General

  • Target

    PRD.zip

  • Size

    3KB

  • Sample

    220617-yjt8tafff3

  • MD5

    841f17ecb332860de8e6b4724bb6d83e

  • SHA1

    0c110e26e2142682e4ae0550f7dd99c21553ee96

  • SHA256

    a1fcac59a0ba12009a3bec84f8609311fb4044183ad6c6a211f897aa2c6b4726

  • SHA512

    e37e47f5e2b0d394ffe85437f3b40c364ca1e1476ef468318b15aa6f5226b2a5d9848be3ac37e7059312ee365bb0cf2e48b36060377cedf1ef72b0421cabbb42

Malware Config

Extracted

  • Language

    hta

  • Source

    URLs

  • hta.dropper

    https://pidipurev.com/a1799.hta

Extracted

  • Family

    bumblebee

  • Botnet

    a17

  • C2

    220.111.119.123:476
    90.12.112.169:180
    146.70.124.116:443
    47.27.63.45:115
    77.45.24.148:444
    11.1.201.27:344
    224.200.37.92:481
    103.175.16.38:443
    188.8.220.88:269
    12.202.229.195:440
    41.56.181.200:486
    173.171.60.50:394
    5.152.80.211:121
    88.158.143.245:189
    57.242.85.233:131
    30.205.76.70:490
    45.138.172.246:443
    213.226.100.95:443
    46.44.240.53:361
    151.75.118.144:368

    This list should not be consumed as-is. 224.200.37.92 lies in the multicast range 224.0.0.0/4 and cannot be a C2 endpoint, and Bumblebee is known to pad its configuration with decoy host:port pairs. The routable entries on 443 (146.70.124.116, 103.175.16.38, 45.138.172.246, 213.226.100.95) are the likelier live servers; treat the remainder as low-confidence until the network traffic corroborates them.

  • rc4.plain
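As an added example (not part of the sandbox report or of any vendor tooling), a small Python triage helper that takes the C2 list above and separates the entries that cannot be Internet endpoints (multicast, reserved, private ranges) from the routable ones, then ranks the routable entries on 443 first. Two assumptions are built in and labelled in the code: that Bumblebee pads its config with decoys, and that its live servers listen on 443; the bucket names, function names and the defanging format are the example's own.

```python
"""Triage helper for the C2 list extracted from a Bumblebee config.

Added example, not part of the sandbox report or of any vendor tooling.
Assumptions (not stated on the page): Bumblebee pads its config with
decoy host:port pairs, and its live servers listen on 443, so routable
entries on 443 are ranked first.
"""
import ipaddress
from typing import NamedTuple


class C2(NamedTuple):
    host: str
    port: int


# The C2 section of the report above, copied verbatim.
REPORT_C2 = """
220.111.119.123:476
90.12.112.169:180
146.70.124.116:443
47.27.63.45:115
77.45.24.148:444
11.1.201.27:344
224.200.37.92:481
103.175.16.38:443
188.8.220.88:269
12.202.229.195:440
41.56.181.200:486
173.171.60.50:394
5.152.80.211:121
88.158.143.245:189
57.242.85.233:131
30.205.76.70:490
45.138.172.246:443
213.226.100.95:443
46.44.240.53:361
151.75.118.144:368
"""

LIKELY_PORTS = frozenset({443})  # assumption: real Bumblebee C2s speak HTTPS on 443


def parse_c2_list(text: str) -> list[C2]:
    """Parse 'host:port' lines; reject anything malformed instead of guessing."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed C2 entry: {line!r}")
        entries.append(C2(host, int(port)))
    return entries


def is_routable(host: str) -> bool:
    """True if the host could be reached over the Internet.

    The special-purpose ranges are checked explicitly rather than via
    ipaddress.is_global, whose meaning has shifted across Python versions
    and which does not treat multicast as non-global.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: cannot be judged offline, keep it
    return not (ip.is_multicast or ip.is_private or ip.is_reserved
                or ip.is_loopback or ip.is_link_local or ip.is_unspecified)


def triage(entries: list[C2]) -> dict[str, list[C2]]:
    """Bucket entries: decoy (unroutable), likely (routable on a C2 port), other."""
    buckets: dict[str, list[C2]] = {"likely": [], "other": [], "decoy": []}
    for e in entries:
        if not is_routable(e.host):
            buckets["decoy"].append(e)
        elif e.port in LIKELY_PORTS:
            buckets["likely"].append(e)
        else:
            buckets["other"].append(e)
    return buckets


def defang(entry: C2) -> str:
    """Render an indicator so it cannot be clicked or auto-resolved when shared."""
    return f"{entry.host.replace('.', '[.]')}:{entry.port}"


if __name__ == "__main__":
    result = triage(parse_c2_list(REPORT_C2))
    for bucket, items in result.items():
        print(f"{bucket} ({len(items)}):")
        for item in items:
            print("  ", defang(item))
```

Run on the list above it yields one decoy (the multicast address), four likely entries (the 443 ones) and fifteen routable entries on odd ports that deserve a second look against the sandbox's network capture before they are pushed to a blocklist.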

Targets

    • Target

      PRD.lnk

    • Size

      1.9MB

    • MD5

      6d3b37ea0e22cb04d9227dee552663f4

    • SHA1

      2e1d39395fc36693d2abff8709db4261909e7cda

    • SHA256

      9c4cfd85af061badf6bab38ace88be3a6a21e64fd99571eee8e93fed745261f9

    • SHA512

      3089cecd1b4fb2c843aec61f1cb5a28f8c1052c5ff7296301a6702050b0916b847f199bf78134d88bca1797eabfa70721a9d26d425bc50053018954e290302c7

    • BumbleBee

      BumbleBee is a loader written in C++ that downloads and executes follow-on payloads. The extracted configuration (botnet ID, padded C2 list, RC4 key) and the LNK-to-HTA delivery chain seen in this sample are characteristic of that loader, not of the similarly named webshell.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL
