bumblebee

General

Target

32ber.zip
Size

1.8MB
Sample

220611-rnlc5sehgl
MD5

9526ac0c9b85978151a086ffe2eb01ba
SHA1

445693248c63e7c65aeab9ab9a21ae0303867055
SHA256

c38246e03d97f75b720e884bbfd07c9c951cf23c6e8b6ff70223f8a18a02a6da
SHA512

c70cdc915a5bf6ecd1ee2dad2744a508d368942d4a4645f4ec86d4a90911a86ca8993404752eb0fe43e555301dd915801b3533a68aba25df2b138f9454f4a2be

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

1904r

C2

199.80.55.44:443

209.141.59.96:443

23.106.160.120:443

rc4.plain

Targets

- Target
  
  32ber/32ber.dll
- Size
  
  3.2MB
- MD5
  
  a899ebf9331b90b5931b73a71362cedc
- SHA1
  
  fd53b8071f2843ae08febb214bc6f971c58cf6b6
- SHA256
  
  9e5a484d501af67a87c6f0f553360e5dc4c4fbf24c01724cf10eecd34df6be3c
- SHA512
  
  176823050ab467f4d0c4163ccca3533acf34b96137406be5ee261d47f4e1181e12c0196bc668750f9024f6d7bcb63d9667ec447fc4cb0bfbb387a2d7cbaa3fae
Score

10^/10

bumblebee 1904r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  32ber/qsdqsd.lnk
- Size
  
  1KB
- MD5
  
  b45fa425a03c562272d570d2c5f6e421
- SHA1
  
  68e1fe09e4e772c9e4f8887081a7664da77fca6b
- SHA256
  
  9cabff084b106f1de0027a3038bd5343ec22d9f1d132808498d290a1260157e7
- SHA512
  
  15c8907ae8fc9d2e49eec6c8ea55f06216ff0611e201023c018cff5ad15685e8e2d6c4c2b6da4feb99b5e0913cebd8a7c5540f10986374d322945620a5efc21b
Score

10^/10

bumblebee 1904r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4