bumblebee

General

Target

20220706_zippedISO_2.zip
Size

910KB
Sample

220706-rfsr9adegp
MD5

0750bcb0c4885e8f43f964f913cc6654
SHA1

206e1bf99d3b9ffffaa9565f46e605a2c2d1d6c1
SHA256

4cf6f3e5a5d4aa5855df82d40963e46c2fe42876b692ff9f2e535c03cdcc4cd1
SHA512

4df8dc71e372c51d4ee75da203b4fc4bf36ed23d3be6886c5191a57c532515a4367f52dcd3e1274dad0ca81a0c671581c6318e8107fa8138b4e2ae4d7c34496a

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

507r

C2

146.19.173.184:443

41.15.71.157:274

66.9.9.138:154

36.201.196.202:367

173.200.61.240:100

116.241.116.41:410

242.232.106.206:162

10.195.46.61:489

249.112.226.98:243

130.242.219.205:423

154.56.0.113:443

179.5.59.188:228

217.246.42.10:346

169.197.227.201:474

231.228.102.246:186

185.165.82.120:182

74.230.15.244:376

94.88.121.46:403

120.181.249.142:177

138.141.158.45:217

rc4.plain

Targets

- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  516c04aa962dfa0e35e7c992c0eb88a9
- SHA1
  
  0ebc08f00d9eb38a72b43be9809162d3362a35de
- SHA256
  
  a7885b210054b39cb48f1f95a6697480dfa5f81f5439b69b493ae36a0266d1df
- SHA512
  
  92a0fa2f6c7dab55bf60079b33a00dd96aabc19a4a391bfc458a696da62e78035e251f7856a2f4c5665db115305f0aef97c5ab4fd4571c96a147b79fc370e1fe
Score

10^/10

bumblebee 507r evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  o7m2se.dll
- Size
  
  1.5MB
- MD5
  
  53e39a08c5136787aecaf107f9e0c259
- SHA1
  
  2a64185b5fa2a0e5c30974b4624c31e668f8fadd
- SHA256
  
  e2a4f0f0954cf69f16c7672f6415f80c78492602bb82dc5009b4efde81521d48
- SHA512
  
  642493d839fd9a147c6d02a907cc2b898ffb91c1415359f22f8b1698dce6daa82fa23a26f5d099b837f11185dedafaa12c96e1e9fc5eff9d86a8a6917fa9c638
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4