Overview

overview

10

Static

static

project re...ts.lnk

windows7_x64

10

project re...ts.lnk

windows10-2004_x64

10

project.rsp

windows7_x64

3

project.rsp

windows10-2004_x64

3

start.dll

windows7_x64

10

start.dll

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    OneDrive_20221616.zip

  • Size

    962KB

  • Sample

    220617-rjkk2sege8

  • MD5

    dcfe9770307daf00d4824f6dd30384a3

  • SHA1

    ad8b044a7be20aabbfcea358b0d24bb09c823c3d

  • SHA256

    23e1e8f940d87509ae7f0ba498cedee27af62f484572091c8235fcc038e4b2f0

  • SHA512

    991d7399e8ca900e78a1300b660d717c40693f29d32604e8e9b376de219f542f06cf8bacbe647ebea44f3d3a0d26d41285a3efcf448b01cb73f2f1d87ebf3c7c

Score
10/10
bumblebee166aevasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

166a

C2

85.239.33.172:443

25.5.198.104:440

223.31.110.102:393

213.226.100.95:443

25.181.64.39:236

199.193.159.46:283

45.138.172.246:443

84.250.88.57:386

145.244.80.29:230

133.17.128.73:319

14.102.170.127:377

1.39.166.217:166

14.40.68.19:391

146.19.173.186:443

199.201.12.90:201

212.110.132.77:289

69.38.43.160:207

131.169.248.28:201

141.178.39.245:323

28.148.236.16:485
rc4.plain

Targets

    • Target

      project requirements.lnk

    • Size

      1KB

    • MD5

      edda66bc860d630aaab6af733006a2c5

    • SHA1

      900bf9e8428fac53bf932b2af2bd4a87c745c413

    • SHA256

      d423bf5e25a80f24161fce6d9b9cc8698f5b63106c1470f0ebdfaae5882d50b0

    • SHA512

      15b0556a1ef3c5d3aaddc8345b237423839a24acb4f8a260adb0b2b4d34f7e6e2d9e92b5f420e18dd04dfcf51b6b1c570073a1d27527a076a0289f86fc449400

    Score
    10/10
    bumblebee166aevasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion
    behavioral1behavioral2

    • Target

      project.rsp

    • Size

      16B

    • MD5

      d8cc9aae0b92ab54b5769aa78de28933

    • SHA1

      da38e228c468936ba3ebb74f724102c27caf0da2

    • SHA256

      3822fbc5d77633fc1943faaf04be48578337182aad480f51415d5d8ac9ce71f2

    • SHA512

      50c86d45f40f709d7778b739d92beaeaf37176689d0491e5a29b48c27300e921decde7be8d2b068e7e664bcff52e0950701086169e19f1b55fb245968bb642d0

    Score
    3/10
    behavioral3behavioral4

    • Target

      start.dll

    • Size

      1.8MB

    • MD5

      ce8aa596ab8c1d075439a9ee29a438c6

    • SHA1

      415ad86787a40abb95fb67e604aba8a075a41ead

    • SHA256

      18aed3582da2419ab339bff7d1e84b1eac88d5c9bfaf7320daafcfbb6f6798b3

    • SHA512

      a5c7d3b9d127bc1ab22a8a8596a6853ae721fb3286e0b3d5d6592d9be603f1ec31055b7598aad4c9e5ee8adb351a122f12605aa4d76a3842ace8f01645f7af1c

    Score
    10/10
    bumblebee166aevasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion
    behavioral5behavioral6

MITRE ATT&CK Enterprise v6

Tasks