Overview

overview

10

Static

static

bumblebee.dll

windows10_x64

3

run.bat

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bumblebee_4_220624.zip

  • Size

    911KB

  • Sample

    220625-jm6cxsbghj

  • MD5

    2cd38fcbc0225a45609045c3dea7c5c9

  • SHA1

    43a908bf875a07294fdd301495bd6ef39638dba6

  • SHA256

    9bf6b87372dd49e9404875087de90b409000375419f90332af983568a46c0c0b

  • SHA512

    f924e6e049634d550d8de2640d341c6cf17d7e60a02d75aa5e150374d260d5eb884baaf396134602328ea7a8a10e0a3d796fdfa07bb35f00d80086c23e508434

Score
10/10
bumblebee236revasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

236r

C2

54.38.136.111:443

103.200.32.188:492

74.57.128.223:112

13.2.200.200:338

228.194.82.251:473

247.224.208.140:372

0.151.228.146:282

192.119.77.241:443

186.150.217.235:221

50.41.225.93:478

50.167.186.112:239

173.77.219.120:201

187.210.45.242:299

239.11.133.48:421

207.6.99.3:471

98.28.11.39:201

193.239.152.108:242

133.209.39.126:217

146.19.173.202:443

97.194.155.116:446
rc4.plain

Targets

    • Target

      bumblebee.dll

    • Size

      2.5MB

    • MD5

      5d8c2e7885564f4424a30465c7a2b273

    • SHA1

      79c443c99b0c18d5f7374f6ac62325492b6e4a7b

    • SHA256

      0a8d0d2b177b315ba8facc7d5029ed126840867d065a4f832e53f564c6b0cc32

    • SHA512

      a457399c51b387186019d4149fa733d9c572cf3d4fb9b2c34f69b8cb0c7429e34b788e9eb738d7ebbee3333598f9713d25b439cc70065cc8155e50ae6e6bafc1

    Score
    3/10
    behavioral1

    • Target

      run.bat

    • Size

      58B

    • MD5

      21f479b64e1b4cac98f71d55d928a124

    • SHA1

      a5381cb0557dc3d1ec5a1ce8f76a97adc3d9f4ec

    • SHA256

      6ae8417806a564871b70d7adb4baa557a1ad1cf6f4b61efbff7b00c8bbca1a7a

    • SHA512

      c8ef4a263eefe2f2ded6e146614dd102aa8b41051a7a8e670fa1e3683e608feba507f18ae5a3a5de337df264492c074d489504109909e0afab9b3ee502960315

    Score
    10/10
    bumblebee236revasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion
    behavioral2

MITRE ATT&CK Enterprise v6

Tasks