Resubmissions
12-05-2022 21:08
220512-zzbl3sabg3 1010-05-2022 12:31
220510-pp1hcabehk 1004-05-2022 21:07
220504-zynv1shdfj 10Analysis
-
max time kernel
141s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-05-2022 21:08
General
-
Target
15.dll
-
Size
3.7MB
-
MD5
8c85cc84e654fa7d4222e8c68dff334f
-
SHA1
9d8a1d0e1854d2f39e012b39df4651cb11663ca4
-
SHA256
897bf7aaeee44df44e04fb6b0a276d0be76298569252fe157a39d6071a17631c
-
SHA512
d0e57b9617c9decab2542b4eec79da7191c4e381d4915b2ce5aa6ab71f1e7b7b8597869563a9219ca1b6fe177e50e392e2d44cf835f9f012d5b129b736f18d7e
Score
10/10
Malware Config
Extracted
Family
bumblebee
Botnet
mc405
C2
23.82.128.149:443
108.62.12.203:443
rc4.plain
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\15.dll,#11⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
-
Filesize
64KB