bumblebee

General

Target

zippedISO_20220615.zip
Size

997KB
Sample

220615-v5wf8acef9
MD5

61b74d95a63dbb76af5a52e151766a5b
SHA1

277a0ea55ad3e4b40e28da2f14cbdb098e1473f6
SHA256

4b94ef5a7651773545d376bfb6e032549f91286ef99b3c77beda371c11d54b31
SHA512

be91a956e10c6de8585966723378fb4434b2ecf453f9b4a8a14fb0452280086bf851b7e19f5dd5b6417a70d89b2b342d2a5dae55e9cbd3479f0aeba35daf01f8

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

156r

C2

249.241.29.24:181

124.243.81.221:274

142.11.216.143:443

190.123.237.229:261

208.84.180.22:146

103.175.16.106:443

18.8.71.243:176

37.64.220.2:332

100.93.33.185:487

182.62.4.186:282

239.100.121.57:329

228.78.147.191:253

212.234.34.219:148

138.65.77.29:391

55.14.133.44:292

221.238.146.116:272

91.167.137.83:421

66.23.70.38:168

183.37.64.159:220

241.112.226.151:197

rc4.plain

Targets

- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  0c61c063804dbbe46b16acbfb28d8771
- SHA1
  
  1231e3cddeedc09bb243b9b4536f3029efc4c8b7
- SHA256
  
  7b9a00cbd523a9585abb072f782b0b1447a905a3d63232627591bdf363f776c4
- SHA512
  
  6c2a29ba06bda9b778e2590d45ba698bc7b195c014afd31ede17ce086786413b97d8c9c7f29b38e07022571e0a397d44cad01550fb5a673014246c21a350e35b
Score

10^/10

bumblebee 156r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  glin3r.dll
- Size
  
  1.5MB
- MD5
  
  dfcee862a58ab04a5fcb9417d81f7084
- SHA1
  
  4fe82f38d826dda103dce02380ad859387d92578
- SHA256
  
  46edbc79fb5779ff1ed0c35641bfda0ceb25782c262c54ce77e94ad7676f727a
- SHA512
  
  b01a706d684de75aa35a12b47fa004c86293c673d6df80cc2d7da6df348f55c191dc8d1cb3653b66e113534983d2604164eda0c18529f705bd762b0f6bae3da5
Score

10^/10

bumblebee 156r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4