bumblebee | 8e04a2048e545d0faaf5d1e1c995c7b9529751e378b75c41f80c6682bd84e5aa

Analysis

max time kernel
131s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/09/2023, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hk1c9y18em.dll
Size

1.1MB
MD5

b7c42a2f6443f7efb2f005b05040a40a
SHA1

66e3ecc673fbb77c697a3b178a7458617de3d227
SHA256

8e04a2048e545d0faaf5d1e1c995c7b9529751e378b75c41f80c6682bd84e5aa
SHA512

fb802bb1fbffdadc38d0bf373a868deaa03a701d079715f3261f68e7c8f77881134f4bc8154bc68b8688d2f3711e6a6c382f0e64929c9bd1715ff2aee2b49aef
SSDEEP

24576:E40kaG+iDe5cMQW7v7+KIUC/ofj1fpLgN:E40kd+35cMv

Score

10^/10

bumblebee js1 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

js1

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2812	regsvr32.exe
2968	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2968	2592	cmd.exe	34
PID 2592 wrote to memory of 2968	2592	cmd.exe	34
PID 2592 wrote to memory of 2968	2592	cmd.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\hk1c9y18em.dll
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:2812

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2496

C:\Windows\system32\cmd.exe
"cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\system32\rundll32.exe
  rundll32 hk1c9y18em.dll,DllRegisterServer
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2812-0-0x0000000001DB0000-0x0000000001E29000-memory.dmp

Filesize
484KB

Download
memory/2812-1-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2812-2-0x0000000001F40000-0x000000000204A000-memory.dmp

Filesize
1.0MB

Download
memory/2812-3-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2812-5-0x0000000001F40000-0x000000000204A000-memory.dmp

Filesize
1.0MB

Download
memory/2812-6-0x0000000001F40000-0x000000000204A000-memory.dmp

Filesize
1.0MB

Download
memory/2812-7-0x0000000001DB0000-0x0000000001E29000-memory.dmp

Filesize
484KB

Download
memory/2812-8-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2968-10-0x0000000001FC0000-0x00000000020CA000-memory.dmp

Filesize
1.0MB

Download
memory/2968-11-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2968-12-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2968-13-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2968-9-0x00000000003B0000-0x0000000000429000-memory.dmp

Filesize
484KB

Download
memory/2968-14-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2968-15-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2968-16-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2968-17-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2968-18-0x00000000003B0000-0x0000000000429000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads