Analysis
-
max time kernel
44s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27/06/2022, 18:17
General
-
Target
file.dll
-
Size
1.3MB
-
MD5
2dcdc650159b4147ab3eba65800cf553
-
SHA1
53658de68b22b1ca5707ab99e9178b75a7320427
-
SHA256
921f3bfa1f2c1397a749a336c9fb77243932d20eac2a0812348727e5ac83aefa
-
SHA512
cc30d88a7fc26333d71dbd53fb1e7c54de3069efdaa67947c103030b60c1d13716c37cfde48eb7fae2dc556efb5b29de1e37fc23585055e14940380bf1c9008b
Malware Config
Extracted
bumblebee
246a
231.215.229.228:485
69.52.231.230:347
239.99.55.244:383
128.197.89.141:438
100.75.172.149:488
23.82.141.11:443
107.77.228.163:260
88.232.241.45:176
51.83.253.131:443
80.194.203.32:143
18.248.93.197:110
200.194.145.202:359
154.56.0.111:443
154.207.124.132:129
174.104.34.167:296
84.224.237.39:382
195.250.7.94:370
237.251.89.198:174
81.39.2.175:407
139.203.193.38:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\file.dll1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
1.1MB