General

  • Target

    220406-cztfkacaen_pw_infected.zip

  • Size

    1.7MB

  • Sample

    220611-n86m2aadd6

  • MD5

    44491cd987b5029c7b0ada02d065d360

  • SHA1

    2b5ea97727c0c967ce08b32c9d6cb133f02bed01

  • SHA256

    f672a1ac7998ea53bf8bc231ec9ec498234004a22ffb299549d4f603867eefcf

  • SHA512

    c6fcfd88bd09a0cbd7c3a5eca44450707e178873edf115b0fb99eef5f7a7d32813baabbfb3deb42b796161597f25e0a92942cb208fb7628727bad0773d1b52c9

Malware Config

Extracted

Family

bumblebee

Botnet

SP1

C2

45.147.229.23:443

Targets

    • Target

      document.lnk

    • Size

      823B

    • MD5

      8a64bb558448a278eb268a5959d810e9

    • SHA1

      b32b55da9c91741ce7e85588d993041d1782595c

    • SHA256

      07162244bdc900f98fb964c289d510fd1567e9e1bfe834993ddb2a51c52f8450

    • SHA512

      7596f4a616a5aaef205d9e488b040d76bf6684630daab6d5e93a59cde4dc1e20650136ef49801d36cdd69e74da7b6c6857360f4647f3b8edad3ad861f15bbdcd

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      tar.dll

    • Size

      2.7MB

    • MD5

      248fab1afb00e6daa4a9d97017ae0677

    • SHA1

      bb3d352aa47c81bd9338605c36f49d26f0cb3a62

    • SHA256

      06e54503e102c2fbaa163bea456ee66b0e2d9abec2a0670fc8f7719e223ea257

    • SHA512

      1e463011edf55a44581636ddb13de2c900ce77f000db81db04e817f875f8fad8306ac60d3c4f76087e8f58b117b4f264645e14b31ab9d7f6c1c74439b0574385

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
