bumblebee | 73ed8e7786da9b099e869fb6c8ac19dd3c223a8fb7d577b8f8be364b641da13b

Analysis

max time kernel
122s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
submitted
25/11/2024, 19:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FILE_InstallMeExe.dll

Score

10^/10

bumblebee 138704 loader

Malware Config

Extracted

Family

bumblebee

Botnet

138704

Attributes

dga
45urhm0ldgxb.live

gx6xly9rp6vl.live

zv46ga4ntybq.live

7n1hfolmrnbl.live

vivh2xlt9i6q.live

97t3nh4kk510.live

kbkdtwucfl40.live

qk6a1ahb63uz.live

whko7loy7h5z.live

dad1zg44n0bn.live

7xwz4hw8dts9.live

ovekd5n3gklq.live

amwnef8mjo4v.live

e7ivqfhnss0x.live

rjql4nicl6bg.live

4mo318kk29i4.live

zpo18lm8vg1x.live

jc51pt290y0n.live

rg26t2dc4hf4.live

qw9a58vunuja.live

ugm94zjzl5nl.live

mckag832orba.live

pdw0v9voxlxr.live

m4tx2apfmoxo.live

n2uc737ef71m.live

hkk3112645hz.live

ugko9g5ipa4o.live

8wgq2x4dybx9.live

h81fx7sj8srr.live

a4tgoqi1cm8x.live

kse2q7uxyrwp.live

mfwnbxvt9qme.live

x99ahfftf28l.live

9n6bmko47gxe.live

6l96lk6edlyf.live

st5j8zqdrppf.live

dxjeucbj4p0j.live

bnpuxnov7lhr.live

a8bxv8lqe1m0.live

yczi2ujcyyro.live

sbeo0cztn1kh.live

o337yf9fh4bf.live

zoki7ma89z7b.live

x2r9bglz76r7.live

wi1w9yu1vush.live

mtqdvzkai700.live

r6o2sj70m85m.live

ut6qohwra5lm.live

9yi98fh7usy1.live

kkpjp9jzbzba.live

whvffwd7zphw.live

uztmazsno4y5.live

i3iubj73c21c.live

b72o02l2ilc6.live

wom4o4cutfx6.live

fek3qya20lid.live

nhkvd56j82xw.live

midyxlu6b22f.live

vp9c9rziba2a.live

rkffupb7i1gv.live

8u7r35mu2e4g.live

3c2xflq8mztc.live

wswis3sptby1.live

9rib57u1zu3c.live

sv3pldc5gkdl.live

bmdcn5celetq.live

y3mpywhmem7t.live

avwtkc23ffmw.live

nvgirtryox1z.live

3rlfa7w0bz37.live

vy9u47oyzltu.live

ysdwk0l8xass.live

tbt0aqol3sp2.live

xqqoo0a8zk0w.live

nevkq7lku38l.live

5u42wjin0vfz.live

y626kbnryktm.live

5k9b8nmc0x8r.live

i18t3jshekua.live

4hk1bcnxbse0.live

si00bu9fv5he.live

g3in90m5caz2.live

f6s4n6w41oov.live

sgl7og2qswmm.live

vrrbk7ykz8h1.live

zl7bmlfq8n9w.live

qydstwmw2imy.live

y9s73mnvurxr.live

7zggkh833im1.live

cvnsiogvl3kt.live

enf3gev34gis.live

doj6z5i9g803.live

zsm954jr5ek4.live

6z96z4mk84dc.live

e0et68offggh.live

au97foecnlrm.live

3ibjpmls5x46.live

mmmpa1byo300.live

3e60zvd64d8y.live

zt3nnzr70hn0.live
dga_seed
7834006444057268685
domain_length
12
num_dga_domains
300
port
443

rc4.plain

1
NEW_BLACK

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
20	api.ipify.org

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FILE_InstallMeExe.dll
1⤵
PID:3508

Network

DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

45urhm0ldgxb.live

regsvr32.exe

Remote address:

8.8.8.8:53

Request

45urhm0ldgxb.live

IN A

Response

45urhm0ldgxb.live

IN A

149.154.153.2
DNS

api.ipify.org

regsvr32.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN A

104.26.12.205

api.ipify.org

IN A

172.67.74.152

api.ipify.org

IN A

104.26.13.205
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

2.153.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.153.154.149.in-addr.arpa

