bumblebee | 2c5f32ed4fc225f2783892b3999e0f543451be596fa3c6d2716235177dfa6558 | Triage

Sharing

General

Target

2c08a491b19efc57e53fbfb8f393eb40d786ea5832bed28148bd12e9ffc51f9c.rar
Size

912KB
Sample

220701-bx32jsedgp
MD5

d451ef85c3c17a8513e0583992d47f5a
SHA1

86e57089e3d7afc986fbd177c7a4356c69558a88
SHA256

2c5f32ed4fc225f2783892b3999e0f543451be596fa3c6d2716235177dfa6558
SHA512

5d16e0bf7fd6685994cf085fea89e2ebc9568ea1b531ae611c80f857ff779d49e836ac5f0c5d94fa74e35a642bbfe4b53880d5679862abe0369388ad1a0e40a8

Score

10^/10

bumblebee 306f evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

306f

C2

76.148.239.59:345

164.137.75.183:397

196.230.60.243:288

28.200.131.233:351

156.139.67.244:461

209.141.46.50:443

146.19.173.155:443

60.18.14.24:308

156.26.157.68:310

206.63.122.98:179

255.23.50.218:274

124.177.4.180:404

82.209.238.26:336

122.142.229.194:311

27.183.95.15:443

126.52.147.11:276

104.35.182.83:440

14.58.138.89:277

21.184.24.214:475

214.61.246.124:182

rc4.plain

Targets

- Target
  
  PRD.lnk
- Size
  
  1KB
- MD5
  
  ca9df40e1b6f6349a68ef7b1555b209e
- SHA1
  
  4f4638fef1f9bc68878fa57f447914678e6fd126
- SHA256
  
  c7279842afcbafc33f5e089d48a2b82e91d48e0f76a554e32dc6c99f3aafe49b
- SHA512
  
  26fb54dc463b99d5249cfac02f6fb860cf95af9f28d319b40ca838d422392f81121fbcde51cacbc2fe45bcc0e7523661c4962321acdd114ea01f4acba1eaf18c
Score

10^/10

bumblebee 306f evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee306fevasiontrojan

behavioral2

bumblebee306fevasiontrojan