bumblebee

General

Target

glin3r.zip
Size

967KB
Sample

220615-y6b1racahp
MD5

ced222973926dafa4227fec62603eff8
SHA1

777d3e3b29624f5c6d2e70f15fd1f243aef11698
SHA256

04c3b637aadb63a545ec3570a1026ddd220843fbd280702427739c4d4763c1d3
SHA512

93363ffd546b7f13308a0b4356bd4511486179d87ed76d0ac483f054e66f68bbfb1afd82ee3cdf25bc11e144b9bf64e558ac698ce8302c4d24b7ec6893a76455

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

156r

C2

249.241.29.24:181

124.243.81.221:274

142.11.216.143:443

190.123.237.229:261

208.84.180.22:146

103.175.16.106:443

18.8.71.243:176

37.64.220.2:332

100.93.33.185:487

182.62.4.186:282

239.100.121.57:329

228.78.147.191:253

212.234.34.219:148

138.65.77.29:391

55.14.133.44:292

221.238.146.116:272

91.167.137.83:421

66.23.70.38:168

183.37.64.159:220

241.112.226.151:197

rc4.plain

Targets

- Target
  
  glin3r/documents.lnk
- Size
  
  2KB
- MD5
  
  0c61c063804dbbe46b16acbfb28d8771
- SHA1
  
  1231e3cddeedc09bb243b9b4536f3029efc4c8b7
- SHA256
  
  7b9a00cbd523a9585abb072f782b0b1447a905a3d63232627591bdf363f776c4
- SHA512
  
  6c2a29ba06bda9b778e2590d45ba698bc7b195c014afd31ede17ce086786413b97d8c9c7f29b38e07022571e0a397d44cad01550fb5a673014246c21a350e35b
Score

10^/10

bumblebee 156r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  glin3r/glin3r.dll
- Size
  
  1.5MB
- MD5
  
  f5ce1054c971dc73f2c5ea5395147145
- SHA1
  
  064359e7f83119cde898819c7197d3aee0d0013c
- SHA256
  
  69528c51e24fec01328da497e2af91379dd09720a36c673f9d0cd568ec6baa03
- SHA512
  
  557970a18426487f209fbe72d2c752fe952f6099fdaa750cc6c90c41792adfa40aba236d41d0bffae066cd990a4c98e4aa5f40a2fd0be6e26a0585cffda6f261
Score

10^/10

bumblebee 156r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4