General

  • Target

    ramest.dll

  • Size

    1.3MB

  • Sample

    220509-ygys8agghn

  • MD5

    485b65ea3f28d1cd17cd4339662e048a

  • SHA1

    13da23476ed7c8211fa49380176eabb17c1a9408

  • SHA256

    4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe

  • SHA512

    5a7ec093b452a26755b5a64b5606a9ae05710199a23d63cdde571d5c00a80efd8646d35c5775a8234f155ee011ef8c3a12a3c64669525d6397f200d5fef961f0

Malware Config

Extracted

Family

bumblebee

Botnet

0905r

C2

23.227.203.120:443

51.83.253.244:443

23.227.198.195:443

146.70.106.92:443

rc4.plain

Targets

    • Target

      ramest.dll


    • BumbleBee

      BumbleBee is webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 4

Discovery

  • Query Registry (T1012): 5

  • Virtualization/Sandbox Evasion (T1497): 4

  • System Information Discovery (T1082): 1