Resubmissions

11/06/2022, 13:38

220611-qxsm5sbaa9 10

30/03/2022, 15:09

220330-sjyncadcd5 9

General

  • Target

    Invoice-32235 (3).zip

  • Size

    1.8MB

  • Sample

    220611-qxsm5sbaa9

  • MD5

    b0e98d7d30d1b9c82734b153efcc1d53

  • SHA1

    8f7bb34d8393898976982c22399619790f7a9421

  • SHA256

    8149cfdaf8eb8c810c0439a3461c62f032b268448b6054a78157a425a4ce679c

  • SHA512

    b3fcceceeb43a214de3bb442c072c35a8d4df642508cd47e5fc71a624ba5d73e00e6eb6221b948e7c58e0d19fbf565ca53098ca08ac807884049bd08d457103e

Malware Config

Extracted

Family

bumblebee

Botnet

LEG1

C2

45.147.229.177:443

Targets

    • Target

      appbuild.exe

    • Size

      3.0MB

    • MD5

      cd2cce5e7cc63f6947305cfe8509d3a9

    • SHA1

      677517444d5311991874856e9a56959eb4f22eb0

    • SHA256

      9d75278f48c145f9bdb1c7916ab92965fa5a079de0fd8d22a894b2307b80f2c1

    • SHA512

      f3ee3854340906a127f24ed0bb1eb56c53abef4e4fbb1472a6b2cda1ad9fe51dff1cf0ff19e707c47fe0e415381ac8ab2c3ed08a1ac15902262cd4992417047d

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      documents.lnk

    • Size

      1KB

    • MD5

      63249b1d5afdb63750f55dad00e211d0

    • SHA1

      116046209898e4d4004dfa7517d56416cc360190

    • SHA256

      467d6e92d3a3c27b2e6c0c75ce20a031c3408f1a58ff09dd5f2c60d6996ad4a0

    • SHA512

      697ebc4a06f65c0409be386b8655024ee59d99ed588eb0c59ec00daec64e2623c74279f411719f152bfd5fb0eb21f07790755d7ba6373891e8eca89985166e51

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

MITRE ATT&CK Enterprise v6

Tasks