Overview

overview

10

Static

static

000/documents.lnk

windows7_x64

10

000/documents.lnk

windows10-2004_x64

10

000/o7m2se.dll

windows7_x64

3

000/o7m2se.dll

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    000.zip

  • Size

    889KB

  • Sample

    220707-sg5zmsbdd3

  • MD5

    e762de5d75d43eeed93152c4f356f353

  • SHA1

    d08565b83406965daaa8e01608a469f33678fb4b

  • SHA256

    edffb9c437f1f4c6e68eace259b37d9cfa86012522876004c25e4fb360132d2a

  • SHA512

    b25d401915c8d4cbe30f5b242c2984a025a7c35cb2aa903af99202f92e3b70f7f0a6a9b6f02a08587b10e14efc32da37f0b468fe0c572d75ab7f794d7da69322

Score
10/10
bumblebee507revasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

507r

C2

146.19.173.184:443

41.15.71.157:274

66.9.9.138:154

36.201.196.202:367

173.200.61.240:100

116.241.116.41:410

242.232.106.206:162

10.195.46.61:489

249.112.226.98:243

130.242.219.205:423

154.56.0.113:443

179.5.59.188:228

217.246.42.10:346

169.197.227.201:474

231.228.102.246:186

185.165.82.120:182

74.230.15.244:376

94.88.121.46:403

120.181.249.142:177

138.141.158.45:217
rc4.plain

Targets

    • Target

      000/documents.lnk

    • Size

      2KB

    • MD5

      516c04aa962dfa0e35e7c992c0eb88a9

    • SHA1

      0ebc08f00d9eb38a72b43be9809162d3362a35de

    • SHA256

      a7885b210054b39cb48f1f95a6697480dfa5f81f5439b69b493ae36a0266d1df

    • SHA512

      92a0fa2f6c7dab55bf60079b33a00dd96aabc19a4a391bfc458a696da62e78035e251f7856a2f4c5665db115305f0aef97c5ab4fd4571c96a147b79fc370e1fe

    Score
    10/10
    bumblebee507revasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral1behavioral2

    • Target

      000/o7m2se.dll

    • Size

      1.5MB

    • MD5

      d35823ecb2ecf107fda8ad5f70bf34c6

    • SHA1

      e2f168167206830a98d4897fcba3a1973118979b

    • SHA256

      d39a9ee4ea88ff2189fd57ec1d26ded5f91c3545663ef12402abecdb10ee5b06

    • SHA512

      c8d7759f7aba1e9ae7212f937fe7abf99b5422a19231d7e9037d4cb3ad5648d1ec622e7fc090f598e4a2ae3c2f2d1ec33b598ad9265764e3ac3273550e52a99b

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks