General

  • Target

    07m2se.zip

  • Size

    889KB

  • Sample

    220706-vchdwsfadq

  • MD5

    e195a7a25fe6c9be4d74c40664abaa94

  • SHA1

    ad61e47875db7fc97c00596af422cbcd7d0b9d39

  • SHA256

    50c6618f82461059cbe4ee858759d39f990e4431dac74adbe345e8678f0f82ac

  • SHA512

    1ddf327834d0c6bc06a269f629d7c28ddb86784ea1aa5c41bd4abb22b1d8a2468702cc4203498924c4b6e0044800f21325baaf3f7c196a2809604a3708ce3ad3

Malware Config

Extracted

Family

bumblebee

Botnet

507r

C2

146.19.173.184:443

41.15.71.157:274

66.9.9.138:154

36.201.196.202:367

173.200.61.240:100

116.241.116.41:410

242.232.106.206:162

10.195.46.61:489

249.112.226.98:243

130.242.219.205:423

154.56.0.113:443

179.5.59.188:228

217.246.42.10:346

169.197.227.201:474

231.228.102.246:186

185.165.82.120:182

74.230.15.244:376

94.88.121.46:403

120.181.249.142:177

138.141.158.45:217

rc4.plain
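The C2 block above mixes two entries on port 443 with eighteen on arbitrary ports, and several of the addresses are not routable at all (10.195.46.61 is RFC 1918 space, 231.228.102.246 is multicast, 242.232.106.206 and 249.112.226.98 fall in the reserved 240.0.0.0/4 block). The script below is an added example, not code from the sandbox or from the malware: it parses the list as printed and labels each endpoint by reachability and port, so an analyst knows which entries can go into an egress block list and which are noise. It cannot tell a live C2 from a decoy, which the report does not state; the labels and thresholds are this example's own.

```python
"""Triage of the C2 endpoints in the extracted BumbleBee config above.

Added example; not code from the sandbox or from the malware. The entries
are copied from the report's C2 block. The classification only asks whether
an address is reachable from a corporate network at all and whether the port
is 443 (the only standard service port in the list); it does not claim to
know which public entries are live.
"""
import ipaddress
from collections import Counter

# Copied verbatim from the "C2" block of the extracted config.
C2_ENTRIES = """
146.19.173.184:443
41.15.71.157:274
66.9.9.138:154
36.201.196.202:367
173.200.61.240:100
116.241.116.41:410
242.232.106.206:162
10.195.46.61:489
249.112.226.98:243
130.242.219.205:423
154.56.0.113:443
179.5.59.188:228
217.246.42.10:346
169.197.227.201:474
231.228.102.246:186
185.165.82.120:182
74.230.15.244:376
94.88.121.46:403
120.181.249.142:177
138.141.158.45:217
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_c2(text):
    """Turn 'host:port' tokens into (IPv4Address, int) pairs, dropping malformed ones."""
    entries = []
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            entries.append((ipaddress.ip_address(host), int(port)))
        except ValueError:
            continue
    return entries


def classify(ip, port):
    """Label one endpoint. RFC 1918 is tested first because Python's
    is_private also covers 240.0.0.0/4 and other reserved space."""
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if (ip.is_multicast or ip.is_reserved or ip.is_loopback
            or ip.is_link_local or ip.is_unspecified or ip.is_private):
        return "non-routable"
    return "public-tls" if port == 443 else "public-oddport"


def triage(text):
    """Rows of (ip, port, label) for every parseable entry."""
    return [(str(ip), port, classify(ip, port)) for ip, port in parse_c2(text)]


def summarize(rows):
    """Count of endpoints per label."""
    return dict(Counter(label for _, _, label in rows))


def blockable(rows):
    """Unique public addresses, the only ones that belong in an egress block list."""
    return sorted({ip for ip, _, label in rows if label.startswith("public")})


if __name__ == "__main__":
    rows = triage(C2_ENTRIES)
    for ip, port, label in rows:
        print(f"{ip:>16}:{port:<5} {label}")
    print(summarize(rows))
```

Run as-is it prints one row per entry and a count per label; four of the twenty entries are never reachable and should not be pushed to a firewall, while the sixteen public ones can be, with the two port-443 entries as the most plausible real transport.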

Targets

    • Target

      07m2se/documents.lnk

    • Size

      2KB

    • MD5

      516c04aa962dfa0e35e7c992c0eb88a9

    • SHA1

      0ebc08f00d9eb38a72b43be9809162d3362a35de

    • SHA256

      a7885b210054b39cb48f1f95a6697480dfa5f81f5439b69b493ae36a0266d1df

    • SHA512

      92a0fa2f6c7dab55bf60079b33a00dd96aabc19a4a391bfc458a696da62e78035e251f7856a2f4c5665db115305f0aef97c5ab4fd4571c96a147b79fc370e1fe

    • BumbleBee

      BumbleBee is a malware loader written in C++; it stages and executes follow-on payloads on the infected host.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      NtCreateThreadEx is called with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so the new thread generates no debug events for an attached debugger; this is an anti-debugging technique.

    • Target

      07m2se/o7m2se.dll

    • Size

      1.5MB

    • MD5

      aa24e9ee74b1ad6d41c59dbf31d7f710

    • SHA1

      41a51bf7fa95bc229a9f6fa6a6d91a05404c996b

    • SHA256

      c6b2d8db11137aa172cacfba7e63f05664a9888b97b72082d0da1f7eaecd8468

    • SHA512

      7271b898af8c50aec37fd5fcd0f0e73cddae480a86cb3110b6411217c67b33346cc527cfa0cdb72a6f7a9ef838b347b5d2f4cbd917ad9762cdcf44e0e18f01d6

    Score
    3/10
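The registry-based checks listed for documents.lnk above (VirtualBox ACPI tables, Guest Additions, BIOS strings, the configured country code, Wine) are individually unremarkable; what marks evasion is one process reading all of them in sequence. The script below is an added example, not the sandbox's signature code: it runs detection logic over a constructed registry-access trace and flags a process only when it combines several of these checks. The registry paths are the well-known locations these checks read. The input format (one JSON object per line with pid, image, op, key, value) is assumed, as an EDR or sandbox API trace might emit it; Sysmon cannot supply it, because its registry events (IDs 12 to 14) cover key create/delete, value set and rename, not reads. The NtCreateThreadEx debugger-hiding flag is not a registry operation and is outside this example.

```python
"""Detection logic for the registry checks the report lists for documents.lnk
(VirtualBox ACPI tables, Guest Additions, BIOS strings, country code, Wine).

Added example, not the sandbox's signature code. The registry paths are the
well-known locations those checks read. The input format is constructed: one
JSON object per line with pid, image, op, key and value, as an EDR or sandbox
API trace might emit for registry reads.
"""
import json
import re
from collections import defaultdict

# Constructed sample trace. pid 4321 mimics the behaviour the report describes;
# 800 and 1200 are benign processes that touch one of the same keys each.
SAMPLE_EVENTS = r"""
{"pid": 4321, "image": "rundll32.exe", "op": "RegOpenKey",    "key": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", "value": ""}
{"pid": 4321, "image": "rundll32.exe", "op": "RegOpenKey",    "key": "HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__", "value": ""}
{"pid": 4321, "image": "rundll32.exe", "op": "RegOpenKey",    "key": "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "value": ""}
{"pid": 4321, "image": "rundll32.exe", "op": "RegQueryValue", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "SystemBiosVersion"}
{"pid": 4321, "image": "rundll32.exe", "op": "RegQueryValue", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "VideoBiosVersion"}
{"pid": 4321, "image": "rundll32.exe", "op": "RegQueryValue", "key": "HKU\\S-1-5-21-1000\\Control Panel\\International\\Geo", "value": "Nation"}
{"pid": 4321, "image": "rundll32.exe", "op": "RegOpenKey",    "key": "HKU\\S-1-5-21-1000\\SOFTWARE\\Wine", "value": ""}
{"pid": 4321, "image": "rundll32.exe", "op": "RegOpenKey",    "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "value": ""}
{"pid": 800,  "image": "svchost.exe",  "op": "RegQueryValue", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "SystemBiosVersion"}
{"pid": 1200, "image": "explorer.exe", "op": "RegQueryValue", "key": "HKU\\S-1-5-21-1000\\Control Panel\\International\\Geo", "value": "Nation"}
"""

# Per-user keys show up as HKU\<SID>\... in most telemetry, so the hive is not anchored.
CHECKS = {
    "vbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "vbox_guest_additions": re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I),
    "bios_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)", re.I),
    "geo_nation": re.compile(r"\\Control Panel\\International\\Geo\\(Nation|Name)", re.I),
    "wine": re.compile(r"\\SOFTWARE\\Wine(\\|$)", re.I),
}
VM_CATEGORIES = {"vbox_acpi", "vbox_guest_additions", "bios_info", "wine"}


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def categorize(event):
    """Map one registry access to a check category, or None if it is unrelated."""
    path = event["key"]
    if event.get("value"):
        path = path + "\\" + event["value"]
    for name, pattern in CHECKS.items():
        if pattern.search(path):
            return name
    return None


def matched_categories(events):
    """Set of check categories each (pid, image) touched."""
    hits = defaultdict(set)
    for ev in events:
        cat = categorize(ev)
        if cat:
            hits[(ev["pid"], ev["image"])].add(cat)
    return dict(hits)


def evaluate(events, min_categories=3):
    """Flag processes that combine at least min_categories distinct checks,
    at least one of them a VM/sandbox probe. A single BIOS or locale read is
    normal; the combination seen in this report is what marks evasion."""
    flagged = {}
    for proc, cats in matched_categories(events).items():
        if len(cats) >= min_categories and cats & VM_CATEGORIES:
            flagged[proc] = sorted(cats)
    return flagged


if __name__ == "__main__":
    for proc, cats in evaluate(parse_events(SAMPLE_EVENTS)).items():
        print(proc, cats)
```

The threshold is deliberately a count of distinct categories rather than of raw events: a loader that probes three ACPI tables has still only done one kind of check, whereas BIOS strings plus a locale lookup plus a Wine key is the sandbox-plus-geofence pattern the report describes.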

MITRE ATT&CK Enterprise v6

Tasks