bumblebee

General

Target

20220613_StolenImagesSample.zip
Size

855KB
Sample

220613-w68zdaaacj
MD5

ccb8cad6666e829c0470b94972c3ff3e
SHA1

4e2aeac853ae3e4cc0898d8ec134ec03e5049a3c
SHA256

5926ee3d73171776633b4305dc2915a02961455d5cea06486856b6155b295219
SHA512

78a85fd1271cb66b5722751e68820e682e72ac0a8836816520565762e470826b902d5cc1faa4be88bc5f7f93e6cd600d7183eb6b2b761013449030c392e4b014

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

6rr

C2

145.239.30.26:443

194.37.97.135:443

185.62.58.238:443

176.107.177.124:443

192.236.160.254:443

192.236.192.85:443

185.62.56.201:443

103.175.16.59:443

198.98.57.91:443

154.56.0.221:443

64.44.101.250:443

103.175.16.117:443

63.141.248.253:443

192.236.194.136:443

193.239.84.247:443

192.236.161.191:443

185.156.172.123:443

54.38.136.187:443

64.44.102.6:443

192.119.64.21:443

rc4.plain

Targets

- Target
  
  docum.bat
- Size
  
  39B
- MD5
  
  9b2244d9b15b1186430e2feedf1a1cbc
- SHA1
  
  e42ce05798212df517d36cec81435ffb1877c3fd
- SHA256
  
  f17420ec26a57d29eefd782b046a8c7be41bc1da1d9bf08313e6fc83ccca333e
- SHA512
  
  d0cf589d6d31fa45fa7982e3d817920a4dbd06771f2051c0a3d4e4da92d43f4787e73d666351f473684d1db16e0c04909f1b52e87da1eabc87d6d76e5b24d387
Score

10^/10

bumblebee 6rr evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  c89d0d285c1a7e2433849b541ddd6dcd
- SHA1
  
  92b348df912a354fafc6788403bd6dc9f081a923
- SHA256
  
  e105a1d7fae4d0cb63d068b328d83d41e07b7b27b2bfdc65b2e47c5dfb90466b
- SHA512
  
  abf62809d26fb85561735b2d99e30618458ba2298c5e2de834f0313dee419c2c3c75fabcb517c84914a2b93d624814e32e8c24768b83a710a752d84f9d77d55d
Score

10^/10

bumblebee 6rr evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4
- Target
  
  parelmo2.dll
- Size
  
  1.2MB
- MD5
  
  750d8c74c04035cdda0e2e4c8022f0f3
- SHA1
  
  eefea7491859a56200b9e5d7d676112039778e3c
- SHA256
  
  f3d6cc38e35b0738ac5968f8c15404bbe17a1cc00cd6af03b99942e3d9174c8e
- SHA512
  
  9d9e6968c9dfe44ad465b652b6b517b875db8a45490f7e22e1099481e813915f4d921d925ee4d6408dc37423a78c4295e0e3260bfa2aac3ad84edff2edef5586
Score

10^/10

bumblebee 6rr evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6