General
Target: ZDxlKIroVIDBQm.dll
Size: 1.4MB
Sample: 220830-rcjp6sbeb8
MD5: fa55ff03674d60bfe4a119fc395f847d
SHA1: a23c49f7d94a930cbcafa91be56accb66694012d
SHA256: 083a4678c635f5d14ac5b6d15675d2b39f947bb9253be34d0ab0db18d3140f96
SHA512: edbba800c34a31eb38b24dca1cd7a012e3aaa90aa21d560bb4a8b1f4f51afb95596a1f32364ec43e27b5d1d994c9c7c1c2424abf83ce0a5638af8ce3dacb69a0
SSDEEP: 24576:As2xtHRAeUWVXfEKsjd3c0qd4suo+NFwWAr8IV3oe/6pE9bjk8T4VgqS:Arxtie1VXijdMf2sJ+pGVJ6pEFjIS
Static task: static1
Behavioral task: behavioral1 (sample ZDxlKIroVIDBQm.dll, resource win7-20220812-en)
Malware Config (extracted)
Family: bumblebee
Botnet: 2908
C2 list as extracted. Note that several entries below are private, multicast or reserved addresses (for example 10.41.59.121, 229.229.228.155 and 248.191.121.15), so the list must be filtered before it is used for blocking or hunting:
64.44.98.213:443
100.113.3.207:189
248.191.121.15:332
169.102.141.78:250
161.202.4.242:333
112.151.217.255:451
185.17.40.189:443
10.41.59.121:290
229.229.228.155:345
147.254.231.107:449
105.222.222.48:403
87.37.138.133:474
67.120.105.118:346
159.140.31.255:474
88.205.174.117:143
163.164.171.23:319
111.231.132.164:372
212.58.118.174:298
138.20.6.192:225
156.130.113.183:393
5.194.51.93:490
45.147.230.179:443
251.167.6.17:485
203.111.215.76:284
44.187.116.7:456
76.116.10.102:135
208.179.197.250:133
181.176.243.222:183
26.204.100.76:414
121.43.192.113:427
46.214.156.84:190
106.28.254.209:115
149.116.146.218:446
188.227.42.29:146
49.51.247.30:212
83.25.144.125:340
22.177.99.14:395
167.23.140.145:440
216.103.5.255:213
120.163.45.27:327
118.130.236.121:396
80.169.35.47:161
172.188.238.183:442
167.193.200.165:222
15.131.217.123:108
218.133.129.139:266
187.95.121.165:317
158.145.140.219:296
169.26.105.46:173
224.61.48.90:287
199.239.153.79:429
186.78.76.199:181
182.231.155.237:114
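The extracted list above is not directly usable as indicators: it contains RFC 1918, multicast and reserved addresses, which cannot be live C2 endpoints. The following added example (written for this report; it is not Triage's extractor and not code from the sample) triages the 53 entries copied from the page: it drops anything in non-routable address space, flags host addresses whose last octet is .0 or .255 as suspect, and promotes routable entries on TCP 443 for first review. That the family's live C2 talks TLS on 443 is an assumption, not something the report states; the bucket names and the bogon table are the example's own.

```python
"""Triage the C2 list extracted from this Bumblebee sample (botnet 2908).

Added example for the report, not Triage's extractor or anything from the
sample. The extracted list mixes routable and non-routable addresses, so it
is bucketed before anyone builds a blocklist or a hunt query from it.
"""
import ipaddress
from collections import defaultdict

# Copied from the extracted config on this page (53 entries, original order).
EXTRACTED_C2 = """
64.44.98.213:443 100.113.3.207:189 248.191.121.15:332 169.102.141.78:250
161.202.4.242:333 112.151.217.255:451 185.17.40.189:443 10.41.59.121:290
229.229.228.155:345 147.254.231.107:449 105.222.222.48:403 87.37.138.133:474
67.120.105.118:346 159.140.31.255:474 88.205.174.117:143 163.164.171.23:319
111.231.132.164:372 212.58.118.174:298 138.20.6.192:225 156.130.113.183:393
5.194.51.93:490 45.147.230.179:443 251.167.6.17:485 203.111.215.76:284
44.187.116.7:456 76.116.10.102:135 208.179.197.250:133 181.176.243.222:183
26.204.100.76:414 121.43.192.113:427 46.214.156.84:190 106.28.254.209:115
149.116.146.218:446 188.227.42.29:146 49.51.247.30:212 83.25.144.125:340
22.177.99.14:395 167.23.140.145:440 216.103.5.255:213 120.163.45.27:327
118.130.236.121:396 80.169.35.47:161 172.188.238.183:442 167.193.200.165:222
15.131.217.123:108 218.133.129.139:266 187.95.121.165:317 158.145.140.219:296
169.26.105.46:173 224.61.48.90:287 199.239.153.79:429 186.78.76.199:181
182.231.155.237:114
""".split()

# IPv4 space that cannot host a public C2 endpoint (IANA special-purpose ranges).
BOGON_RANGES = [(ipaddress.ip_network(n), why) for n, why in [
    ("0.0.0.0/8", "this-network"),
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("100.64.0.0/10", "shared address space / CGNAT (RFC 6598)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.0.0.0/24", "IETF protocol assignments"),
    ("192.0.2.0/24", "documentation (TEST-NET-1)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("198.18.0.0/15", "benchmarking"),
    ("198.51.100.0/24", "documentation (TEST-NET-2)"),
    ("203.0.113.0/24", "documentation (TEST-NET-3)"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved (240/4, includes limited broadcast)"),
]]

# Assumption (not stated in the report): live C2 for this family speaks TLS on 443.
EXPECTED_C2_PORT = "443"


def classify(entry):
    """Return (bucket, reason) for one 'ip:port' entry from the config."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return "malformed", "bad host:port syntax"
    try:
        addr = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return "malformed", "not an IPv4 address"
    for net, why in BOGON_RANGES:
        if addr in net:
            return "bogon", why
    if addr.packed[-1] in (0, 255):
        return "suspect", "last octet .0/.255 is unusual for a server address"
    if port == EXPECTED_C2_PORT:
        return "priority", "routable, port matches expected C2 profile"
    return "routable", "routable, non-standard port; review second"


def triage(entries):
    """Group entries by bucket; each value is a list of (entry, reason)."""
    buckets = defaultdict(list)
    for entry in entries:
        bucket, why = classify(entry)
        buckets[bucket].append((entry, why))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(EXTRACTED_C2).items():
        print(f"{bucket} ({len(items)})")
        for entry, why in items:
            print(f"  {entry:<24} {why}")
```

On this list the script discards six entries outright (one RFC 1918, one CGNAT, two multicast, two in 240/4), marks three .255 hosts as suspect, and leaves three port-443 entries at the top of the review queue; the remaining 41 routable entries on odd ports are the ones to resolve against passive DNS and flow data rather than block blindly.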
Targets
Target: ZDxlKIroVIDBQm.dll (1.4MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures (behavioral1):
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys. Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Suspicious use of NtCreateThreadExHideFromDebugger. Calling NtCreateThreadEx with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag creates a thread that does not deliver debug events to an attached debugger, a common anti-debugging technique.
The first five signatures are environment fingerprinting (VirtualBox, BIOS strings, Wine); an analysis VM that exposes those artefacts may record only the checks and no later activity, so a clean result from such a run says little about the payload.
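To make the signatures above concrete, the following added example (written for this report; it is not Triage's rule engine and not output recorded from this sample) runs a small rule set over a constructed event stream: registry opens and value queries in a Procmon-like shape, plus NtCreateThreadEx calls with their CreateFlags. The registry paths are the standard VirtualBox ACPI table names, the Guest Additions and VBox* service keys, the SystemBiosVersion/VideoBiosVersion values and the Wine key; that Triage's rules key on exactly these locations is an assumption. The debugger rule tests the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER bit (0x4) in CreateFlags.

```python
"""Map sandbox registry/API events to the evasion signatures in this report.

Added example, not Triage's signature engine. Events are constructed below in
a simplified Procmon-like form; the registry paths are the well-known
VirtualBox, BIOS and Wine artefacts (assumption: the sandbox's rules key on
these same locations).
"""
import re
from collections import defaultdict

# CreateFlags bit for NtCreateThreadEx: thread raises no debug events.
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x00000004

# Signature name exactly as it appears in the report -> regex over the registry path.
REGISTRY_RULES = {
    "Enumerates VirtualBox registry keys":
        r"\\Services\\VBox(Guest|Mouse|Service|SF|Video)\b",
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)":
        r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    "Looks for VirtualBox Guest Additions in registry":
        r"SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "Checks BIOS information in registry":
        r"HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)",
    "Identifies Wine through registry keys":
        r"^HK(CU|LM)\\Software\\Wine\b",
}
COMPILED_RULES = {name: re.compile(rx, re.IGNORECASE) for name, rx in REGISTRY_RULES.items()}
DEBUGGER_SIG = "Suspicious use of NtCreateThreadExHideFromDebugger"

# Constructed event stream (not real Triage output): what a sample doing these
# checks would look like, plus a benign Run-key read and a normal thread create
# to show that the rules do not fire on them.
SAMPLE_EVENTS = [
    {"type": "registry", "op": "RegOpenKeyExW", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry", "op": "RegOpenKeyExW", "path": r"HKLM\HARDWARE\ACPI\FADT\VBOX__"},
    {"type": "registry", "op": "RegOpenKeyExW", "path": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"type": "registry", "op": "RegOpenKeyExW", "path": r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"},
    {"type": "registry", "op": "RegQueryValueExW", "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry", "op": "RegQueryValueExW", "path": r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "registry", "op": "RegOpenKeyExW", "path": r"HKCU\Software\Wine"},
    {"type": "registry", "op": "RegOpenKeyExW", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "api", "name": "NtCreateThreadEx", "args": {"CreateFlags": 0x0}},
    {"type": "api", "name": "NtCreateThreadEx", "args": {"CreateFlags": 0x4}},
]


def match_signatures(events):
    """Return {signature name: [evidence strings]} for the events that fire a rule."""
    hits = defaultdict(list)
    for ev in events:
        if ev["type"] == "registry":
            for name, rx in COMPILED_RULES.items():
                if rx.search(ev["path"]):
                    hits[name].append(f'{ev["op"]} {ev["path"]}')
        elif ev["type"] == "api" and ev["name"] == "NtCreateThreadEx":
            flags = ev["args"].get("CreateFlags", 0)
            if flags & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
                hits[DEBUGGER_SIG].append(f"NtCreateThreadEx CreateFlags=0x{flags:x}")
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in match_signatures(SAMPLE_EVENTS).items():
        print(name)
        for line in evidence:
            print("   ", line)
```

The same six signatures the report lists fire on the constructed stream, while the Run-key read and the thread created with CreateFlags=0 produce nothing; when tuning an analysis VM, the registry rules double as a checklist of artefacts to remove or rename.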