bumblebee | 8640824dd436af0e73c51a89aa86987f22fb76f60be94f61f3ae3affe5f0927e

Sharing

Copy URL

Twitter E-mail

General

Target

8640824dd436af0e73c51a89aa86987f22fb76f60be94f61f3ae3affe5f0927e
Size

804KB
MD5

84cfa5bac0faa823d116644de18a20e3
SHA1

80dae96c422ebad401d870ea1720b4a4622bf7cc
SHA256

8640824dd436af0e73c51a89aa86987f22fb76f60be94f61f3ae3affe5f0927e
SHA512

427b83f923a3d0349714de8de70c468cc96d510d83459885a43be0eb78859d50b572d508ef9351a8ed3194bb197643c08a8c0286ed649edfcd7f4fd4b86765b0
SSDEEP

12288:cipvTLaZ+ZyRY2POCN2zPj77ejZYEc6QfBoHmuv+kfkQQkh:cipvTOZ+uPOC8H7KYEc6QfBud+ksQQ

Score

10^/10

1105a bumblebee

Malware Config

Extracted

Family

bumblebee

Botnet

1105a

142.11.222.79:443

23.254.224.200:443

103.175.16.52:443

199.195.252.30:443

rc4.plain

Signatures

Bumblebee family
bumblebee

Detects executables referencing many IR and analysis tools 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_References_SecTools

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
8640824dd436af0e73c51a89aa86987f22fb76f60be94f61f3ae3affe5f0927e

Files

8640824dd436af0e73c51a89aa86987f22fb76f60be94f61f3ae3affe5f0927e
.dll windows:6 windows x64 arch:x64

23ef69b19204b704365863cbed9a810e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

crypt32

CertGetCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertCreateCertificateChainEngine

secur32

InitSecurityInterfaceA

kernel32

SetEvent
TerminateThread
GetCurrentProcessId
CreateEventA
SetWaitableTimer
TlsSetValue
VerifyVersionInfoA
SetLastError
EnterCriticalSection
WaitForMultipleObjects
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CreateEventW
FormatMessageW
TlsAlloc
QueueUserAPC
CreateWaitableTimerA
LocalFree
DeleteCriticalSection
VerSetConditionMask
WideCharToMultiByte
SleepEx
TlsGetValue
TlsFree
FormatMessageA
CreateIoCompletionPort
ReadFile
SetHandleInformation
WriteFile
TerminateProcess
CreatePipe
CreateProcessA
FileTimeToSystemTime
LoadLibraryW
GetLocalTime
GetProcAddress
SystemTimeToFileTime
GetModuleHandleW
GetCurrentProcess
Thread32Next
Thread32First
GetModuleHandleA
OpenProcess
LoadLibraryA
VirtualProtectEx
OpenThread
MultiByteToWideChar
GetModuleFileNameW
SetFilePointer
lstrlenA
CreateFileW
lstrcmpA
VirtualAlloc
HeapFree
CreateFileA
HeapReAlloc
HeapAlloc
GetFileSize
GetLastError
VirtualQuery
lstrcpyA
Wow64DisableWow64FsRedirection
ExpandEnvironmentStringsW
Wow64RevertWow64FsRedirection
GetWindowsDirectoryW
GlobalMemoryStatusEx
VerifyVersionInfoW
GetFileAttributesW
Process32NextW
Process32FirstW
GetStdHandle
RtlLookupFunctionEntry
RtlCaptureContext
WaitForSingleObjectEx
SetFilePointerEx
HeapSize
GetConsoleMode
Sleep
lstrcatA
CreateDirectoryA
GetFileAttributesA
GetModuleFileNameA
CloseHandle
CreateToolhelp32Snapshot
WaitForSingleObject
GetConsoleCP
FlushFileBuffers
SetStdHandle
ResetEvent
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
FindNextFileA
GetCPInfo
GetStringTypeW
GetLocaleInfoW
LCMapStringW
GetSystemTimeAsFileTime
QueryPerformanceFrequency
QueryPerformanceCounter
RaiseException
DecodePointer
EncodePointer
RtlPcToFileHeader
GetProcessHeap
FindFirstFileExA
FindClose
GetOEMCP
IsValidCodePage
OutputDebugStringW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
ExitProcess
GetACP
WriteConsoleW
GetFileType
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
CreateThread
LoadLibraryExW
FreeLibrary
RtlUnwindEx
InterlockedFlushSList
InitializeSListHead
GetCurrentThreadId
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind

user32

FindWindowW
wsprintfW

advapi32

LookupPrivilegeValueA
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetUserNameW

shell32

SHGetSpecialFolderPathW
SHGetSpecialFolderPathA

ole32

CoCreateInstance
CoUninitialize
CoInitializeEx
CoSetProxyBlanket
CoInitializeSecurity

oleaut32

SafeArrayGetUBound
SafeArrayGetElement
SafeArrayGetLBound
SafeArrayUnaccessData
SafeArrayAccessData
SysFreeString
SysAllocString
VariantClear
VariantInit

mpr

WNetGetProviderNameW

iphlpapi

GetAdaptersInfo

ws2_32

WSASetLastError
select
WSASend
WSASocketW
WSAGetLastError
setsockopt
getaddrinfo
ioctlsocket
freeaddrinfo
getsockopt
WSARecv
WSACleanup
connect
closesocket
WSAStartup

shlwapi

PathCombineW
StrCmpIW
StrChrA
StrStrIW
StrToIntA

Exports

Exports

aCmHmjrptS
SetPath

Sections

.text
Size: 436KB - Virtual size: 436KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 216KB - Virtual size: 215KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 71KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

23ef69b19204b704365863cbed9a810e

Headers

DLL Characteristics

File Characteristics

Imports

crypt32

secur32

kernel32

user32

advapi32

shell32

ole32

oleaut32

mpr

iphlpapi

ws2_32

shlwapi

Exports

Exports

Sections

.text Size: 436KB - Virtual size: 436KB

.rdata Size: 216KB - Virtual size: 215KB

.data Size: 71KB - Virtual size: 94KB

.pdata Size: 26KB - Virtual size: 25KB

.gfids Size: 512B - Virtual size: 504B

.tls Size: 5KB - Virtual size: 4KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 436KB - Virtual size: 436KB

.rdata
Size: 216KB - Virtual size: 215KB

.data
Size: 71KB - Virtual size: 94KB

.pdata
Size: 26KB - Virtual size: 25KB

.gfids
Size: 512B - Virtual size: 504B

.tls
Size: 5KB - Virtual size: 4KB

.reloc
Size: 4KB - Virtual size: 4KB