bumblebee | 7a33dd7271575d93a84138ff4d6ebe4eb068ee83555cade505eb6c84d4a5f302

General

Target

ps1.ps1

Score

10^/10

bumblebee dcc3 execution loader

Malware Config

Extracted

Family

bumblebee

Botnet

dcc3

Attributes

dga
kxk0fp99.life

9b7t2l0q.life

hyivgigf.life

ge0gmguu.life

c0g886v7.life

z5gt6avq.life

bhqjgnyg.life

vtq4vrd1.life

wmds946t.life

lawsc41o.life

8zxvhrw3.life

6t152qng.life

8jenv5cj.life

nnc9xesb.life

vevijml2.life

qblg0klz.life

3botypuk.life

quw31ted.life

n9t609lu.life

mtu5eery.life

guycev3v.life

klcmu5e3.life

hm2psb94.life

wiof5kps.life

ink7i9yf.life

rj3h9lji.life

n0ohhx48.life

d5lspsc8.life

wuxe83rt.life

rka4u64f.life

7ue3qloo.life

wv7n0k5b.life

zutr3leo.life

9bydjn76.life

93628xvf.life

jh1px0y2.life

3hlr4b32.life

lq4rvf7h.life

qulj3o2b.life

o1kmnuax.life

dtacg44e.life

lq6oee8d.life

652t37sd.life

8e2fs333.life

hlbflus2.life

389wsdwk.life

k9asv5kf.life

0ny3328d.life

tkpnkize.life

rrfklwtt.life

gpw38bkj.life

v9nvi0qk.life

kxxxz02p.life

eiwkrw3v.life

tli6v0bb.life

vkm1k94n.life

56xom9cr.life

qdqw1w5c.life

ms6qhpe2.life

i8yegp0g.life

y5eqdqo8.life

mw0au96x.life

e12p0p07.life

c4e9t8ri.life

9i4h14pn.life

lnze846x.life

0ad1qrc1.life

qz7waafq.life

y6rqgp73.life

9xuj8nh1.life

1kq5u5oh.life

vpvmrmin.life

da3qmuiz.life

tztttnt4.life

k6ptpfxk.life

ouhz98km.life

ym1mmve7.life

az3hs01z.life

gb3kmt70.life

cu945ae2.life

enxlrvsp.life

puh4ptfq.life

xawrjuc7.life

6tcl7gdl.life

inwyinkt.life

si0wpv63.life

dkzmobfb.life

augbit10.life

w97o36m1.life

y833kir4.life

y2stju2y.life

agjsuxbi.life

5xrn6i3n.life

d64ijd3x.life

hkk0meg1.life

klclsjxl.life

jbq2lc4m.life

q905hr35.life

n7iemk16.life

2bdgvvjm.life
dga_seed
3169630490570045124
domain_length
8
num_dga_domains
100
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2768	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1940	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2768	1940	powershell.exe	29
PID 1940 wrote to memory of 2768	1940	powershell.exe	29
PID 1940 wrote to memory of 2768	1940	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" w_ver.dll DllRegisterServer
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-4-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1940-5-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/1940-6-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/1940-7-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/1940-8-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/1940-9-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/1940-10-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/1940-11-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2768-12-0x0000000001FB0000-0x0000000002097000-memory.dmp

Filesize
924KB

Download
memory/2768-13-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download
memory/2768-15-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download
memory/2768-14-0x00000000022C0000-0x00000000024D8000-memory.dmp

Filesize
2.1MB

Download
memory/2768-16-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download
memory/2768-18-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download
memory/2768-19-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download
memory/2768-17-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download
memory/2768-20-0x00000000022C0000-0x00000000024D8000-memory.dmp

Filesize
2.1MB

Download
memory/2768-21-0x0000000001FB0000-0x0000000002097000-memory.dmp

Filesize
924KB

Download
memory/2768-22-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download
memory/2768-23-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download
memory/2768-24-0x0000000077670000-0x0000000077819000-memory.dmp

Filesize
1.7MB

Download

Resubmissions

Analysis

Sharing