Analysis
-
max time kernel
145s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2023 01:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe
Resource
win7-20230831-en
windows7-x64
1 signatures
150 seconds
General
-
Target
07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe
-
Size
597KB
-
MD5
95138e2d1e51d45f653eef0823ad3c89
-
SHA1
a28285ea359d00e3d6769481e5db882807cd7796
-
SHA256
07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2
-
SHA512
3c132f6717da4518fb08dc5aa73721b211051822172f50721de77acd2b8663fe39e8f6f77a39614757873a318972c24ad679d67ab44dd07ecaf2a077c94eacfe
-
SSDEEP
12288:DSHXS6dIkIYpPVpPE9NSn8V+Nu8Hx60PinBYqT:DS3Ik7P808QrU0PCe6
Malware Config
Extracted
Family
bumblebee
Botnet
lnk1
rc4.plain
1
NEW_BLACK
Processes
Network
-
Remote address:8.8.8.8:53Request69.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request9.228.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.a-0001.a-msedge.netg-bing-com.a-0001.a-msedge.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=34AF99393E526C781F898ABE3F1A6D26; domain=.bing.com; expires=Thu, 03-Oct-2024 01:50:26 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4D4043B136264ADCAC384F0DCC7EC242 Ref B: BRU30EDGE0907 Ref C: 2023-09-09T01:50:26Z
date: Sat, 09 Sep 2023 01:50:26 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=34AF99393E526C781F898ABE3F1A6D26
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 18D01C1C5659452FA67742E998FE5AB5 Ref B: BRU30EDGE0907 Ref C: 2023-09-09T01:50:26Z
date: Sat, 09 Sep 2023 01:50:26 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=34AF99393E526C781F898ABE3F1A6D26
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CFDBAF5E1D544736A6C68716B39D54C7 Ref B: BRU30EDGE0907 Ref C: 2023-09-09T01:50:26Z
date: Sat, 09 Sep 2023 01:50:26 GMT
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestcmid1s1zeiu.lifeIN AResponsecmid1s1zeiu.lifeIN A172.86.68.166
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestitszko2ot5u.lifeIN AResponseitszko2ot5u.lifeIN A45.61.130.31
-
Remote address:8.8.8.8:53Request8.3.197.209.in-addr.arpaIN PTRResponse8.3.197.209.in-addr.arpaIN PTRvip0x008map2sslhwcdnnet
-
Remote address:8.8.8.8:53Request3v1n35i5kwx.lifeIN AResponse3v1n35i5kwx.lifeIN A172.86.123.215
-
Remote address:8.8.8.8:53Requestnewdnq1xnl9.lifeIN AResponsenewdnq1xnl9.lifeIN A88.198.203.50
-
Remote address:8.8.8.8:53Request50.203.198.88.in-addr.arpaIN PTRResponse50.203.198.88.in-addr.arpaIN PTRstatic 88-198-203-50clientsyour-serverde
-
Remote address:8.8.8.8:53Request11.173.189.20.in-addr.arpaIN PTRResponse
-
204.79.197.200:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid=tls, http21.9kB 9.3kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=979af95091b34f5f91ea212833ece5a1&localId=w:1CCB9A0F-0FA7-2CAD-B05B-5D7DB29A4DF8&deviceId=6966549481367204&anid=HTTP Response
204 -
172.86.68.166:443cmid1s1zeiu.life07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe260 B 5
-
45.61.130.31:443itszko2ot5u.life07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe260 B 5
-
172.86.123.215:4433v1n35i5kwx.life07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe260 B 5
-
88.198.203.50:443newdnq1xnl9.lifehttps07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe1.1kB 866 B 12 13
-
172.86.68.166:443cmid1s1zeiu.life07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe260 B 5
-
45.61.130.31:443itszko2ot5u.life07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe156 B 3
-
71 B 157 B 1 1
DNS Request
69.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
9.228.82.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
59.128.231.4.in-addr.arpa
-
56 B 158 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.20013.107.21.200
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
8.8.8.8:53cmid1s1zeiu.lifedns07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe62 B 78 B 1 1
DNS Request
cmid1s1zeiu.life
DNS Response
172.86.68.166
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
8.8.8.8:53itszko2ot5u.lifedns07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe62 B 78 B 1 1
DNS Request
itszko2ot5u.life
DNS Response
45.61.130.31
-
70 B 111 B 1 1
DNS Request
8.3.197.209.in-addr.arpa
-
8.8.8.8:533v1n35i5kwx.lifedns07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe62 B 78 B 1 1
DNS Request
3v1n35i5kwx.life
DNS Response
172.86.123.215
-
8.8.8.8:53newdnq1xnl9.lifedns07e625d9acc7803be901c9b5cfbad7265c9ba0f5d617109584a77a32d8d153f2.exe62 B 78 B 1 1
DNS Request
newdnq1xnl9.life
DNS Response
88.198.203.50
-
72 B 129 B 1 1
DNS Request
50.203.198.88.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.173.189.20.in-addr.arpa