bumblebee

General

Target

zippedISO_20220614.zip
Size

927KB
Sample

220614-trp7lsbfe4
MD5

461466365b039bfa8fc4a4cfa299ad37
SHA1

16cdd51302badaba8434e0209755f141ca486a47
SHA256

0527bafd1a42fd4ffda323a70547d3bb5a9c2d2e4d9566ca8e9a5a0e5380f4e3
SHA512

bde9befdd28733973f4c54dd62ff32501e776f13359684b70b6ca3c87f25067058337e8454d350084cce0b0871958ce1ee3be0b7ac2b207b5c462439e1b52aa0

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

1406r

C2

39.57.152.217:440

69.161.201.181:382

244.6.154.71:111

193.233.203.156:443

221.106.84.123:307

194.135.33.148:443

111.99.39.11:387

223.243.46.133:147

48.165.175.199:316

78.89.31.86:229

157.17.142.85:406

90.81.8.16:370

21.29.238.98:209

154.56.0.252:443

103.175.16.108:443

188.57.4.52:357

15.209.19.148:466

160.70.24.228:486

33.145.184.132:240

235.126.132.170:106

rc4.plain

Targets

- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  0dec891322ec208f9fc252e3469d3467
- SHA1
  
  5360130698f866a41625addf03acd977425272f1
- SHA256
  
  9c7e01c2c39dadc020a0cf8dc74b62e6453b56413f09705b4ad4d391981f5a3f
- SHA512
  
  46f1a5daf5b88f4c8c2a70f5f9e2b77578c7e6b4711dc6e62d4ae8147639f5409496f2eb9ce62b1f9b9e12ffc8560f7c0538fd3c3d0c00fa05a9211be268faf3
Score

10^/10

bumblebee 1406r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  toso3l.dll
- Size
  
  1.7MB
- MD5
  
  9e7d45b4f097d4274aa74b5eaade65d9
- SHA1
  
  e7b0de2872002621f1aab89fe3c54d579fbe46a0
- SHA256
  
  2e349b3224cc0d958e6945623098c2d28cc8977e0d45480c0188febbf7b8aa78
- SHA512
  
  5b5518638bd52e3a4253b020b779b85d65563f930692c51b39e78f8df7060bf4fac5aca4b9b70a0dbbeeeb67bba34c627d2978f30a86c4f6e900bba0c3520424
Score

10^/10

bumblebee 1406r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4