General
Target: KcZmTWntdDTIOB.dll
Size: 1.3MB
Sample: 220830-lr5nasfbbk
MD5: ded3f8dbe77045060f65ad7a4c27a567
SHA1: f49e9840be5077139a57ed487a6ff86717120b28
SHA256: df19530dba164f8209342cc992fc2822dc233d025affa9a5f8134dc822a5e334
SHA512: efa4b914302b6886b6e954a37942b6c1a339808476c4b29df356f9339a851c37084f996e87814f2ae7d099bc96e28f64d19547493f7c951aed7254828d553705
SSDEEP: 24576:ts2hTjqX3PE7W5OIw1KMSQcH/DEQur1NNpNtfEKBKeQ7ENH:ts2ljqvEz1zSZwQuJNNHhEKBKe
Static task: static1
Behavioral task: behavioral1
Sample: KcZmTWntdDTIOB.dll
Resource: win7-20220812-en
Malware Config
Extracted
bumblebee
2908
Targets
Target: KcZmTWntdDTIOB.dll
Size: 1.3MB
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys. Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Suspicious use of NtCreateThreadExHideFromDebugger