bumblebee | 4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe | Triage

Sharing

General

Target

ramest.dll
Size

1.3MB
Sample

220509-ygys8agghn
MD5

485b65ea3f28d1cd17cd4339662e048a
SHA1

13da23476ed7c8211fa49380176eabb17c1a9408
SHA256

4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe
SHA512

5a7ec093b452a26755b5a64b5606a9ae05710199a23d63cdde571d5c00a80efd8646d35c5775a8234f155ee011ef8c3a12a3c64669525d6397f200d5fef961f0

Score

10^/10

bumblebee 0905r evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0905r

C2

23.227.203.120:443

51.83.253.244:443

23.227.198.195:443

146.70.106.92:443

rc4.plain

Targets

- Target
  
  ramest.dll
- Size
  
  1.3MB
- MD5
  
  485b65ea3f28d1cd17cd4339662e048a
- SHA1
  
  13da23476ed7c8211fa49380176eabb17c1a9408
- SHA256
  
  4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe
- SHA512
  
  5a7ec093b452a26755b5a64b5606a9ae05710199a23d63cdde571d5c00a80efd8646d35c5775a8234f155ee011ef8c3a12a3c64669525d6397f200d5fef961f0
Score

10^/10

bumblebee 0905r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee0905revasiontrojan

behavioral2