2022-11-17 - BUMBLEBEE INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
REFERENCE:
NOTES:
- After the referenced tweet was submitted, I let my Bumblebee-infected host run overnight, and it changed its C2 IP address at approximately 03:46 UTC (details below).
ASSOCIATED FILES:
- 2022-11-17-Bumblebee-IOCs.txt.zip 1.4 kB (1,386 bytes)
- 2022-11-17-Bumblebee-infection-traffic.pcap.zip 3.3 MB (3,344,658 bytes)
- 2022-11-17-Bumblebee-malware.zip 2.4 MB (2,354,602 bytes)
IMAGES
Shown above: Traffic from the infection filtered in Wireshark.
2022-11-17 (THURSDAY): BUMBLEBEE MALWARE INFECTION

NOTES:
- Sample shared by @k3dg3 on Malware Bazaar at:
-- https://bazaar.abuse.ch/sample/151f7c9217daae41679f4d9a701d0c990259683e65260785ebc810274f544235/
- Sample identified for Bumblebee botnet group_name 1711
- Sample originated from unspecified Smash URL (de-fanged example: hxxps://fromsmash[.]com/KpzZ99iifn-et)
- This activity identified by @k3dg3 as Proofpoint-designated threat actor TA580

INITIAL ZIP ARCHIVE AND EXTRACTED DISK IMAGE:
- SHA256 hash: 151f7c9217daae41679f4d9a701d0c990259683e65260785ebc810274f544235
- File size: 778,176 bytes
- File name: project details.zip
- File description: password-protected zip archive
- Password: Nv2022

- SHA256 hash: 2402f2f88f8fda10916c9cea40aa89916eba960263d5f17524d83fb9af569f31
- File size: 2,228,224 bytes
- File name: details.img
- File description: Disk image extracted from the above zip archive

CONTENTS OF THE DISK IMAGE:
- SHA256 hash: 91dd90e5cfd696089fce2e79f4caacd691fd6488ca2ff821bb1b740805826b94
- File size: 995 bytes
- File name: project details.lnk
- File description: Windows shortcut, the only visible file in the ISO (everything else is hidden)

- SHA256 hash: 7738c3502abeefb6d032cc88768c4d6370bc1fd250b2c9575646de56c463d721
- File size: 965 bytes
- File name: DyNNDCUAhTtInE.bat
- File description: Run by the above shortcut, this batch file executes the Bumblebee DLL below

- SHA256 hash: 10acbfaf8c4cb43320e5bf75c817ddc57cb21ae74a59b40dfbee8da924027d06
- File size: 994,816 bytes
- File name: aBZbMXVgKCtmcQ.dll
- File description: 64-bit DLL for Bumblebee
- Run method: rundll32.exe [filename],CheckSetting

BUMBLEBEE C2 TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 193.200.16[.]175 port 443 - HTTPS traffic
- 64.44.97[.]58 port 443 - HTTPS traffic

SELF-SIGNED CERTIFICATE ISSUER DATA FROM BOTH BUMBLEBEE C2 SERVERS:
- id-at-countryName=AU
- id-at-stateOrProvinceName=Some-State
- id-at-organizationName=Internet Widgits Pty Ltd

BUMBLEBEE C2 SERVER SELF-SIGNED CERTIFICATE VALIDITY FOR 193.200.16[.]175:
- Not before: Thursday, 2022-11-17 11:23:52 GMT
- Not after: Friday, 2023-11-17 11:23:52 GMT

BUMBLEBEE C2 SERVER SELF-SIGNED CERTIFICATE VALIDITY FOR 64.44.97[.]58:
- Not before: Thursday, 2022-11-17 11:25:22 GMT
- Not after: Friday, 2023-11-17 11:25:22 GMT
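The issuer data on both C2 certificates above is exactly what OpenSSL fills in by default, and each certificate was cut for one year only hours before the infected host first contacted it. The script below is an added example (not part of these notes or any Bumblebee tooling) that turns those three traits into a detection heuristic over certificate records of the kind a TLS log or Wireshark export gives you. It assumes subject equals issuer on the self-signed certificates, and the first_seen timestamps are constructed (the 03:46 UTC switchover from the notes is taken to be the following day).

```python
from datetime import datetime, timedelta, timezone

# OpenSSL's built-in defaults for an interactive `openssl req`; the issuer data
# on both Bumblebee C2 certificates in this infection matches them exactly.
OPENSSL_DEFAULT_DN = {
    "countryName": "AU",
    "stateOrProvinceName": "Some-State",
    "organizationName": "Internet Widgits Pty Ltd",
}

def parse_gmt(ts):
    """Parse the 'YYYY-MM-DD HH:MM:SS GMT' form used in the notes above."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)

def cert_findings(rec):
    """Return the heuristic findings that fire for one observed server certificate."""
    findings = []
    nb, na, seen = parse_gmt(rec["not_before"]), parse_gmt(rec["not_after"]), parse_gmt(rec["first_seen"])
    if rec["issuer"] == rec["subject"]:
        findings.append("self-signed")
    if rec["issuer"] == OPENSSL_DEFAULT_DN:
        findings.append("openssl-default-dn")
    if 365 <= (na - nb).days <= 366:  # validity cut for exactly one year
        findings.append("one-year-validity")
    if timedelta(0) <= seen - nb <= timedelta(hours=24):  # minted just before first contact
        findings.append("freshly-issued")
    return findings

def is_suspicious(rec):
    """Alert only when self-signed, OpenSSL-default DN and fresh issuance all coincide."""
    return {"self-signed", "openssl-default-dn", "freshly-issued"} <= set(cert_findings(rec))

# Constructed records: the two C2 certs from the notes (subject assumed == issuer)
# plus a benign CA-issued cert in use for months, as a control. first_seen is assumed.
SAMPLE_CERTS = {
    "193.200.16[.]175": {"issuer": dict(OPENSSL_DEFAULT_DN), "subject": dict(OPENSSL_DEFAULT_DN),
        "not_before": "2022-11-17 11:23:52 GMT", "not_after": "2023-11-17 11:23:52 GMT",
        "first_seen": "2022-11-17 15:00:00 GMT"},
    "64.44.97[.]58": {"issuer": dict(OPENSSL_DEFAULT_DN), "subject": dict(OPENSSL_DEFAULT_DN),
        "not_before": "2022-11-17 11:25:22 GMT", "not_after": "2023-11-17 11:25:22 GMT",
        "first_seen": "2022-11-18 03:46:00 GMT"},
    "example-benign": {"issuer": {"countryName": "US", "organizationName": "Example CA"},
        "subject": {"countryName": "US", "organizationName": "Example Corp"},
        "not_before": "2022-06-01 00:00:00 GMT", "not_after": "2023-06-01 00:00:00 GMT",
        "first_seen": "2022-11-17 15:00:00 GMT"},
}

def scan(records=SAMPLE_CERTS):
    """Map each server to its findings; a pipeline would alert where is_suspicious() is true."""
    return {server: cert_findings(rec) for server, rec in records.items()}
```

Both C2 servers trip all four findings, while the control cert only trips the one-year check, which is why the alert condition requires the three traits together rather than any one of them.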