bumblebee

General

Target

rec.zip
Size

982KB
Sample

220615-gccazsbed8
MD5

a44d8fd22fa132e2273859f9d5139862
SHA1

89780782d57de4b4a68ff2cbc4a039f6200720eb
SHA256

67a789a53741e630ac4c33b27c0d5f0f75de5c4363d0468580106b52c48b5b61
SHA512

af1265229ae8f4e3068a04323c7da855c19c7a2816aa2c679a2edab5a0555ddad71cd17cbd9eaa93510ee14c495142c183da7b045789378e26613d69440f0276

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

146a

C2

12.236.242.155:211

243.92.11.201:387

182.10.38.85:198

117.75.94.181:456

148.70.67.206:267

247.23.37.74:155

122.247.231.47:117

45.142.214.167:443

171.227.174.67:108

204.1.81.223:110

145.239.28.110:443

170.24.243.46:441

69.235.89.243:366

4.165.175.212:387

76.96.116.176:190

128.44.54.202:493

103.175.16.106:443

40.72.17.141:326

146.19.173.186:443

51.68.145.54:443

rc4.plain

Targets

- Target
  
  rec/replay.dll
- Size
  
  2.0MB
- MD5
  
  fc5b7fb7c307677abf16d477e674c3cb
- SHA1
  
  28c0bc94ae81e4df179d050d8f353f6b2a7e01ca
- SHA256
  
  4fd180dfad7c544ada012af536d34740995027cb1a0b651f9b9fa68b53481756
- SHA512
  
  f4742d7b8a8e3fab84fd025cc74780a86e06b22ef70fc8cc54fc9754bf50431dbd471ffd2cdee688f3d8551c80a08b18297a265e39d99aaa23cca8c40078a0be
Score

10^/10

bumblebee 146a evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  rec/replay.lnk
- Size
  
  1KB
- MD5
  
  4e543f7a1f8d9c3014623983c74c570f
- SHA1
  
  9d71a451a20f5c14fa97ce12f38e64e11576361b
- SHA256
  
  c0987d05cb86664e27d0f3cb7ed5142f38935e8ce7754cbe5e4525fdca480cdd
- SHA512
  
  c539f4694b59567c33754d92e74e7f56968abe5325efc12aba308f53fd19ea4901164326a003735335418f4ae9539fe9e03e1e54b72827dc9f38dfe463faa58d
Score

10^/10

bumblebee 146a evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4