General

  • Target: invo.zip
  • Size: 898KB
  • Sample: 220627-1la9tsddep
  • MD5: 3a8ff231f043c2fa1cd1ffa9d4bdb401
  • SHA1: cdd2079e963c1a850b051ec877a974ab8c4ffda1
  • SHA256: 7010ea36735e5a720f5f7c30ab1cf560e4d47e4fc4a983ed2f6f3d9770fd7737
  • SHA512: 67df14ffdea0edb153fd02547f00444e9474d16c6bb22e13b2653d065dd8a18d924b5063dc82226150683e93212987c72072e966700b9dea673643816462eff3

Malware Config

Extracted

  • Family: bumblebee
  • Botnet: 276r (the group identifier carried in the Bumblebee configuration)
  • C2:

    76.81.225.65:337
    41.28.188.77:212
    51.199.209.83:290
    192.119.77.100:443
    68.121.248.35:464
    54.37.131.14:443
    149.197.87.217:409
    224.110.0.53:105
    253.13.70.127:340
    122.50.173.112:157
    103.25.51.23:388
    199.61.79.119:346
    68.14.88.177:143
    227.12.148.222:270
    33.93.97.183:112
    168.113.169.88:428
    64.157.160.42:207
    156.151.142.100:123
    146.19.253.56:443
    135.36.57.27:157

  • rc4.plain: the plaintext RC4 key under which the embedded configuration (C2 list and group ID) is stored; no value is shown for it above.

Bumblebee pads its configuration with decoy addresses alongside the real servers, so this list must not be consumed as a blocklist as-is. 224.110.0.53 and 227.12.148.222 lie in the multicast range (224.0.0.0/4) and 253.13.70.127 in the reserved range (240.0.0.0/4), none of which can host a C2. Bumblebee's live C2s in this period listened on 443, so the entries on other ports are likely padding as well and should be treated as low-confidence indicators.
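To separate the reachable servers from the padding, the following is an added Python example (not part of the report and not sandbox tooling) that classifies each extracted entry with the standard library's ipaddress module. The entry list is copied from the report above; the expectation that genuine Bumblebee C2s in this configuration listen on 443 is an assumption of the example, stated as such in the code.

```python
import ipaddress

# The twenty C2 entries extracted from this sample, copied from the report.
EXTRACTED_C2 = [
    "76.81.225.65:337", "41.28.188.77:212", "51.199.209.83:290",
    "192.119.77.100:443", "68.121.248.35:464", "54.37.131.14:443",
    "149.197.87.217:409", "224.110.0.53:105", "253.13.70.127:340",
    "122.50.173.112:157", "103.25.51.23:388", "199.61.79.119:346",
    "68.14.88.177:143", "227.12.148.222:270", "33.93.97.183:112",
    "168.113.169.88:428", "64.157.160.42:207", "156.151.142.100:123",
    "146.19.253.56:443", "135.36.57.27:157",
]

# Port the genuine Bumblebee C2s are expected to use. Treating other ports as
# padding is a heuristic assumed by this example, not something the report states.
EXPECTED_PORT = 443


def parse_c2(entry):
    """Split an 'ip:port' string into (IPv4Address, int)."""
    host, _, port = entry.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def unroutable_reason(ip):
    """Return why an address can never be a reachable C2, or None if it is global unicast."""
    if ip.is_multicast:
        return "multicast (224.0.0.0/4)"
    if ip.is_reserved:
        return "reserved (240.0.0.0/4)"
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return "private/local"
    if not ip.is_global:
        return "not globally routable"
    return None


def triage_c2(entries, expected_port=EXPECTED_PORT):
    """Return (likely_real, suspect); suspect is a list of (entry, reason) pairs."""
    likely, suspect = [], []
    for entry in entries:
        ip, port = parse_c2(entry)
        reason = unroutable_reason(ip)
        if reason is None and port != expected_port:
            reason = "port %d differs from expected %d" % (port, expected_port)
        if reason is None:
            likely.append(entry)
        else:
            suspect.append((entry, reason))
    return likely, suspect


def as_blocklist(entries):
    """Unique destination IPs in numeric order, ready for a firewall or EDR rule."""
    return sorted({str(parse_c2(e)[0]) for e in entries}, key=ipaddress.ip_address)


if __name__ == "__main__":
    likely, suspect = triage_c2(EXTRACTED_C2)
    print("likely real C2s:", likely)
    print("block:", as_blocklist(likely))
    for entry, reason in suspect:
        print("%-22s %s" % (entry, reason))
```

Run on this sample the script keeps three candidates (192.119.77.100, 54.37.131.14 and 146.19.253.56, all on 443) and explains why each of the other seventeen is set aside; the set-aside entries are still worth keeping as low-confidence indicators for retrospective hunting, just not for blocking.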

Targets

    • Target: invo/documents.lnk
    • Size: 2KB
    • MD5: 663851b4f1b3ad5acd85c4ab15493e71
    • SHA1: 32060a7f992322ac9bdf6d976d60181111b571d6
    • SHA256: 68e3bf7eec93dfd4394746769532dbc890207fd6f554c18165e8a2746b3fe2d2
    • SHA512: 0d51286f76f3f8fd292574b97803891571e3c20a110e7b830208591f69fab86941708e1751d3851724b0a12f610ba603afb259451c9e480e42fc306d0688e828

    • BumbleBee

      BumbleBee is a malware loader written in C++; it is not a webshell. It is typically delivered, as here, as an archive containing a shortcut (documents.lnk) and the loader DLL (n3zarek.dll), and it fetches and runs follow-on payloads from the C2 servers in its configuration.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target: invo/n3zarek.dll
    • Size: 1.4MB
    • MD5: 3bd955af74d15e226fd00c7c8556858d
    • SHA1: 8bd4d50e485813c5578b59d5e12658e739a9b818
    • SHA256: c8902ab26a64078ebab618afe410edc41c3d9c6b429a7d84207f112d740cfc51
    • SHA512: 8c47d5360324fba49da30384ee05a34ae1abea772c34ec8fa3d5db2793b39d6aa25e59f1551a72a9cafd931d401ab143f618accdd460bd707d9c09f81f52f758

    Score: 3/10
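The registry checks listed for invo/documents.lnk above are what the sandbox reports; on an endpoint the same behaviour shows up as a burst of registry reads of those locations by one process. The following is an added Python example, not from the report, that scores a Procmon-style registry trace for them. The key paths are the commonly checked locations and are assumptions of the example (the report names no specific keys), and the trace lines, including the rundll32.exe process name and PIDs, are constructed for the demonstration.

```python
import csv
import io
import re
from collections import defaultdict

# Registry locations corresponding to the report's signatures. These are the
# well-known keys such checks usually touch; they are assumed here, the report
# itself lists no paths.
ANTI_ANALYSIS_KEYS = {
    "virtualbox_acpi":    r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    "virtualbox_guest":   r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "virtualbox_service": r"\\Services\\VBox(Guest|Mouse|Service|SF|Video)\b",
    "bios_info":          r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|BIOS\\)",
    "geo_nation":         r"\\Control Panel\\International\\Geo\\Nation",
    "wine":               r"\\Software\\Wine(\\|$)",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in ANTI_ANALYSIS_KEYS.items()}

# Only reads matter: the sample is fingerprinting the host, not configuring it.
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}

# Constructed Procmon-style trace: Process Name, PID, Operation, Path, Result.
SAMPLE_TRACE = r"""rundll32.exe,4120,RegOpenKey,HKLM\HARDWARE\ACPI\DSDT\VBOX__,NAME NOT FOUND
rundll32.exe,4120,RegOpenKey,HKLM\HARDWARE\ACPI\FADT\VBOX__,NAME NOT FOUND
rundll32.exe,4120,RegOpenKey,HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions,NAME NOT FOUND
rundll32.exe,4120,RegOpenKey,HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest,NAME NOT FOUND
rundll32.exe,4120,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion,SUCCESS
rundll32.exe,4120,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS
rundll32.exe,4120,RegOpenKey,HKCU\Software\Wine,NAME NOT FOUND
explorer.exe,1532,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS
"""


def parse_trace(text):
    """Parse CSV trace lines into dicts; malformed rows are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue
        proc, pid, op, path, result = rec
        rows.append({"proc": proc, "pid": int(pid), "op": op, "path": path, "result": result})
    return rows


def anti_analysis_hits(rows):
    """Map (process, pid) -> {category: [paths read]} for reads of anti-analysis keys."""
    hits = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["op"] not in READ_OPS:
            continue
        for name, rx in PATTERNS.items():
            if rx.search(r["path"]):
                hits[(r["proc"], r["pid"])][name].append(r["path"])
    return {proc: dict(cats) for proc, cats in hits.items()}


def verdict(hits, threshold=3):
    """Flag a process that reads keys from at least `threshold` distinct categories.

    A single category (for example Geo\\Nation, which locale-aware software reads
    legitimately) is not enough; the combination of VM, BIOS and Wine probes is.
    """
    return {proc: len(cats) >= threshold for proc, cats in hits.items()}


if __name__ == "__main__":
    hits = anti_analysis_hits(parse_trace(SAMPLE_TRACE))
    for proc, flagged in verdict(hits).items():
        print(proc, "FLAGGED" if flagged else "ok", sorted(hits[proc]))
```

The threshold is the important design choice: any one of these keys is read by benign software (installers look for Guest Additions, locale code reads Geo\Nation), so the detection keys on the combination within one process rather than on any single path.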

MITRE ATT&CK Enterprise v6

Tasks