bumblebee

General

Target

oFWkRTFwjm.zip
Size

1.9MB
Sample

220603-1hbq7adhf4
MD5

972038d369ec6f134fc9b6c617adc328
SHA1

0b74896a84f8e22645d8518135836ea22ae98cde
SHA256

d184c7fac35e68924cf520d33fabc0703198756e096592dd31eec6101b5551e5
SHA512

6ffeefd8c13785500a546e114cd766c8a2b804723511e2bb5ebeca1c5bfe44349b8c91695ac97bcf2da2d77c01530247f771655b132c649fdd9e00e710b4d8af

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

106r

C2

144.19.20.11:443

150.27.81.2:443

46.21.153.145:443

109.45.29.202:443

6.30.139.246:443

236.110.58.103:443

36.110.58.103:443

149.255.35.134:443

9.63.15.101:443

45.147.229.50:443

184.23.74.168:443

139.24.56.111:443

243.45.135.100:443

21.246.85.34:443

79.44.167.23:443

30.17.4.146:443

56.134.87.45:443

16.46.4.333:443

224.145.6.33:443

rc4.plain

Targets

- Target
  
  oFWkRTFwjm.zip
- Size
  
  1.9MB
- MD5
  
  972038d369ec6f134fc9b6c617adc328
- SHA1
  
  0b74896a84f8e22645d8518135836ea22ae98cde
- SHA256
  
  d184c7fac35e68924cf520d33fabc0703198756e096592dd31eec6101b5551e5
- SHA512
  
  6ffeefd8c13785500a546e114cd766c8a2b804723511e2bb5ebeca1c5bfe44349b8c91695ac97bcf2da2d77c01530247f771655b132c649fdd9e00e710b4d8af
Score

10^/10

bumblebee 106r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
behavioral1
- Target
  
  documents.lnk
- Size
  
  1KB
- MD5
  
  dcfc03467dc198612184a307837073d0
- SHA1
  
  1fc2d8047e27d14e91c1061a07cc77fd8404747b
- SHA256
  
  23e0f3debe5e378bd4ca50ee5243ec67f979ab66507b8ca97310c94706901c4a
- SHA512
  
  97ba6aab3917be2da603cc7c9fd629dea478c13b7947400d2bf9bba6676e41b04b5588dc61ee9d39a2121d427bf2a602117fbec0d7071109be69333afbea1afa
Score

10^/10

bumblebee 106r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral2
- Target
  
  lipes.dll
- Size
  
  1.5MB
- MD5
  
  9ef37bfa9f7e30500ad9edf136ee59d1
- SHA1
  
  7b31d4ec43c65666f2e08bb73ec7877cf74d34a0
- SHA256
  
  a1040e1d6b43eda731179d139f76949afb962b8cb28c55f4097cf5a5c6c445c1
- SHA512
  
  1a52c2bb2775476a14220f79483582b5b09a310fcc5b017df8482ad3e5a0fb6438e28ae23da4cc76e6f05972ccec0d077065dcbd8d8d219d5897250ce38393bd
Score

10^/10

bumblebee 106r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3