457429864497ea20d1

SHA1
43fe2e0b040ba56cd3f1d89cc43c3a078fc16d3f

SHA256
94b55b9376cbe55e590eb4f1a92d39ae2198e46a63fc71235e21d77c43627a0c

SHA512
b8de522c28362da3484d6e7c1d0f28d92f74c912b802eb440f96c32d5b8146275949b9ccba17a07991c0c2fea50a3465c9ec3459f786fb7a3df67b93d7a6964d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\841072.dat

Filesize
1.2MB

MD5
3975e6b5799c5653eb9f80310d9cc1aa

SHA1
05ca70c2f9fdf2a7c96ca6d87122495ae7ab947a

SHA256
f1e2d9557d4f928a0b466141582d9e5ef5b3c27cb8928cc50273835597746ca0

SHA512
f0b9152ac5c00ce4b0e97e5e471c6e0ea9760df6e5f1ba3c552f48e4aabf389eccaf274c77095ee2c6bb3eea7cd26c950309ecc58c3d58bd827b8a3824b3f1ff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\150163.dat

Filesize
1.2MB

MD5
000f864b3c5c69457429864497ea20d1

SHA1
43fe2e0b040ba56cd3f1d89cc43c3a078fc16d3f

SHA256
94b55b9376cbe55e590eb4f1a92d39ae2198e46a63fc71235e21d77c43627a0c

SHA512
b8de522c28362da3484d6e7c1d0f28d92f74c912b802eb440f96c32d5b8146275949b9ccba17a07991c0c2fea50a3465c9ec3459f786fb7a3df67b93d7a6964d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\841072.dat

Filesize
1.2MB

MD5
3975e6b5799c5653eb9f80310d9cc1aa

SHA1
05ca70c2f9fdf2a7c96ca6d87122495ae7ab947a

SHA256
f1e2d9557d4f928a0b466141582d9e5ef5b3c27cb8928cc50273835597746ca0

SHA512
f0b9152ac5c00ce4b0e97e5e471c6e0ea9760df6e5f1ba3c552f48e4aabf389eccaf274c77095ee2c6bb3eea7cd26c950309ecc58c3d58bd827b8a3824b3f1ff

Download Submit
memory/1676-117-0x0000000002070000-0x00000000021D1000-memory.dmp

Filesize
1.4MB

Download
memory/1676-118-0x0000000002070000-0x00000000021D1000-memory.dmp

Filesize
1.4MB

Download
memory/1676-119-0x0000000002070000-0x00000000021D1000-memory.dmp

Filesize
1.4MB

Download
memory/1676-120-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/1932-121-0x0000000002080000-0x00000000021E1000-memory.dmp

Filesize
1.4MB

Download
memory/1932-122-0x0000000001C60000-0x0000000001CDF000-memory.dmp

Filesize
508KB

Download

Resubmissions

Analysis

Sharing