bumblebee | 33203446cd754cf91dddebec42fa3340e24d232f6e5792448c9c30b1c852fb1d

Analysis

max time kernel
36s
max time network
40s
platform
windows7_x64
resource
win7-20220414-en
submitted
05-05-2022 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

413915.dll
Size

3.6MB
MD5

6909250134a5290f9a0223878b914760
SHA1

53dad515d7de0adc185682a47a60e63fcdf0fc4b
SHA256

33203446cd754cf91dddebec42fa3340e24d232f6e5792448c9c30b1c852fb1d
SHA512

437576ae6345a09893d6430eff2fa024244cea7032db5a5ad8e2a56c59a1a37c1e28d1b3b3b4a26979ed6122fc5c303821f94956f328931ccd9f16726e3a8aa2

Score

10^/10

bumblebee evasion trojan

Malware Config

Extracted

Family

bumblebee

23.82.128.149:443

108.62.12.203:443

Attributes

group_id
mc405
BLACK

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee
Enumerates VirtualBox registry keys 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Wine rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Wine	rundll32.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

rundll32.exe

pid	process
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe
1000	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\413915.dll,#1
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1000

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-54-0x0000000001CB0000-0x0000000001EFB000-memory.dmp

Filesize
2.3MB

Download