bumblebee | d4a1f8bfa09c151163399befc009d4d1e39b2c8adaff3489d9bd31965fc56910[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

d4a1f8bfa09c151163399befc009d4d1e39b2c8adaff3489d9bd31965fc56910.zip
Size

612KB
MD5

025c9de4d61f8c8d8184c2a273704857
SHA1

c8ed068f1a79ca4143a0ffb1e7721380a0c48f97
SHA256

d1ed15a69c112b048936201fe8e816828346168cf02838086d89843a4041b94b
SHA512

e6181f501cbc5acf05274ac47dd7be6aae6c18805438de967f35a30ece042680aef9005b97f6b30d1fa30eb737b0958a6ca6fbcb4450604babb9c0b4e146926b
SSDEEP

12288:uOxu4a8Vx+nsHER1jJ1P3Gx0i1wYNjj9BUPeactCY:uOwcx4sM1jJ1PWxTBdj9AU

Score

10^/10

mc1905 bumblebee

Malware Config

Extracted

Family

bumblebee

Botnet

mc1905

92.119.178.40:443

32.54.188.44:443

194.135.33.160:443

192.198.82.59:443

103.175.16.151:443

rc4.plain

Signatures

Bumblebee family
bumblebee

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/d4a1f8bfa09c151163399befc009d4d1e39b2c8adaff3489d9bd31965fc56910

Files

d4a1f8bfa09c151163399befc009d4d1e39b2c8adaff3489d9bd31965fc56910.zip
.zip

Password: infected
d4a1f8bfa09c151163399befc009d4d1e39b2c8adaff3489d9bd31965fc56910
.dll windows:6 windows x64 arch:x64

2fe2e7082a95cdfb4a2c89d515c31d6e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

crypt32

CertVerifyCertificateChainPolicy
CertCreateCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext

secur32

InitSecurityInterfaceA

shlwapi

PathCombineW
StrStrIW
PathRemoveExtensionW
PathFindFileNameW
PathFileExistsW
StrCmpIW

kernel32

Process32NextW
Process32FirstW
CloseHandle
OpenProcess
GetFileAttributesA
GetCurrentProcess
ResumeThread
CreateEventW
SetEvent
GetThreadContext
GetProcAddress
GetModuleHandleW
SetThreadContext
SetWaitableTimer
TlsSetValue
SetLastError
EnterCriticalSection
CreateWaitableTimerW
WaitForMultipleObjects
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetQueuedCompletionStatus
PostQueuedCompletionStatus
FormatMessageW
GetLastError
TerminateThread
TlsAlloc
QueueUserAPC
LocalFree
DeleteCriticalSection
VerSetConditionMask
WideCharToMultiByte
SleepEx
VerifyVersionInfoW
TlsGetValue
TlsFree
FormatMessageA
CreateIoCompletionPort
AreFileApisANSI
ReadFile
SetHandleInformation
CreateNamedPipeA
WriteFile
TerminateProcess
GetCurrentThreadId
GetSystemDirectoryW
MultiByteToWideChar
CreateFileA
GetEnvironmentStrings
CreateProcessA
FreeEnvironmentStringsA
GetExitCodeProcess
LoadLibraryW
Sleep
Thread32Next
Thread32First
GetModuleHandleA
LoadLibraryA
VirtualProtectEx
OpenThread
HeapFree
VirtualAlloc
lstrlenA
CreateFileW
CreateToolhelp32Snapshot
HeapAlloc
GetFileSize
GetProcessHeap
GetModuleFileNameA
GetModuleFileNameW
SetFilePointer
lstrcmpA
VirtualProtect
VirtualFree
Wow64DisableWow64FsRedirection
ExpandEnvironmentStringsW
Wow64RevertWow64FsRedirection
GetWindowsDirectoryW
GetCurrentDirectoryW
GlobalMemoryStatusEx
GetTickCount
GetFileAttributesW
GetStdHandle
WriteConsoleW
SetStdHandle
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
WaitForSingleObject
GetCurrentProcessId
CopyFileA
lstrcatA
GetTempFileNameW
CopyFileW
DeleteFileW
FindClose
GetTempPathW
FindNextFileW
FindFirstFileW
ReadConsoleW
HeapSize
SetEndOfFile
GetCommandLineA
FindNextFileA
FindFirstFileExA
GetTimeZoneInformation
GetOEMCP
IsValidCodePage
SetFilePointerEx
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
ExitProcess
GetACP
GetModuleHandleExW
ExitThread
RtlUnwindEx
HeapReAlloc
CreateTimerQueue
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
ReleaseSemaphore
DuplicateHandle
GetVersionExW
LoadLibraryExW
FreeLibraryAndExitThread
FreeLibrary
GetThreadTimes
GetCurrentThread
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
GetThreadPriority
SetThreadPriority
CreateThread
SwitchToThread
SignalObjectAndWait
InitializeSListHead
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WaitForSingleObjectEx
ResetEvent
GetCPInfo
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
RtlPcToFileHeader
EncodePointer
DecodePointer
RaiseException
QueryPerformanceCounter
QueryPerformanceFrequency
TryEnterCriticalSection
GetSystemTimeAsFileTime

user32

FindWindowW
GetCursorPos

advapi32

RegQueryValueExW
GetUserNameW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
EnumServicesStatusExW
OpenSCManagerW
LookupPrivilegeValueW
CloseServiceHandle

shell32

SHGetKnownFolderPath
SHGetSpecialFolderPathA
SHGetSpecialFolderPathW

ole32

CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoUninitialize
CoTaskMemFree
CoSetProxyBlanket

oleaut32

SafeArrayGetUBound
VariantClear
SysAllocString
SysFreeString
VariantInit
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElement
SafeArrayGetLBound

mpr

WNetGetProviderNameW

iphlpapi

GetAdaptersInfo

wtsapi32

WTSEnumerateProcessesA
WTSFreeMemory

ws2_32

WSAStartup
connect
getsockopt
getaddrinfo
WSASocketW
WSARecv
WSAGetLastError
WSASetLastError
shutdown
setsockopt
ioctlsocket
freeaddrinfo
WSACleanup
closesocket
WSASend
select

rpcrt4

RpcServerListen
RpcMgmtStopServerListening
RpcServerUnregisterIf
RpcBindingFree
NdrServerCall2
RpcServerUseProtseqEpA
RpcServerRegisterIfEx

Exports

Exports

dataCheck
setPath

Sections

.text
Size: 879KB - Virtual size: 878KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 344KB - Virtual size: 343KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 83KB - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

2fe2e7082a95cdfb4a2c89d515c31d6e

Headers

DLL Characteristics

File Characteristics

Imports

crypt32

secur32

shlwapi

kernel32

user32

advapi32

shell32

ole32

oleaut32

mpr

iphlpapi

wtsapi32

ws2_32

rpcrt4

Exports

Exports

Sections

.text Size: 879KB - Virtual size: 878KB

.rdata Size: 344KB - Virtual size: 343KB

.data Size: 83KB - Virtual size: 111KB

.pdata Size: 46KB - Virtual size: 46KB

.gfids Size: 4KB - Virtual size: 4KB

.tls Size: 5KB - Virtual size: 5KB

.reloc Size: 7KB - Virtual size: 7KB

.text
Size: 879KB - Virtual size: 878KB

.rdata
Size: 344KB - Virtual size: 343KB

.data
Size: 83KB - Virtual size: 111KB

.pdata
Size: 46KB - Virtual size: 46KB

.gfids
Size: 4KB - Virtual size: 4KB

.tls
Size: 5KB - Virtual size: 5KB

.reloc
Size: 7KB - Virtual size: 7KB