General
Target: a1756.hta.zip
Size: 24KB
Sample: 220618-damr6aebgp
MD5: 64d3f8a88fde8961d0de7b484023afb1
SHA1: 3e4e3bd675b9a64b6b9eb9b61fb703b658e7767a
SHA256: 00dc21b505bde611bc9d8141372054e34de205f521b0de1374b7d0834b5c9f08
SHA512: f1937c96e21aa6b9270be62bdf4ab865e3a6880fe17025986069bea7a04e9b293852dea573d6c2dce36698192f9eaf77ca3c08ac5db7cb125f8f5af74973672c
Static task: static1

Malware Config
Extracted: bumblebee
a17
Targets
Target: a1756.hta
Size: 106KB
MD5: 77e0ff485132eb2eb9f87ad6eab9a503
SHA1: 46eb0a58f4e0d34649a9bd07a63d0fda8b6cf4a9
SHA256: 9464c5521abc33590b6388f41d53d306f33c8e6a4b20358155a3cbfbdf31b0ff
SHA512: 8fd76911715e85adc2335f0daa8ce8a916823a369056d860d56e5eb188faca5dfe0b6a6fbf545384dce7fd4b54971f754d076cdc1386a440f42ec05c64713d06

- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL