Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-10-2023 01:40

General

  • Target

    452bb497728f1eb2ccd56b83f7a13e51447bd79852085e68908cb6c47625060b.dll

  • Size

    1.1MB

  • MD5

    7d2156efddf126dfb4c466da06f15e11

  • SHA1

    cf90131f73f72b7f32bccca438283a04a1001dbe

  • SHA256

    452bb497728f1eb2ccd56b83f7a13e51447bd79852085e68908cb6c47625060b

  • SHA512

    83496c49175e85e627ff320ec954f1e393d1473e17bf098f3dfbb98c09b18da6c1d4258bdcfcecc382a8da91424ff63ad882deb8a9572fecb6c667b131d74fe4

  • SSDEEP

    24576:drD2uxNbJd3BU7XFLH9io8hAGOAHxLrQ+P3U:ZDBxNvR

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

js1

rc4.plain
1
NEW_BLACK

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\452bb497728f1eb2ccd56b83f7a13e51447bd79852085e68908cb6c47625060b.dll
    1
    • Suspicious use of NtCreateThreadExHideFromDebugger
    PID:4864

Network

  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    108.211.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    108.211.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    126.24.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    126.24.238.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.81.57.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.81.57.23.in-addr.arpa
    IN PTR
    Response
    29.81.57.23.in-addr.arpa
    IN PTR
    a23-57-81-29.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    v5b6ml4o0nq.life
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    v5b6ml4o0nq.life
    IN A
    Response
    v5b6ml4o0nq.life
    IN A
    35.241.18.84
  • flag-us
    DNS
    84.18.241.35.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    84.18.241.35.in-addr.arpa
    IN PTR
    Response
    84.18.241.35.in-addr.arpa
    IN PTR
    84.18.241.35.bc.googleusercontent.com
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301221_1QT8MWO6B4ZOSDG6D&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301221_1QT8MWO6B4ZOSDG6D&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 621457
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 652604A61C7741CC8A72BFFD4B730913 Ref B: DUS30EDGE0916 Ref C: 2023-10-14T14:28:13Z
    date: Sat, 14 Oct 2023 14:28:12 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301002_1MO3TX35MNM0PMQ0Y&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301002_1MO3TX35MNM0PMQ0Y&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 312137
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 87FC2311ED5A4BE295ED6F59B77DF4C4 Ref B: DUS30EDGE0916 Ref C: 2023-10-14T14:28:13Z
    date: Sat, 14 Oct 2023 14:28:12 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301630_1PAJCY0ULCQZ3ZJR7&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301630_1PAJCY0ULCQZ3ZJR7&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 263902
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4B89B21D75C44AB9B309D1CDF37CED32 Ref B: DUS30EDGE0916 Ref C: 2023-10-14T14:28:13Z
    date: Sat, 14 Oct 2023 14:28:12 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301435_1REX6VFBJBZOLLSTT&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301435_1REX6VFBJBZOLLSTT&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 529021
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E7BC893961DE4C76BECED660F45094BB Ref B: DUS30EDGE0916 Ref C: 2023-10-14T14:28:13Z
    date: Sat, 14 Oct 2023 14:28:13 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301042_1MAX6G538S7UXPEO9&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301042_1MAX6G538S7UXPEO9&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 76071
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 99A1A6E2E9EB4134BF98FB86033A0BAC Ref B: DUS30EDGE0916 Ref C: 2023-10-14T14:28:13Z
    date: Sat, 14 Oct 2023 14:28:13 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301475_1TMICQ2AO32NACDU0&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301475_1TMICQ2AO32NACDU0&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 83160
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 47AB7398107448F999E82231658CE9F5 Ref B: DUS30EDGE0916 Ref C: 2023-10-14T14:28:15Z
    date: Sat, 14 Oct 2023 14:28:14 GMT
  • flag-us
    DNS
    v5b6ml4o0nq.life
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    v5b6ml4o0nq.life
    IN A
    Response
    v5b6ml4o0nq.life
    IN A
    35.241.18.84
  • flag-us
    DNS
    226.162.46.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.162.46.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    v5b6ml4o0nq.life
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    v5b6ml4o0nq.life
    IN A
    Response
    v5b6ml4o0nq.life
    IN A
    35.241.18.84
  • 35.241.18.84:443
    v5b6ml4o0nq.life
    https
    regsvr32.exe
    360 B
    299 B
    5
    7
  • 35.241.18.84:443
    v5b6ml4o0nq.life
    https
    regsvr32.exe
    406 B
    339 B
    6
    8
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301475_1TMICQ2AO32NACDU0&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    74.8kB
    2.0MB
    1427
    1423

