General

  • Target

    Desktop.zip

  • Size

    850KB

  • Sample

    220627-wxjccscgap

  • MD5

    a0305157534d17739475227b6b7d5226

  • SHA1

    03af93160d9419679440cb041621ee06b83c0f82

  • SHA256

    6cf956db3859bd847314f12112f287b8fdd2d2be52774ead74714e6a767a35bb

  • SHA512

    7856b71b48e4781212a8d1050f03939a3082689a26025042bb2fd2317603f411b25ba6ee70aef8bfd87260b04fcbb288917141c48dfa64f62e05220f4b50f0a9

Malware Config

Extracted

Family

bumblebee

Botnet

246a

C2

rc4.plain

Targets

    • Target

      Project Requirements.lnk

    • Size

      1KB

    • MD5

      256a844abb597fb13643e29a7936810b

    • SHA1

      2b0ab128fc091b5b7c81d776b606b1cff66f5c62

    • SHA256

      5160437927e46c3d9daf1fdff38f52c8d64cb639e1a3678da222e3ab180bce36

    • SHA512

      a4e1a08fd3a9ec265fa134e194d7549f5aa82d50323b91d86b8dd5f5e7de689726b9caa70ef0e4b1ebcad7da85cfc89c84bb9e801f10419453b822e9eb0bbfdf

    • BumbleBee

      BumbleBee is webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      file.dll

    • Size

      1.3MB

    • MD5

      2dcdc650159b4147ab3eba65800cf553

    • SHA1

      53658de68b22b1ca5707ab99e9178b75a7320427

    • SHA256

      921f3bfa1f2c1397a749a336c9fb77243932d20eac2a0812348727e5ac83aefa

    • SHA512

      cc30d88a7fc26333d71dbd53fb1e7c54de3069efdaa67947c103030b60c1d13716c37cfde48eb7fae2dc556efb5b29de1e37fc23585055e14940380bf1c9008b

    • BumbleBee

      BumbleBee is webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      file.rsp

    • Size

      15B

    • MD5

      1c6a69652e5dcdef6a4c8c8c9e546485

    • SHA1

      46e22f9189a4fc3dc8fd91298b0f5e826a17d7ae

    • SHA256

      499edadfbca140ed6e915a7fb7769b8f3da33c4d2173ff056f489a07da91dc4e

    • SHA512

      c05d4b04a79430c90930d8e841a1bf134990d5e39dd1a3b6c5dd2d8a13a7c0e2b49887cebfa89328a75f45d58f661e6956ce98ed4b1d0d338fd9133286091daf

    Score
    3/10

MITRE ATT&CK Enterprise v6

Tasks