Overview

overview

10

Static

static

Project re...ts.lnk

windows7_x64

10

Project re...ts.lnk

windows10-2004_x64

10

upload.dll

windows7_x64

10

upload.dll

windows10-2004_x64

10

upload.rsp

windows7_x64

3

upload.rsp

windows10-2004_x64

3

Analysis

  • max time kernel
    28s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    upload.dll

  • Size

    2.0MB

  • MD5

    d7bb608a3b370fa7f457b4e89bbdb594

  • SHA1

    0c82220151415e6cbce25d2615d29f4352e0ecd5

  • SHA256

    f0fdc0b64b747f348a87a382ff5dfe016107f95ab5953318cc8d9548a983efd1

  • SHA512

    10c16d38e7fc6b8ccf9e023f50ae3600790d225ad5b170f4f76eb0d3c47d0cd3e01047fe89f7788cd482277ad91477bc369ab7e2a93acc7005f7cc9e7a8f2dd0

Score
10/10
bumblebee707aevasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

707a

C2

172.240.175.194:183

171.85.135.192:358

223.7.203.157:407

45.153.242.183:443

211.68.220.197:102

174.119.130.65:369

202.41.22.30:314

58.10.113.168:308

12.33.69.160:285

205.185.123.137:443

112.188.178.13:332

168.205.228.104:480

83.218.135.147:151

228.175.209.140:269

240.114.36.128:411

8.109.227.172:304

142.11.245.185:443

214.233.117.120:167

198.135.200.7:254

73.74.56.146:272
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\upload.dll
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1640-54-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1640-55-0x0000000002650000-0x0000000002766000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1640-57-0x0000000002650000-0x0000000002766000-memory.dmp

    Filesize

    1.1MB

    Download