bumblebee | 8427fe989bc9b71a07d2a26a80e9f88fb2f2a7cb068fff5a7998e6a4628432bc | Triage

Sharing

General

Target

file.zip
Size

892KB
Sample

220627-y6jqladbgm
MD5

a4f2e4e4398d884e46fa2d6c54998c19
SHA1

d0845f2b1dbee849dd52bba2a06fc6a22bbdf027
SHA256

8427fe989bc9b71a07d2a26a80e9f88fb2f2a7cb068fff5a7998e6a4628432bc
SHA512

df684cb7008e3117ee6b5c64ab3ff89879359c45ff9b0d1aff1a5862c6c142e71d2fdc00e4ed53d57bce2a8f575fffaff413a1d293ff952e8facae0ee382bac2

Score

10^/10

bumblebee 276r evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

276r

C2

76.81.225.65:337

41.28.188.77:212

51.199.209.83:290

192.119.77.100:443

68.121.248.35:464

54.37.131.14:443

149.197.87.217:409

224.110.0.53:105

253.13.70.127:340

122.50.173.112:157

103.25.51.23:388

199.61.79.119:346

68.14.88.177:143

227.12.148.222:270

33.93.97.183:112

168.113.169.88:428

64.157.160.42:207

156.151.142.100:123

146.19.253.56:443

135.36.57.27:157

rc4.plain

Targets

- Target
  
  loader.bat
- Size
  
  55B
- MD5
  
  7570714d0f7f867da3c26839c45842fd
- SHA1
  
  4d72ffc8ad5aa71c100f732da6eebd5d6e237414
- SHA256
  
  b3cb8e9bd42228a54aebd27f2f1435cb2643f698ab805aac64b691f0c0cdf5a6
- SHA512
  
  24396fa0e43cd8d5efa1c555905aae9ef1d7041d5aaf00e255d71ebbfc7dcaa72172c455148a2cefecfc52c1978ef782ce011473f4d837ae7a30f2c95880a613
Score

10^/10

bumblebee 276r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  n3zarek.dll
- Size
  
  1.4MB
- MD5
  
  08c3517c5ede72888fbc6f3763ba3066
- SHA1
  
  b9cf2513cd5606927032253a06592412ce8a801e
- SHA256
  
  690877449ad40cac88e0262df350ab3aa9c33fb788a6d8462003530af61e7ec5
- SHA512
  
  7c913d5224aa3ddc798941795f7b53612be8b776190bec0f6bde6c4f9db34c0c5d5a0cf662e0f216150bd8810dd01ac57c0125019f4185499181e07802d16e90
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee276revasiontrojan

behavioral2

bumblebee276revasiontrojan

behavioral3

behavioral4