bumblebee

General

Target

weTransfer_20220616.zip
Size

962KB
Sample

220617-sbwh1scddk
MD5

dcfe9770307daf00d4824f6dd30384a3
SHA1

ad8b044a7be20aabbfcea358b0d24bb09c823c3d
SHA256

23e1e8f940d87509ae7f0ba498cedee27af62f484572091c8235fcc038e4b2f0
SHA512

991d7399e8ca900e78a1300b660d717c40693f29d32604e8e9b376de219f542f06cf8bacbe647ebea44f3d3a0d26d41285a3efcf448b01cb73f2f1d87ebf3c7c

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

166a

C2

85.239.33.172:443

25.5.198.104:440

223.31.110.102:393

213.226.100.95:443

25.181.64.39:236

199.193.159.46:283

45.138.172.246:443

84.250.88.57:386

145.244.80.29:230

133.17.128.73:319

14.102.170.127:377

1.39.166.217:166

14.40.68.19:391

146.19.173.186:443

199.201.12.90:201

212.110.132.77:289

69.38.43.160:207

131.169.248.28:201

141.178.39.245:323

28.148.236.16:485

rc4.plain

Targets

- Target
  
  project requirements.lnk
- Size
  
  1KB
- MD5
  
  edda66bc860d630aaab6af733006a2c5
- SHA1
  
  900bf9e8428fac53bf932b2af2bd4a87c745c413
- SHA256
  
  d423bf5e25a80f24161fce6d9b9cc8698f5b63106c1470f0ebdfaae5882d50b0
- SHA512
  
  15b0556a1ef3c5d3aaddc8345b237423839a24acb4f8a260adb0b2b4d34f7e6e2d9e92b5f420e18dd04dfcf51b6b1c570073a1d27527a076a0289f86fc449400
Score

10^/10

bumblebee 166a evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  start.dll
- Size
  
  1.8MB
- MD5
  
  ce8aa596ab8c1d075439a9ee29a438c6
- SHA1
  
  415ad86787a40abb95fb67e604aba8a075a41ead
- SHA256
  
  18aed3582da2419ab339bff7d1e84b1eac88d5c9bfaf7320daafcfbb6f6798b3
- SHA512
  
  a5c7d3b9d127bc1ab22a8a8596a6853ae721fb3286e0b3d5d6592d9be603f1ec31055b7598aad4c9e5ee8adb351a122f12605aa4d76a3842ace8f01645f7af1c
Score

10^/10

bumblebee 166a evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4