bumblebee

General

Target

document_96.zip
Size

901KB
Sample

220627-xwnfcschdl
MD5

ab08a3ac884b536d066c21a23e4398fc
SHA1

693d2aa814170ab445a7ac6f8484b77331c5a574
SHA256

db659ed35506bd3963f5d631dea78ed965d2f7ba0f8a824412618e37712d66fa
SHA512

ee43182fa2ffbcef873281936d0644547c49a53a0e8f23a18b7310195377d5988c6788ee64bb0814a34d019d40a82d6702fd4a1dabf29ec21671a25976219bfd

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

276r

C2

76.81.225.65:337

41.28.188.77:212

51.199.209.83:290

192.119.77.100:443

68.121.248.35:464

54.37.131.14:443

149.197.87.217:409

224.110.0.53:105

253.13.70.127:340

122.50.173.112:157

103.25.51.23:388

199.61.79.119:346

68.14.88.177:143

227.12.148.222:270

33.93.97.183:112

168.113.169.88:428

64.157.160.42:207

156.151.142.100:123

146.19.253.56:443

135.36.57.27:157

rc4.plain

Targets

- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  663851b4f1b3ad5acd85c4ab15493e71
- SHA1
  
  32060a7f992322ac9bdf6d976d60181111b571d6
- SHA256
  
  68e3bf7eec93dfd4394746769532dbc890207fd6f554c18165e8a2746b3fe2d2
- SHA512
  
  0d51286f76f3f8fd292574b97803891571e3c20a110e7b830208591f69fab86941708e1751d3851724b0a12f610ba603afb259451c9e480e42fc306d0688e828
Score

10^/10

bumblebee 276r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  n3zarek.dll
- Size
  
  1.4MB
- MD5
  
  98a63f31289d5b8106140da1d3fc2f60
- SHA1
  
  f479133350af108ed30e633067467df6f17a4fda
- SHA256
  
  c536f15022bc8cc16dede9cbd855008ed6c80908245e129425662948014d90c1
- SHA512
  
  bfe86795b6838cfe4c596d5dda9c7429a85ed61b43580d5b0137c3cdb508b8a1da386da8487907fdd003cda259029b98bdd97563ce2e4a4075fb333eb63ae2ad
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4