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301221_1QT8MWO6B4ZOSDG6D&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301002_1MO3TX35MNM0PMQ0Y&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301630_1PAJCY0ULCQZ3ZJR7&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301435_1REX6VFBJBZOLLSTT&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301042_1MAX6G538S7UXPEO9&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301475_1TMICQ2AO32NACDU0&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 35.241.18.84:443
    v5b6ml4o0nq.life
    https
    regsvr32.exe
    406 B
    339 B
    6
    8
  • 35.241.18.84:443
    v5b6ml4o0nq.life
    https
    regsvr32.exe
    360 B
    299 B
    5
    7
  • 35.241.18.84:443
    v5b6ml4o0nq.life
    https
    regsvr32.exe
    406 B
    339 B
    6
    8
  • 35.241.18.84:443
    v5b6ml4o0nq.life
    https
    regsvr32.exe
    406 B
    339 B
    6
    8
  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    108.211.229.192.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    108.211.229.192.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    126.24.238.8.in-addr.arpa
    dns
    71 B
    125 B
    1
    1

    DNS Request

    126.24.238.8.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    29.81.57.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    29.81.57.23.in-addr.arpa

  • 8.8.8.8:53
    v5b6ml4o0nq.life
    dns
    regsvr32.exe
    62 B
    78 B
    1
    1

    DNS Request

    v5b6ml4o0nq.life

    DNS Response

    35.241.18.84

  • 8.8.8.8:53
    84.18.241.35.in-addr.arpa
    dns
    71 B
    122 B
    1
    1

    DNS Request

    84.18.241.35.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    v5b6ml4o0nq.life
    dns
    regsvr32.exe
    62 B
    78 B
    1
    1

    DNS Request

    v5b6ml4o0nq.life

    DNS Response

    35.241.18.84

  • 8.8.8.8:53
    226.162.46.104.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    226.162.46.104.in-addr.arpa

  • 8.8.8.8:53
    v5b6ml4o0nq.life
    dns
    regsvr32.exe
    62 B
    78 B
    1
    1

    DNS Request

    v5b6ml4o0nq.life

    DNS Response

    35.241.18.84

MITRE ATT&CK Matrix


Downloads

  • memory/4864-0-0x0000000002BA0000-0x0000000002C19000-memory.dmp

    Filesize

    484KB

  • memory/4864-3-0x0000000002D30000-0x0000000002E3A000-memory.dmp

    Filesize

    1.0MB

  • memory/4864-2-0x00007FFE43310000-0x00007FFE43505000-memory.dmp

    Filesize

    2.0MB

  • memory/4864-5-0x0000000002D30000-0x0000000002E3A000-memory.dmp

    Filesize

    1.0MB

  • memory/4864-4-0x00007FFE43310000-0x00007FFE43505000-memory.dmp

    Filesize

    2.0MB

  • memory/4864-6-0x00007FFE43310000-0x00007FFE43505000-memory.dmp

    Filesize

    2.0MB

  • memory/4864-7-0x00007FFE43310000-0x00007FFE43505000-memory.dmp

    Filesize

    2.0MB

  • memory/4864-1-0x0000000002D30000-0x0000000002E3A000-memory.dmp

    Filesize

    1.0MB

  • memory/4864-8-0x00007FFE43310000-0x00007FFE43505000-memory.dmp

    Filesize

    2.0MB

  • memory/4864-9-0x0000000002D30000-0x0000000002E3A000-memory.dmp

    Filesize

    1.0MB

  • memory/4864-10-0x0000000002BA0000-0x0000000002C19000-memory.dmp

    Filesize

    484KB

  • memory/4864-11-0x00007FFE43310000-0x00007FFE43505000-memory.dmp

    Filesize

    2.0MB
