Analysis

  • max time kernel
    46s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17/06/2022, 12:39

General

  • Target

    9266985ca39ce357d011543b618d868065eafa22e0988f64a831a2745337b93c.dll

  • Size

    1.7MB

  • MD5

    d5e252ef513f49804ed1867091348af4

  • SHA1

    f28b33dcca97748f8c65c5595fa836d6e5d9d374

  • SHA256

    9266985ca39ce357d011543b618d868065eafa22e0988f64a831a2745337b93c

  • SHA512

    1adcfab752d50e33b04a2760a01500399396031ed8c1bddf4c60715909d81b203e613a8a63033f715bc817768290b1becb494e5db22d4a411a9431d2102f4ec4

Malware Config

Extracted

Family

bumblebee

Botnet

166

C2
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 3 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious behavior: EnumeratesProcesses (41 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9266985ca39ce357d011543b618d868065eafa22e0988f64a831a2745337b93c.dll
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious behavior: EnumeratesProcesses
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1660-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

    Filesize

    8KB

  • memory/1660-55-0x0000000002540000-0x0000000002657000-memory.dmp

    Filesize

    1.1MB

  • memory/1660-57-0x0000000002540000-0x0000000002657000-memory.dmp

    Filesize

    1.1MB