bumblebee

General

Target

Desktop.zip
Size

855KB
Sample

220614-zg53zagcg2
MD5

5a186f3b13995ef0cb42c38ae715d432
SHA1

08b1eb23bc099e1b615895e11e8880e13cea2d02
SHA256

ebe801a9a2cd62d435f37fee0be39812d32f23157129e1966bdcc8a7ed9a1c79
SHA512

9260f2bda6b17f01096eee170119da1b75a35baace8cbf905ae0c427e0ba6195d142552e202e8519b2ea78b8a3ea995c9b52124ac6eb414da7b777dd140a18c3

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

6rr

C2

145.239.30.26:443

194.37.97.135:443

185.62.58.238:443

176.107.177.124:443

192.236.160.254:443

192.236.192.85:443

185.62.56.201:443

103.175.16.59:443

198.98.57.91:443

154.56.0.221:443

64.44.101.250:443

103.175.16.117:443

63.141.248.253:443

192.236.194.136:443

193.239.84.247:443

192.236.161.191:443

185.156.172.123:443

54.38.136.187:443

64.44.102.6:443

192.119.64.21:443

rc4.plain

Targets

- Target
  
  docum.bat
- Size
  
  39B
- MD5
  
  9b2244d9b15b1186430e2feedf1a1cbc
- SHA1
  
  e42ce05798212df517d36cec81435ffb1877c3fd
- SHA256
  
  f17420ec26a57d29eefd782b046a8c7be41bc1da1d9bf08313e6fc83ccca333e
- SHA512
  
  d0cf589d6d31fa45fa7982e3d817920a4dbd06771f2051c0a3d4e4da92d43f4787e73d666351f473684d1db16e0c04909f1b52e87da1eabc87d6d76e5b24d387
Score

10^/10

bumblebee 6rr evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  690b95081eb2c3eab4f10f027cb2aca8
- SHA1
  
  b5c7a3e0190126a5c738a39f60e81705b8fd1e7b
- SHA256
  
  10f2cdf35e577ec35e2ac8e1f6a36d97a5dbcf8298dd430bd9777bfb9a9564dd
- SHA512
  
  2b7262f82c93d5ab6e32fb5e711e015a60a2e70366321c53d7434300e6e7bc248634ccdad2619cf8c4077b6b39ce5dca6a3c226a06aa647a71dbfbf781428397
Score

10^/10

bumblebee 6rr evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4
- Target
  
  parelmo2.dll
- Size
  
  1.2MB
- MD5
  
  750d8c74c04035cdda0e2e4c8022f0f3
- SHA1
  
  eefea7491859a56200b9e5d7d676112039778e3c
- SHA256
  
  f3d6cc38e35b0738ac5968f8c15404bbe17a1cc00cd6af03b99942e3d9174c8e
- SHA512
  
  9d9e6968c9dfe44ad465b652b6b517b875db8a45490f7e22e1099481e813915f4d921d925ee4d6408dc37423a78c4295e0e3260bfa2aac3ad84edff2edef5586
Score

10^/10

bumblebee 6rr evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6