IN PTR

Response

2.153.154.149.in-addr.arpa

IN PTR

�
GET

https://api.ipify.org/

regsvr32.exe

Remote address:

104.26.12.205:443

Request

GET / HTTP/1.1
User-Agent: IP retriever
Host: api.ipify.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 25 Nov 2024 19:25:52 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8e8406f41f0fb8b4-AMS
server-timing: cfL4;desc="?proto=TCP&rtt=35562&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3278&recv_bytes=392&delivery_rate=104830&cwnd=253&unsent_bytes=0&cid=8d540339c8c97541&ts=380&x=0"
DNS

c.pki.goog

regsvr32.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.200.3
GET

http://c.pki.goog/r/gsr1.crl

regsvr32.exe

Remote address:

142.250.200.3:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 25 Nov 2024 18:38:28 GMT
Expires: Mon, 25 Nov 2024 19:28:28 GMT
Cache-Control: public, max-age=3000
Age: 2844
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

regsvr32.exe

Remote address:

142.250.200.3:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 25 Nov 2024 18:38:35 GMT
Expires: Mon, 25 Nov 2024 19:28:35 GMT
Cache-Control: public, max-age=3000
Age: 2837
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

3.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.200.250.142.in-addr.arpa

IN PTR

Response

3.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f31e100net
DNS

205.12.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.12.26.104.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

104.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.209.201.84.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

149.154.153.2:443

45urhm0ldgxb.live

https

regsvr32.exe

1.2kB
836 B
13
12
104.26.12.205:443

https://api.ipify.org/

tls, http

regsvr32.exe

932 B
4.1kB
12
9

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
142.250.200.3:80

http://c.pki.goog/r/r4.crl

http

regsvr32.exe

602 B
3.9kB
8
6

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
149.154.153.2:443

45urhm0ldgxb.live

https

regsvr32.exe

1.2kB
876 B
13
13
149.154.153.2:443

45urhm0ldgxb.live

https

regsvr32.exe

1.2kB
796 B
12
11
149.154.153.2:443

45urhm0ldgxb.live

https

regsvr32.exe

1.2kB
836 B
12
12

8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

45urhm0ldgxb.live

dns

regsvr32.exe

63 B
79 B
1
1

DNS Request

45urhm0ldgxb.live

DNS Response

149.154.153.2
8.8.8.8:53

api.ipify.org

dns

regsvr32.exe

59 B
107 B
1
1

DNS Request

api.ipify.org

DNS Response

104.26.12.205

172.67.74.152

104.26.13.205
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

2.153.154.149.in-addr.arpa

dns

72 B
86 B
1
1

DNS Request

2.153.154.149.in-addr.arpa
8.8.8.8:53

c.pki.goog

dns

regsvr32.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.200.3
8.8.8.8:53

3.200.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.200.250.142.in-addr.arpa
8.8.8.8:53

205.12.26.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

205.12.26.104.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

104.209.201.84.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

104.209.201.84.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3508-0-0x0000000002990000-0x0000000002A83000-memory.dmp

Filesize
972KB

Download
memory/3508-1-0x00007FFFCC12D000-0x00007FFFCC12E000-memory.dmp

Filesize
4KB

Download
memory/3508-4-0x0000000002CE0000-0x0000000002EFE000-memory.dmp

Filesize
2.1MB

Download
memory/3508-3-0x0000000002CE0000-0x0000000002EFE000-memory.dmp

Filesize
2.1MB

Download
memory/3508-7-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

Filesize
2.0MB

Download
memory/3508-8-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

Filesize
2.0MB

Download
memory/3508-6-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

Filesize
2.0MB

Download
memory/3508-5-0x0000000002CE0000-0x0000000002EFE000-memory.dmp

Filesize
2.1MB

Download
memory/3508-9-0x0000000002CE0000-0x0000000002EFE000-memory.dmp

Filesize
2.1MB

Download
memory/3508-2-0x0000000002CE0000-0x0000000002EFE000-memory.dmp

Filesize
2.1MB

Download
memory/3508-18-0x0000000002990000-0x0000000002A83000-memory.dmp

Filesize
972KB

Download
memory/3508-19-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

Filesize
2.0MB

Download
memory/3508-20-0x00007FFFCC12D000-0x00007FFFCC12E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.