Resubmissions
12-05-2022 21:09
220512-zzeczaabg4 910-05-2022 12:16
220510-pfl9csbefm 1009-05-2022 23:26
220509-3e4nxaedh7 10Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
09-05-2022 23:26
General
-
Target
oblot.dll
-
Size
1.3MB
-
MD5
38ea4397f1c9dfe79e9accaebe7487ec
-
SHA1
24614b49e47bbdc30263cc86cea8aceb2781f1ed
-
SHA256
281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8
-
SHA512
3b8d8deb404a52cb43306c8b3275f61efd8092202cf5ac5d86c342664b1673080abb3689f77b5bcc94b88ca10f238eb2dba67161619588e443ca6e04e261399b
Score
10/10
Malware Config
Extracted
Family
bumblebee
Botnet
0905r
C2
23.227.203.120:443
51.83.253.244:443
23.227.198.195:443
146.70.106.92:443
rc4.plain
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\oblot.dll,#11⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
804KB
-
Filesize
16KB