bumblebee

General

Target

documents.zip
Size

923KB
Sample

220627-vr2q3sech2
MD5

f3b48bbfcf2870da35d2944ce6a83db3
SHA1

ea1d53f527b44e402d061cf236a5b2a1dc89fd1e
SHA256

d2cf5e5e1018f5bc2192ed06dca9732d687cc2735aa07bf763c1721df108a36e
SHA512

c6adc570474534cf19968faa6d6f1cd59df6d6a7b78ec87772f7a0625bf23505b12b89db1044f7482b83a4f5fbbb1070b94898162e67ba89583edcadac1ae32d

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

276r

C2

76.81.225.65:337

41.28.188.77:212

51.199.209.83:290

192.119.77.100:443

68.121.248.35:464

54.37.131.14:443

149.197.87.217:409

224.110.0.53:105

253.13.70.127:340

122.50.173.112:157

103.25.51.23:388

199.61.79.119:346

68.14.88.177:143

227.12.148.222:270

33.93.97.183:112

168.113.169.88:428

64.157.160.42:207

156.151.142.100:123

146.19.253.56:443

135.36.57.27:157

rc4.plain

Targets

- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  663851b4f1b3ad5acd85c4ab15493e71
- SHA1
  
  32060a7f992322ac9bdf6d976d60181111b571d6
- SHA256
  
  68e3bf7eec93dfd4394746769532dbc890207fd6f554c18165e8a2746b3fe2d2
- SHA512
  
  0d51286f76f3f8fd292574b97803891571e3c20a110e7b830208591f69fab86941708e1751d3851724b0a12f610ba603afb259451c9e480e42fc306d0688e828
Score

10^/10

bumblebee 276r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  n3zarek.dll
- Size
  
  1.4MB
- MD5
  
  8135745a29f02e96db7b075de3bb7fdb
- SHA1
  
  fabafe2e3440dbd71d8d9614a3c8abfb1434eac9
- SHA256
  
  90576eb6754dd1c38fb4cea4bf3f029535900436a02caee891c057c01ca84941
- SHA512
  
  df5b9c699f5f85d3d666b4cb0d05f49f798a8c3fec93e98fdc0ccc703bc1cabc5752852e1a5f4020fdd9c7a1c48337ff4370b18091e03b6155262e77daafe43d
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4