General

  • Target: 05122024_0043_Cisco_AnyConnect.msi
  • Size: 2.9MB
  • Sample: 241205-a3fb1avpgn
  • MD5: 21e39841c3574266b0cb39359074f999
  • SHA1: 197486f5a7de2b1e1f2aca531a6d77e16dc17088
  • SHA256: 5768a1fa69dfa1c36c5e196d070eda5a257a4e1ba91440ef773af04f88771535
  • SHA512: 1f733986c6d487a89e8cd7dcd1bd322fbbc043d0efe1fc23c64163abff2902c8b95e6a64b0e8e4c4ef0fcdfeab0d7ef8b2463fe880d4863d3b11767d56feed9d
  • SSDEEP: 49152:qrlhl7mcb+E7nFv32LF/tWB+F3SP16gOl7gRVBTYoxtYyz2P5RUpeSsK9UQoKJ0v:q2xEsJ/tZmOl81TYogO2MpFsm0T7

Malware Config

Extracted

  • Family: bumblebee
  • Botnet: 1

Attributes
  • dga
  • dga_seed: 7834006444057268685
  • domain_length: 12
  • num_dga_domains: 300
  • port: 443

rc4.plain

Targets

    • Target: b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi
    • Size: 4.7MB
    • MD5: e63911bf851f892bab6d3933349a987e
    • SHA1: c3f5bd1aca61bd086f1aea3e4b86419a836888ce
    • SHA256: b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8
    • SHA512: f00874b37580152bbb563b29763212de0452e8117f54e4199150cb8cebf3f4d8d1c31ed28d896b7b0cbb63c17e8847019ed76b53f7c0ae07021527705e1af17c
    • SSDEEP: 49152:37Vh102T9dhkuqES58NtvUoBV0Sccd2b5+pnQ2fP1r8+/J4OV7AEqj7D4Uv6ZCOX:37VTVkufFN0ScaruSmHR9vaXZTUa3vg

    • BumbleBee
      BumbleBee is a loader malware written in C++.
    • Bumblebee family
    • Blocklisted process makes network request
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.

MITRE ATT&CK Enterprise v15

Tasks