Malware Analysis Report

2024-10-23 15:36

Sample ID 230914-kr6pxsdd83
Target 45f4c6ea59bc7a8c2d20098698104940.exe
SHA256 2aae03be2893a2d742528bbd737b4195d84f6d3663e9eeff8c646c53675d7838
Tags
bumblebee js1 trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

2aae03be2893a2d742528bbd737b4195d84f6d3663e9eeff8c646c53675d7838

Threat Level: Known bad

The file 45f4c6ea59bc7a8c2d20098698104940.exe was found to be: Known bad.

Malicious Activity Summary

bumblebee js1 trojan

BumbleBee

Suspicious use of NtCreateThreadExHideFromDebugger

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-14 08:51

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 08:51

Reported

2023-09-14 08:53

Platform

win7-20230831-en

Max time kernel

120s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45f4c6ea59bc7a8c2d20098698104940.dll

Signatures

BumbleBee

trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\regsvr32.exe  N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45f4c6ea59bc7a8c2d20098698104940.dll

Network

Country  Destination             Domain            Proto
US       8.8.8.8:53              v5b6ml4o0nq.life  udp
DE       116.203.151.240:443     v5b6ml4o0nq.life  tcp

Files

memory/3012-0-0x0000000001D90000-0x0000000001E09000-memory.dmp
memory/3012-1-0x0000000001F20000-0x000000000202A000-memory.dmp
memory/3012-2-0x00000000778A0000-0x0000000077A49000-memory.dmp
memory/3012-3-0x00000000778A0000-0x0000000077A49000-memory.dmp
memory/3012-5-0x00000000778A0000-0x0000000077A49000-memory.dmp
memory/3012-6-0x0000000001F20000-0x000000000202A000-memory.dmp
memory/3012-7-0x0000000001F20000-0x000000000202A000-memory.dmp
memory/3012-8-0x0000000001D90000-0x0000000001E09000-memory.dmp
memory/3012-9-0x00000000778A0000-0x0000000077A49000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-14 08:51

Reported

2023-09-14 08:53

Platform

win10v2004-20230831-en

Max time kernel

133s

Max time network

136s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45f4c6ea59bc7a8c2d20098698104940.dll

Signatures

BumbleBee

trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\regsvr32.exe  N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45f4c6ea59bc7a8c2d20098698104940.dll

Network

Country  Destination             Domain                         Proto
US       8.8.8.8:53              23.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53              95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53              158.240.127.40.in-addr.arpa    udp
US       8.8.8.8:53              9.228.82.20.in-addr.arpa       udp
US       8.8.8.8:53              v5b6ml4o0nq.life               udp
DE       116.203.151.240:443     v5b6ml4o0nq.life               tcp
US       8.8.8.8:53              41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53              240.151.203.116.in-addr.arpa   udp
US       8.8.8.8:53              208.194.73.20.in-addr.arpa     udp
US       8.8.8.8:53              103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53              171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53              126.179.238.8.in-addr.arpa     udp
US       8.8.8.8:53              25.73.42.20.in-addr.arpa       udp

Files

memory/1588-0-0x0000000002B70000-0x0000000002BE9000-memory.dmp
memory/1588-1-0x0000000002D80000-0x0000000002E8A000-memory.dmp
memory/1588-2-0x0000000002D80000-0x0000000002E8A000-memory.dmp
memory/1588-4-0x0000000002D80000-0x0000000002E8A000-memory.dmp
memory/1588-5-0x00007FFC97B90000-0x00007FFC97D85000-memory.dmp
memory/1588-3-0x00007FFC97B90000-0x00007FFC97D85000-memory.dmp
memory/1588-6-0x00007FFC97B90000-0x00007FFC97D85000-memory.dmp
memory/1588-7-0x00007FFC97B90000-0x00007FFC97D85000-memory.dmp
memory/1588-9-0x00007FFC97B90000-0x00007FFC97D85000-memory.dmp
memory/1588-8-0x0000000002D80000-0x0000000002E8A000-memory.dmp
memory/1588-10-0x00007FFC97B90000-0x00007FFC97D85000-memory.dmp
memory/1588-11-0x0000000002B70000-0x0000000002BE9000-memory.dmp
memory/1588-12-0x00007FFC97B90000-0x00007FFC97D85000-memory.dmp