Analysis
-
max time kernel
43s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20/06/2022, 08:59
General
-
Target
toso3l.dll
-
Size
1.7MB
-
MD5
d6a09a35b18a25b756fd0a2cfe18ecf1
-
SHA1
d14985b445752dbd84698ea9132d597aecf495c7
-
SHA256
47a9ee143d413413a5f92a39d07c02dcd93f379387b1b6a0d26ed978a2c6425c
-
SHA512
f438c7adcec7f691b86c90156ef9816df69cb94323fe0c3ebb502f98d8ce4c6ed0878dcf666a7b56f96f36b5727ed3521cb2d237aecfed02db051c2973d6361b
Malware Config
Extracted
bumblebee
1406r
39.57.152.217:440
69.161.201.181:382
244.6.154.71:111
193.233.203.156:443
221.106.84.123:307
194.135.33.148:443
111.99.39.11:387
223.243.46.133:147
48.165.175.199:316
78.89.31.86:229
157.17.142.85:406
90.81.8.16:370
21.29.238.98:209
154.56.0.252:443
103.175.16.108:443
188.57.4.52:357
15.209.19.148:466
160.70.24.228:486
33.145.184.132:240
235.126.132.170:106
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\toso3l.dll,#11⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB