General

  • Target

    weTransfer_20220628.zip

  • Size

    1009KB

  • Sample

    220628-zjfwvscber

  • MD5

    ea74a77d035c02d1eba2b8edf032e94c

  • SHA1

    2476fd03768f9a9e6d977b614bde2ccd14156a71

  • SHA256

    829da96f3749a0a174b525c353de071ee8bae67655608a61a8bf83f06d791af4

  • SHA512

    607aba7d5f8fe8dd9ee2d3745ef73c96d6c9c0c4bc3f58255e211a50f9bff3519bd8aec4e188f09db98aaa6050bff0a731ca917aa89a445fcbf25bd510a96666

Malware Config

Extracted

Family

bumblebee

Botnet

286a

C2


rc4.plain

Targets

    • Target

      PRD.lnk

    • Size

      1KB

    • MD5

      ba087f3dc565e4c1dc54c5e2f581f4a1

    • SHA1

      90940bfa9973a4d455e25d09c2c0f1c4d2ffb06e

    • SHA256

      dfc5072b4874706e6ebe8c47140dedc6051f8dda92351bdea8996154e6a96ed2

    • SHA512

      c3f22c3d24d08b4fe96e097bbb192f1c47afc3933b49d20da98d33edd0fb8c6c7615a102a4f75d6f1ef50c0c85ab574e9b41be9adf780ee27b6667b3e64d648c

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      sec.dll

    • Size

      1.7MB

    • MD5

      a30bf883c38b54c3b22a2f8ccfb1bd8a

    • SHA1

      9a5ec009753040c5214b864d9d271901eb4542ac

    • SHA256

      95a6114c8b9879ebc9a0142fcd46d41dd428380a27d5b396a232f42e4a505fb2

    • SHA512

      64d3f30c8564e4eedecd7f3f8c3b1eafaa3d781fb5bef39825ea1b8fdd1f39c38ac477f08a7a147fcb2f404c32ded7ae841b5bb443070945e1aa60668838ed58

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      sec.rsp

    • Size

      14B

    • MD5

      178205c1d8cc39f1e6a76bf86d791dc8

    • SHA1

      215b7894b9680f604802b65381c58848ef3f17f5

    • SHA256

      0f1419dcae5228bbe4f9305d5b265478ef5c618adc41540a637e08eb25f66429

    • SHA512

      1dc4edb8c1467d5de639d9f5afaee1bec19edfab83f6d307cdbcb3870c22276029c92f06cb2bdefa1dab04c6f9009e5cc998cc009b68707ec92e59cd311eda78

    Score
    3/10

MITRE ATT&CK Enterprise v6

Tasks