bumblebee | 212bddfe0446f5f5037d8452bb9f4fad2823502917546811a97d6b4c555d5ad6

Resubmissions

21-06-2023 13:07

230621-qcx25ahe88 10

20-06-2023 06:50

230620-hly2sabg3s 3

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-06-2023 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb0c8b5d8ef25661fb0f89d676e2e49.dll
Size

1.2MB
MD5

1fb0c8b5d8ef25661fb0f89d676e2e49
SHA1

1b284a2b2ab3c733603a702320d9c55c3b74bd91
SHA256

212bddfe0446f5f5037d8452bb9f4fad2823502917546811a97d6b4c555d5ad6
SHA512

a8033e6c6beac49a166f500b9991bfcff43be42d6579062ffd11f147a3c016ccb1f2de9b217f18e4ba00dd6acd0d9a8e898666acd885344e37cabc9b4ad297a3
SSDEEP

24576:V88Kjwqgo6dmg6XKZz0AUfOwZbB2aBnRLI151E/BgXRzyCF7z7vb:u7+ZU3TODE/CdPb

Score

10^/10

bumblebee mc1905 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

mc1905

92.119.178.40:443

32.54.188.44:443

194.135.33.160:443

192.198.82.59:443

103.175.16.151:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1868	rundll32.exe
4	1868	rundll32.exe
5	1868	rundll32.exe
6	1868	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1868	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1384	1644	WerFault.exe	3

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1164	AUDIODG.EXE
Token: 33	1164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1164	AUDIODG.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1384	1644	rundll32.exe	28
PID 1644 wrote to memory of 1384	1644	rundll32.exe	28
PID 1644 wrote to memory of 1384	1644	rundll32.exe	28
PID 764 wrote to memory of 1868	764	cmd.exe	34
PID 764 wrote to memory of 1868	764	cmd.exe	34
PID 764 wrote to memory of 1868	764	cmd.exe	34
PID 764 wrote to memory of 1548	764	cmd.exe	36
PID 764 wrote to memory of 1548	764	cmd.exe	36
PID 764 wrote to memory of 1548	764	cmd.exe	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0c8b5d8ef25661fb0f89d676e2e49.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1644 -s 84
  2⤵
  - Program crash
  PID:1384

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\system32\rundll32.exe
  rundll32.exe 1fb0c8b5d8ef25661fb0f89d676e2e49.dll eOXScagadNKe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1868
- C:\Windows\system32\rundll32.exe
  rundll32.exe 1fb0c8b5d8ef25661fb0f89d676e2e49.dll PcYge9j
  2⤵
  PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-54-0x0000000001F80000-0x00000000020E1000-memory.dmp

Filesize
1.4MB

Download
memory/1868-55-0x0000000001F80000-0x00000000020E1000-memory.dmp

Filesize
1.4MB

Download
memory/1868-56-0x0000000001F80000-0x00000000020E1000-memory.dmp

Filesize
1.4MB

Download
memory/1868-57-0x00000000002E0000-0x000000000035F000-memory.dmp

Filesize
508KB

Download