bumblebee

General

Target

Desktop.zip
Size

896KB
Sample

220628-bax7sagad6
MD5

b5d120a3cea2782a2e2b1c6528a7a3d2
SHA1

29718ff81a66ae90904820d6d4848f0c8ea960b8
SHA256

6a359aea078faa3feaeddc2e508184994950d74a65ce4ff0330792383c78c473
SHA512

d471511ab3817b5a5b7a67cb7977c46717296614e948a5e93ce6a33269666610f3ea80d7e267fa38ee8037eca90d72640799d06de2cfca5b69618b53b8479071

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

276r

C2

76.81.225.65:337

41.28.188.77:212

51.199.209.83:290

192.119.77.100:443

68.121.248.35:464

54.37.131.14:443

149.197.87.217:409

224.110.0.53:105

253.13.70.127:340

122.50.173.112:157

103.25.51.23:388

199.61.79.119:346

68.14.88.177:143

227.12.148.222:270

33.93.97.183:112

168.113.169.88:428

64.157.160.42:207

156.151.142.100:123

146.19.253.56:443

135.36.57.27:157

rc4.plain

Targets

- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  663851b4f1b3ad5acd85c4ab15493e71
- SHA1
  
  32060a7f992322ac9bdf6d976d60181111b571d6
- SHA256
  
  68e3bf7eec93dfd4394746769532dbc890207fd6f554c18165e8a2746b3fe2d2
- SHA512
  
  0d51286f76f3f8fd292574b97803891571e3c20a110e7b830208591f69fab86941708e1751d3851724b0a12f610ba603afb259451c9e480e42fc306d0688e828
Score

10^/10

bumblebee 276r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  n3zarek.dll
- Size
  
  1.4MB
- MD5
  
  b41810bbc67d20adb256a0d30674c881
- SHA1
  
  e332e30611b36bbda3ffa98dbdf57590dab5b932
- SHA256
  
  924eb7c79148a8dc9cd66ace2702788c172a82ca8744b3283bd030ec0414e80b
- SHA512
  
  8a43bfbaa05b4dc1949b7030236ff249d54ead3b50c8ce24960d52f7b13a5903b4c764f59c453f2249ebaddcf65459c9a92b3b7f81304e9506ad5a239b274735
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4