bumblebee | 4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-05-2022 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ramest.dll
Size

1.3MB
MD5

485b65ea3f28d1cd17cd4339662e048a
SHA1

13da23476ed7c8211fa49380176eabb17c1a9408
SHA256

4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe
SHA512

5a7ec093b452a26755b5a64b5606a9ae05710199a23d63cdde571d5c00a80efd8646d35c5775a8234f155ee011ef8c3a12a3c64669525d6397f200d5fef961f0

Score

10^/10

bumblebee 0905r evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0905r

23.227.203.120:443

51.83.253.244:443

23.227.198.195:443

146.70.106.92:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee
Enumerates VirtualBox registry keys 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Wine rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Wine	rundll32.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

rundll32.exe

pid	process
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ramest.dll,#1
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1592-54-0x0000000001D30000-0x0000000001DF9000-memory.dmp

Filesize
804KB

Download