General

  • Target

    20220614_smashSample.zip

  • Size

    987KB

  • Sample

    220614-w277aagfcl

  • MD5

    3a72e13c9b32987c5ba4bdf32adaddb2

  • SHA1

    acb027c1769699ccb9db184b33f655735ca70ae0

  • SHA256

    5cf736ccf0952dc2b6b1cac95841947e5436b690d2f2949f17d5100e8d2e40ab

  • SHA512

    5d2c811bb554a206e515f11fb9e29f06d9a3741e16d3691e35e43e029cd22aacbe99bf69c25b8d23f50e03543cfce5204e194c7862e60ff5cd59ee83ee26318e

Malware Config

Extracted

  • Family

    bumblebee

  • Botnet

    146a

  • C2

    12.236.242.155:211

    243.92.11.201:387

    182.10.38.85:198

    117.75.94.181:456

    148.70.67.206:267

    247.23.37.74:155

    122.247.231.47:117

    45.142.214.167:443

    171.227.174.67:108

    204.1.81.223:110

    145.239.28.110:443

    170.24.243.46:441

    69.235.89.243:366

    4.165.175.212:387

    76.96.116.176:190

    128.44.54.202:493

    103.175.16.106:443

    40.72.17.141:326

    146.19.173.186:443

    51.68.145.54:443

  • rc4.plain

Targets

    • Target

      PRD.lnk

    • Size

      1KB

    • MD5

      822fef7c77e9f912441448458ba90a50

    • SHA1

      3ea9d5ee7619072f3211dccd41299f899cb681ad

    • SHA256

      f9dc90e974f2d3abc337cf133e9bc252ced1df4250f85951684dc12ce6f5f091

    • SHA512

      14c4a60ac520e6ab541cf39b93b187b21e46037229fc5c3a120efb2bb72556d189a018843f6b16714dddaa949ad35bda7420679f2c9648021edb3903af315d1d

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      install.bat

    • Size

      33B

    • MD5

      7eb1c4dd9c71972cfb9f97a84393095c

    • SHA1

      e88433f7d787f119ae28a7b30263372462388344

    • SHA256

      b9761b63f5538662fba077ef05a16594fec5cf7ee9ec350e9c1b504fcc9ff438

    • SHA512

      72c2d50ebea8b4c9d2700d39d1ba7adae8c4f90678080c557d1d39ba1deb79553105c44e61318b0df0e0f66d10d19226536096e98cf2219891a2aadb91a8f021

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      rec.dll

    • Size

      2.0MB

    • MD5

      1f1d96a3f69ce08560740e0595dc0f70

    • SHA1

      2cb4edd8a1c820413ee6e9a811db8d76bacdfe55

    • SHA256

      d9dc399f5583db5e3bfe1998d9296695975dbd2217f7ada8e28a4d605896c8a7

    • SHA512

      2eaa82853ee6386e920f5c86e388e854ca736dc21d0306b52897f7ef1f1c434f306fbb277f9180330409fd0ca794c058e20bedff4bfbc84660a6ca686d21f58c

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

MITRE ATT&CK Enterprise v6

Tasks