Overview

overview

10

Static

static

oFWkRTFwjm.zip

windows10-2004_x64

10

documents.lnk

windows10-2004_x64

10

lipes.dll

windows10-2004_x64

10

Resubmissions

10-10-2022 17:13

221010-vrjkhacggj 10

03-06-2022 21:56

220603-1tra1seah3 1

03-06-2022 21:55

220603-1swt4sabgp 1

03-06-2022 21:38

220603-1hbq7adhf4 10

03-06-2022 21:28

220603-1brttsdha7 10

Analysis

  • max time kernel
    491s
  • max time network
    493s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-06-2022 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oFWkRTFwjm.zip

  • Size

    1.9MB

  • MD5

    972038d369ec6f134fc9b6c617adc328

  • SHA1

    0b74896a84f8e22645d8518135836ea22ae98cde

  • SHA256

    d184c7fac35e68924cf520d33fabc0703198756e096592dd31eec6101b5551e5

  • SHA512

    6ffeefd8c13785500a546e114cd766c8a2b804723511e2bb5ebeca1c5bfe44349b8c91695ac97bcf2da2d77c01530247f771655b132c649fdd9e00e710b4d8af

Score
10/10
bumblebee106revasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

106r

C2

144.19.20.11:443

150.27.81.2:443

46.21.153.145:443

109.45.29.202:443

6.30.139.246:443

236.110.58.103:443

36.110.58.103:443

149.255.35.134:443

9.63.15.101:443

45.147.229.50:443

184.23.74.168:443

139.24.56.111:443

243.45.135.100:443

21.246.85.34:443

79.44.167.23:443

30.17.4.146:443

56.134.87.45:443

16.46.4.333:443

224.145.6.33:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\oFWkRTFwjm.zip
    1⤵
      PID:4780
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5116
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\oFWkRTFwjm\" -spe -an -ai#7zMap30480:100:7zEvent10485
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4584
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" lipes.dll,oFWkRTFwjm
        1⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Looks for VirtualBox Guest Additions in registry
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:440

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\oFWkRTFwjm\lipes.dll
        Filesize

        1.5MB

        MD5

        9ef37bfa9f7e30500ad9edf136ee59d1

        SHA1

        7b31d4ec43c65666f2e08bb73ec7877cf74d34a0

        SHA256

        a1040e1d6b43eda731179d139f76949afb962b8cb28c55f4097cf5a5c6c445c1

        SHA512

        1a52c2bb2775476a14220f79483582b5b09a310fcc5b017df8482ad3e5a0fb6438e28ae23da4cc76e6f05972ccec0d077065dcbd8d8d219d5897250ce38393bd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\oFWkRTFwjm\lipes.dll
        Filesize

        1.5MB

        MD5

        9ef37bfa9f7e30500ad9edf136ee59d1

        SHA1

        7b31d4ec43c65666f2e08bb73ec7877cf74d34a0

        SHA256

        a1040e1d6b43eda731179d139f76949afb962b8cb28c55f4097cf5a5c6c445c1

        SHA512

        1a52c2bb2775476a14220f79483582b5b09a310fcc5b017df8482ad3e5a0fb6438e28ae23da4cc76e6f05972ccec0d077065dcbd8d8d219d5897250ce38393bd

        Download Submit

      • memory/440-132-0x000001C6062C0000-0x000001C6063D7000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/440-133-0x00007FF87B200000-0x00007FF87B210000-memory.dmp

        Filesize

        64KB

        Download