Analysis
-
max time kernel
42s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27/06/2022, 18:55
General
-
Target
req.dll
-
Size
1.4MB
-
MD5
de26dc1fee02ba446cad6c2f4c21fc31
-
SHA1
3ec4e5303d938f49db3393cb86364f144e18d514
-
SHA256
9e697d49727101d423116274df53a15676ad447e086df0972f91ae78064c9bc1
-
SHA512
800302fdbb4cb33528647f785b951a9f2d8f9d37bfe76d1db951e63a04a4272fd2eae727912cf5533783d4ee73fe6621b3b6dbd50e387b6a242addb40e17400a
Malware Config
Extracted
bumblebee
276a
100.65.168.129:171
207.177.53.164:325
32.87.78.10:384
117.162.18.77:404
116.176.236.58:151
123.2.128.107:267
169.146.162.63:373
55.115.177.92:239
224.248.147.154:499
88.7.179.62:135
187.218.226.58:319
146.70.106.52:443
8.34.35.232:389
98.116.138.87:321
255.161.114.204:370
159.90.121.44:362
150.226.60.234:160
161.254.115.117:308
211.66.121.128:361
43.10.228.15:400
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\req.dll1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
1.1MB