Overview

overview

10

Static

static

ISO/documents.lnk

windows7-x64

10

ISO/documents.lnk

windows10-2004-x64

10

ISO/timi4r.dll

windows7-x64

10

ISO/timi4r.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ISO.zip

  • Size

    901KB

  • Sample

    220829-m4gmnsgbfl

  • MD5

    b6654246a06bd0c3005d8265fb01278f

  • SHA1

    78cb6a92d61064a4f22f620f1f260a94e1cbef77

  • SHA256

    8b458925785c1e855221df2f36719c93b69f6e3e2e18b91ff0d7cea06ed12fc8

  • SHA512

    657976c6a8db65673ad593cef2685c2c18f72c04247fdeef901c2c9e4ce670e2cceaca462f3b5a3bfec42f96163e32f3d17d912ba4713e2082f0e6b5aa715cf8

  • SSDEEP

    24576:uHx9gjDGpw/UXKsRWq+VwvSGSn9bpMoOP62c2y9u5k/PrBwe:uHbg0gUXKsRWqBSGSn9FMt6ay9uuie

Score
10/10
bumblebee1406revasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

1406r

C2

39.57.152.217:440

69.161.201.181:382

244.6.154.71:111

193.233.203.156:443

221.106.84.123:307

194.135.33.148:443

111.99.39.11:387

223.243.46.133:147

48.165.175.199:316

78.89.31.86:229

157.17.142.85:406

90.81.8.16:370

21.29.238.98:209

154.56.0.252:443

103.175.16.108:443

188.57.4.52:357

15.209.19.148:466

160.70.24.228:486

33.145.184.132:240

235.126.132.170:106
rc4.plain

Targets

    • Target

      ISO/documents.lnk

    • Size

      2KB

    • MD5

      224e06dd94c06af1e883dd7e21ae58ff

    • SHA1

      7a0e842d2c78c8e31d114d7b3f53a678c3f14168

    • SHA256

      f10f7b6b90f1fabd7d55822fa50d11cda7e8651df246daa8f1cf2360cebca61e

    • SHA512

      6d83201c43231c91f0b6ed4efc579c3502bfe5b414320d837f6c9c8df404e8e33c365e69197e6774fcd62b5fed8ee701ee874513afaed9deabbb4bb9f0dbb620

    Score
    10/10
    bumblebee1406revasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion
    behavioral1behavioral2

    • Target

      ISO/timi4r.dll

    • Size

      1.7MB

    • MD5

      6b57fa501321b2ac4f67643f3efc389f

    • SHA1

      a4654130534ad4644da52f758b35de784c01913d

    • SHA256

      76e4742d9e7f4fd3a74a98c006dfdce23c2f9434e48809d62772acff169c3549

    • SHA512

      ccbac2fe07f5490226cbd05314af4c93557aca8fd2ea943a1f75cdd6fa94aff94533ab0ef2ad00ca1be9cc4623e4b8025fe56fadf348d8bf8fe2a312b3e34ea6

    • SSDEEP

      24576:FlfKjRXMDFHC/bemHc+X2eiE3WwDFecqDR9:F9+RUHCjem8+GeCwDFecqDR9

    Score
    10/10
    bumblebee1406revasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion
    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks