Overview

overview

10

Static

static

bumblebee.dll

windows10_x64

3

run.bat

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bumblebee_3_220624.zip

  • Size

    911KB

  • Sample

    220625-jn7mdaeaf4

  • MD5

    ce8903b2a5d6c47659f798cb1d58d279

  • SHA1

    0f2e079ca9bead693d480e74bd3cd7cd25662265

  • SHA256

    73637ba8d3f8b8bba4e965768d6ebb50e7ce9f81a38f26420fd757e3cf0c0fc0

  • SHA512

    d2ebe7951a71f35995fda83bc4115a2a6388354ac6463e68898cdc8d40dc7852f26ebbce60d4e7f265620f29424e6fd88e38035567cd7021d22e52ca1e5fb6d9

Score
10/10
bumblebee236revasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

236r

C2

54.38.136.111:443

103.200.32.188:492

74.57.128.223:112

13.2.200.200:338

228.194.82.251:473

247.224.208.140:372

0.151.228.146:282

192.119.77.241:443

186.150.217.235:221

50.41.225.93:478

50.167.186.112:239

173.77.219.120:201

187.210.45.242:299

239.11.133.48:421

207.6.99.3:471

98.28.11.39:201

193.239.152.108:242

133.209.39.126:217

146.19.173.202:443

97.194.155.116:446
rc4.plain

Targets

    • Target

      bumblebee.dll

    • Size

      2.5MB

    • MD5

      5d8c2e7885564f4424a30465c7a2b273

    • SHA1

      79c443c99b0c18d5f7374f6ac62325492b6e4a7b

    • SHA256

      0a8d0d2b177b315ba8facc7d5029ed126840867d065a4f832e53f564c6b0cc32

    • SHA512

      a457399c51b387186019d4149fa733d9c572cf3d4fb9b2c34f69b8cb0c7429e34b788e9eb738d7ebbee3333598f9713d25b439cc70065cc8155e50ae6e6bafc1

    Score
    3/10
    behavioral1

    • Target

      run.bat

    • Size

      58B

    • MD5

      21f479b64e1b4cac98f71d55d928a124

    • SHA1

      a5381cb0557dc3d1ec5a1ce8f76a97adc3d9f4ec

    • SHA256

      6ae8417806a564871b70d7adb4baa557a1ad1cf6f4b61efbff7b00c8bbca1a7a

    • SHA512

      c8ef4a263eefe2f2ded6e146614dd102aa8b41051a7a8e670fa1e3683e608feba507f18ae5a3a5de337df264492c074d489504109909e0afab9b3ee502960315

    Score
    10/10
    bumblebee236revasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion
    behavioral2

MITRE ATT&CK Enterprise v6

Tasks