General

  • Target

    request.zip

  • Size

    922KB

  • Sample

    220830-l7h48sggd4

  • MD5

    66e25dc86d66ee7c8da2bc653cf11367

  • SHA1

    382acd345cb21dddd3d0e4b13fccf2811af227dd

  • SHA256

    c021cd6c46672918c040eb69b0f714d981c1c401b843f1e17e1e129d548f8b99

  • SHA512

    e7c462aa7c1747236d0cf02d0118cfdbbdd6f79986be4389921e81c09e33bdba3a0a7633e943c047acafe52282dda614d32ec55961fa92b17648ba3355456952

  • SSDEEP

    12288:7B3N4avM42eJlfVRz6MZx2CQ8rjVQZU1zk+qxOmnLbWtEN5rHSVwQg4/U75jhJ5b:HxpJlL6MZBvEUVQU3ENkGQg4cTJ5pJ

Malware Config

Extracted

  • Family

    bumblebee

  • Botnet

    2908

  • C2

    64.44.98.213:443
    100.113.3.207:189
    248.191.121.15:332
    169.102.141.78:250
    161.202.4.242:333
    112.151.217.255:451
    185.17.40.189:443
    10.41.59.121:290
    229.229.228.155:345
    147.254.231.107:449
    105.222.222.48:403
    87.37.138.133:474
    67.120.105.118:346
    159.140.31.255:474
    88.205.174.117:143
    163.164.171.23:319
    111.231.132.164:372
    212.58.118.174:298
    138.20.6.192:225
    156.130.113.183:393

  • rc4.plain

Targets

    • Target

      request/JwiggegecGrAtB.dll

    • Size

      1.4MB

    • MD5

      0452d7a9495c0d52cca77823d7ed038a

    • SHA1

      10b2622cff8169d8925af69cb82e92741be4fa1c

    • SHA256

      d61a8789efb9ce1d88d747e25b35bde938f7b749190470a29ec94334fca17259

    • SHA512

      fb71ae9fb2a940d6c8226702475764118c3d6229e7d8501785c42d2cd99afca3b63928f7cdcab0ba626af2e4095b1f7cffa3fe4cb998649b036224fef83150b0

    • SSDEEP

      24576:uYdzZyfNddAr0UjQ3YTF++P8rebQacJ0RVxPiW3IW/Hk0wGaW:uYNEfNYrZjAaF++dY0X6mIWfkHGa

    • BumbleBee

      BumbleBee is a webshell malware family written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      request/request.lnk

    • Size

      1KB

    • MD5

      1cfeaa2c13c3f59448c13fd001716e00

    • SHA1

      bd4c7d8eb86b76acfc15943ce447aed2279a3e96

    • SHA256

      8407679b8a594a66db48cd92560fac278749e233531254a048215cc948f17d16

    • SHA512

      12d752c7b7721a91e15ae0d3da41a66600a83446797f37d7f91f9e21d6bf443f053095331fa83fa01a64434a9738f09e1b19a188f74cfb0fb4c10c09def45da8

    • BumbleBee

      BumbleBee is a webshell malware family written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks