bumblebee | b2bd3a7284b4dddb7412a5a929836200d9ec742af0d1af79de3ad164aceadf1a

General

Target

CZPgtmlLgThm.dll
Size

3.2MB
MD5

e102f51b67a248436f9729e410100a13
SHA1

d34e81135fd45258982d56ce66fcb0661daff9de
SHA256

b2bd3a7284b4dddb7412a5a929836200d9ec742af0d1af79de3ad164aceadf1a
SHA512

4ce752d04bbdca4b9f6af961ee473d37b84d9a845dd01afb959a6bd03842858939b0dbb55db859a500362d61a0ac177846911cbcf5de534fadbecedaabc5910a
SSDEEP

49152:6vMLhOv7qLYgOQkv2ldCcCgPqIo9xlf8ZirVq42tmAMK7+slR0+RNW8d:6v+0Yj/7VniJDfQiQVtD68tRNhd

Score

10^/10

bumblebee 9090 discovery loader

Malware Config

Extracted

Family

bumblebee

Botnet

9090

Attributes

dga
nvg55tpgvn.click

ulbun31qmv.click

7oc6be5fmy.click

bm76b9296k.click

h7xupkk0d3.click

fi7anseaj7.click

0u4bcayb8u.click

1cckgd13z5.click

562z75s3bp.click

1smmlbbiqr.click

cc5fi2q6ca.click

xisdha07tt.click

rvi6iv6l5v.click

kddpj0gryr.click

jmpxjjqhe8.click

ui1b0rvu0k.click

kqiqovthoj.click

zbldvupsdc.click

qdhqoj9s20.click

g841i9ksgn.click

uu4cx79e90.click

m9a2qfmqay.click

kc8svtokry.click

st9rdv9xai.click

i4965hr9jc.click

wkxfgjwonu.click

53y5nwsc6j.click

7ou7og586r.click

r5wrzrk1bi.click

am7gd0loc1.click

a2cey1j0xl.click

il1nlb7tn0.click

d7x2whgood.click

b5sqn635n9.click

nox7lvewcl.click

5buum8t9vl.click

fb25x2ju7i.click

ral9rhuaxy.click

mt9ycu98jr.click

8vndou1xlz.click

ul6105p00e.click

9hqid2tzng.click

lxw6duivu7.click

0dhalnnwr5.click

p6xuzncl71.click

lwpk3miw9n.click

t792ufhvll.click

o0fivl26q7.click

hmh20ykvlf.click

ixu6xial6v.click

dv14q2l82c.click

wz4pnl68jg.click

6709v1hcy1.click

x0822sepnx.click

ft8qxfxurc.click

64ud5xnryz.click

gflgt8sbzn.click

27c28lnp3v.click

g2to6sz5pi.click

i76uhrb930.click

h3p2sxyyk8.click

g90uubdr4p.click

nmgyqyrb8b.click

a53faphpe4.click

2wqfxxycnk.click

xa7wlz3r5y.click

27v2bofhl4.click

uc38lfln1t.click

akk5t6frjq.click

kiuxl1yijx.click

689c3d8ylq.click

3j6smer0tm.click

b8w2qcig4n.click

85ciukct31.click

b4j8gnyy3a.click

roc72ievev.click

3sehf3t4x5.click

hztr0qlwke.click

vig3u2t4fm.click

ehca1iots2.click

b4c6xa0j4f.click

y65z9jsgrh.click

a9ph8qf8d6.click

lp09sfynbd.click

62dp72sdft.click

7y2yvpkuff.click

y3hhmeydtr.click

kh2e843low.click

bao2cdlwd0.click

ufbt7kts4x.click

dls5ae3bfp.click

cbwsfxcdei.click

56azbsx5nm.click

rjafv9rkqq.click

cjbdm0nhub.click

xt58p1nya3.click

6y3igtg9t6.click

4q3m78acq6.click

rjj19c1jpn.click

nepygxz419.click
dga_seed
-5372979216912523469
domain_length
10
num_dga_domains
300
port
443
tld
.click

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	api.ipify.org
59	api.ipify.org

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1968	MicrosoftEdgeUpdate.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CZPgtmlLgThm.dll
1⤵
PID:440

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEVEMDY3MTctQURFRS00OTlDLTk0OUMtRUMzOThGMUY4NTM1fSIgdXNlcmlkPSJ7MTA5MTY2RTEtOEY4QS00MTMxLUE2MUMtNkQyM0YwMDc3M0U1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MUU1REU3REMtRTNBQy00NzRFLUI4QTItNTlCQkREMTQyNjE3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTM1OTE2NjQxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/440-4-0x00007FFDEB04D000-0x00007FFDEB04E000-memory.dmp

Filesize
4KB

Download
memory/440-6-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/440-3-0x00000000023C0000-0x00000000025EB000-memory.dmp

Filesize
2.2MB

Download
memory/440-8-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/440-7-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/440-1-0x00000000025F0000-0x0000000002809000-memory.dmp

Filesize
2.1MB

Download
memory/440-9-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/440-2-0x00000000025F0000-0x0000000002809000-memory.dmp

Filesize
2.1MB

Download
memory/440-10-0x00000000025F0000-0x0000000002809000-memory.dmp

Filesize
2.1MB

Download
memory/440-0-0x00000000025F0000-0x0000000002809000-memory.dmp

Filesize
2.1MB

Download
memory/440-5-0x00000000025F0000-0x0000000002809000-memory.dmp

Filesize
2.1MB

Download
memory/440-11-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/440-12-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/440-13-0x00000000023C0000-0x00000000025EB000-memory.dmp

Filesize
2.2MB

Download
memory/440-14-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/440-15-0x00007FFDEB04D000-0x00007FFDEB04E000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing