bumblebee | 897bf7aaeee44df44e04fb6b0a276d0be76298569252fe157a39d6071a17631c

Resubmissions

12-05-2022 21:08

220512-zzbl3sabg3 10

10-05-2022 12:31

220510-pp1hcabehk 10

04-05-2022 21:07

220504-zynv1shdfj 10

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-05-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15.dll
Size

3.7MB
MD5

8c85cc84e654fa7d4222e8c68dff334f
SHA1

9d8a1d0e1854d2f39e012b39df4651cb11663ca4
SHA256

897bf7aaeee44df44e04fb6b0a276d0be76298569252fe157a39d6071a17631c
SHA512

d0e57b9617c9decab2542b4eec79da7191c4e381d4915b2ce5aa6ab71f1e7b7b8597869563a9219ca1b6fe177e50e392e2d44cf835f9f012d5b129b736f18d7e

Score

10^/10

bumblebee evasion trojan

Malware Config

Extracted

Family

bumblebee

23.82.128.149:443

108.62.12.203:443

Attributes

group_id
mc405
BLACK

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee
Enumerates VirtualBox registry keys 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Wine rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Wine	rundll32.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

rundll32.exe

pid	process
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15.dll,#1
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:976

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-54-0x0000000001E70000-0x00000000020BB000-memory.dmp

Filesize
2.3MB

Download