General

  • Target

    Desktop.zip

  • Size

    941KB

  • Sample

    220623-zs26fsfchm

  • MD5

    4f0c69d8fdfc8c550b0fd2f45dbf8c81

  • SHA1

    aa8d0194de6755319cf246cda532edb3861fee07

  • SHA256

    90923ced3d4068824d8b0708434ffab89ba71ecfadacd306ada936ef7ca8f9db

  • SHA512

    97582f74c9c7d8ecf8ee3a00e9d190741a72d9cf1dcf9d725d864401bdb007fc07833cd9165f902b5b06f12c8d67cb59c62ce5c794bf1113bfd6d7a107bfcd3c

Malware Config

Extracted

Family

bumblebee

Botnet

236a

C2

146.19.173.191:443

205.218.26.106:335

133.228.15.13:127

60.3.192.137:146

146.70.124.97:443

40.178.16.145:137

216.149.130.58:162

121.214.140.226:358

54.200.237.168:311

85.217.238.89:286

23.82.141.11:443

135.49.247.231:357

105.99.153.173:436

226.179.144.85:474

115.177.167.79:268

23.29.115.172:443

242.165.229.167:492

238.78.243.167:401

28.192.253.108:405

82.217.32.8:253

rc4.plain

Targets

    • Target

      PRD.lnk

    • Size

      1KB

    • MD5

      1a9b5960c26658ffa3424a6810ee86a0

    • SHA1

      391b80628d2402518693d457ff863c1091475c03

    • SHA256

      0250c86129cd0bddd7094f5ea76377d5f30bb8ef039499424570ab568e7e7312

    • SHA512

      1c065fc862cccec778ced1343a29ef792b3ca39fb69f1cb28bab4c5deb10b9d77dd2aa9a5ef2acadb85a9886522a2bcbecb31f4fa981c3d260b3a2308579bbf3

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      projectr.dll

    • Size

      1.8MB

    • MD5

      546d975e638d044bc23c7f1bf4122d26

    • SHA1

      2efd0d398b648d5c70db7d15b1893eb19519ae74

    • SHA256

      287055194e83ab2a8d91ef4d187de57345c19018cf3a85024c4fd20c64ad689e

    • SHA512

      7e4709e4dd18965966466334870488b4469e9920c5ae5bbc8bbd2249d2071744ba9c3d169be5d1d9280555465fc8659df4e7059a67f5ceca7f76dc8aa388a610

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      projectr.rsp

    • Size

      19B

    • MD5

      96dc58c3dc67a1bbea87e350f07dcd54

    • SHA1

      be9cce20ca83a96acd39f9af4a620c264515734a

    • SHA256

      fc394b8bf75b4279f2752d3dcdd17d56cb00ef7714063f18915b75ae49e54eda

    • SHA512

      ef6bab70d8b3ff1f8ceae592884a516fcdf90028881ad1ce56485ffc4d215fa85df874b16367567b8db5fcd5ae845dddbec6d310f809963e3e0290970b8b9931

    • Score

      3/10

MITRE ATT&CK Enterprise v6

Tasks