bumblebee

General

Target

toso3l.zip
Size

903KB
Sample

220614-te3l6sbeb3
MD5

8c98753aa302f67ef9a2290ed36f5b10
SHA1

d1f3f0ebcce1d9e4915e3966be5c1300ff41b62d
SHA256

37104c67794383d81a4bacb301c4e3b4e04d12bcb914494fb8f7c5a2e0ff9994
SHA512

87e994859709d0a16af649c88f8ac39fb55b5221ce2b9696fec882c2fc9f34a7c7efa3ffe5721fd2c64e8fda74a3c273275265af3cdc26e1258c63267f3adac2

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

1406r

C2

39.57.152.217:440

69.161.201.181:382

244.6.154.71:111

193.233.203.156:443

221.106.84.123:307

194.135.33.148:443

111.99.39.11:387

223.243.46.133:147

48.165.175.199:316

78.89.31.86:229

157.17.142.85:406

90.81.8.16:370

21.29.238.98:209

154.56.0.252:443

103.175.16.108:443

188.57.4.52:357

15.209.19.148:466

160.70.24.228:486

33.145.184.132:240

235.126.132.170:106

rc4.plain

Targets

- Target
  
  toso3l/documents.lnk
- Size
  
  2KB
- MD5
  
  fd76759f202a3f3651d445f022a8f308
- SHA1
  
  47daf80efb7af421f01f7af22ed367f52695645d
- SHA256
  
  7ea93d3194137b5e8e11609733b6d1dbefda22cc1e129e25a06e8623f2bbc3e3
- SHA512
  
  f56b94e835d02d2fdb20f35022599584de23631cb7b5eeab52b68522404d5e7f82c9a8964d866b920314c0546ddaf4bd563a3b48e9cd5596e0777c656f75f3c2
Score

10^/10

bumblebee 1406r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  toso3l/toso3l.dll
- Size
  
  1.7MB
- MD5
  
  e4cd57d7cca00316c3654ce36b4d6418
- SHA1
  
  4384cc2613d9edba5052ca97c34509ef7a5424e1
- SHA256
  
  48c9b5335b17f314acef74aec578e9d9770779179903175f1b18a7b7d953841c
- SHA512
  
  c5b6a93e76ee82d6433e201205620e90e6f982daf95500f957d0820a4bdb7414fd166acf11a44c4f73e3f83d120bbd9f03281c391605ce9a4beaf88ac6fe171d
Score

10^/10

bumblebee 1406r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4