Resubmissions

12-05-2022 21:09

220512-zzeczaabg4 9

10-05-2022 12:16

220510-pfl9csbefm 10

09-05-2022 23:26

220509-3e4nxaedh7 10

General

  • Target

    oblot.dll

  • Size

    1.3MB

  • Sample

    220509-3e4nxaedh7

  • MD5

    38ea4397f1c9dfe79e9accaebe7487ec

  • SHA1

    24614b49e47bbdc30263cc86cea8aceb2781f1ed

  • SHA256

    281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8

  • SHA512

    3b8d8deb404a52cb43306c8b3275f61efd8092202cf5ac5d86c342664b1673080abb3689f77b5bcc94b88ca10f238eb2dba67161619588e443ca6e04e261399b

Malware Config

Extracted

Family

bumblebee

Botnet

0905r

C2

23.227.203.120:443

51.83.253.244:443

23.227.198.195:443

146.70.106.92:443

rc4.plain

Targets

    • Target

      oblot.dll

    • Size

      1.3MB

    • MD5

      38ea4397f1c9dfe79e9accaebe7487ec

    • SHA1

      24614b49e47bbdc30263cc86cea8aceb2781f1ed

    • SHA256

      281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8

    • SHA512

      3b8d8deb404a52cb43306c8b3275f61efd8092202cf5ac5d86c342664b1673080abb3689f77b5bcc94b88ca10f238eb2dba67161619588e443ca6e04e261399b

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

4
T1497

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

4
T1497

System Information Discovery

1
T1082

Tasks