Analysis
-
max time kernel
39s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24/06/2022, 22:54
General
-
Target
file.dll
-
Size
1.3MB
-
MD5
18aca7481b515ac30a6e2122fcc02a28
-
SHA1
6ba63d95420b58e8a98d886159afe4ec529d08b9
-
SHA256
0301a8c454da987b5ef35e0b2242903b809e2bec76d495d172c3824d4e396c61
-
SHA512
7110d6887c53c314ad7e41fbed6ee0167fc97694fa74fa39879a563648bfec6c756103d9ce1410a2f3150d461f582a805d0610dad1fa5929f40451caa350ac1c
Malware Config
Extracted
bumblebee
246a
231.215.229.228:485
69.52.231.230:347
239.99.55.244:383
128.197.89.141:438
100.75.172.149:488
23.82.141.11:443
107.77.228.163:260
88.232.241.45:176
51.83.253.131:443
80.194.203.32:143
18.248.93.197:110
200.194.145.202:359
154.56.0.111:443
154.207.124.132:129
174.104.34.167:296
84.224.237.39:382
195.250.7.94:370
237.251.89.198:174
81.39.2.175:407
139.203.193.38:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\file.dll1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
1.1MB