Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21/06/2022, 20:35
General
-
Target
pop3ram.dll
-
Size
1.2MB
-
MD5
5ad508a693799dc062d05bd74c92dca2
-
SHA1
f753f49d262a838cb7e39f31c92f7ab65941761d
-
SHA256
cee0f9f532ba26beaf22ca8895d0904f1d763dc15daca6e8ed44105f863718be
-
SHA512
94ddd6564e34f12a4fbbeae1e6bb9437678f8518942692ddd27d38d09cc7f2e7d7208038fa459dc0146f9d08a719b116aef90b378d9d50ac20e3c1adbda021f9
Malware Config
Extracted
bumblebee
1306r
185.62.57.182:443
185.250.148.136:443
158.69.98.105:443
193.233.203.156:443
145.239.135.155:443
146.70.125.82:443
146.70.104.250:443
103.175.16.108:443
185.62.58.133:443
194.135.33.148:443
194.135.33.149:443
154.56.0.241:443
23.254.201.97:443
45.147.229.101:443
185.62.58.169:443
192.236.249.68:443
193.239.84.254:443
37.120.198.248:443
146.19.173.139:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\pop3ram.dll,#11⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB