Resubmissions
12-05-2022 21:08
220512-zzbl3sabg3 1010-05-2022 12:31
220510-pp1hcabehk 1004-05-2022 21:07
220504-zynv1shdfj 10Analysis
-
max time kernel
141s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-05-2022 21:08
Static task
static1
Behavioral task
behavioral1
Sample
15.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
15.dll
-
Size
3.7MB
-
MD5
8c85cc84e654fa7d4222e8c68dff334f
-
SHA1
9d8a1d0e1854d2f39e012b39df4651cb11663ca4
-
SHA256
897bf7aaeee44df44e04fb6b0a276d0be76298569252fe157a39d6071a17631c
-
SHA512
d0e57b9617c9decab2542b4eec79da7191c4e381d4915b2ce5aa6ab71f1e7b7b8597869563a9219ca1b6fe177e50e392e2d44cf835f9f012d5b129b736f18d7e
Malware Config
Extracted
Family
bumblebee
Botnet
mc405
C2
23.82.128.149:443
108.62.12.203:443
rc4.plain
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Wine rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe 4176 rundll32.exe