General

  • Target

    renamed.vhd

  • Size

    6.0MB

  • Sample

    220831-3pspdsdcgn

  • MD5

    d033574f5a729daa3b135dc384e064c0

  • SHA1

    20b57e7379bf656d6059da528eb113c24a78fd4f

  • SHA256

    bf710851975bd6c5e0df0ed3b145ef1e7d052adff5fbe280fc4601a2c4b03178

  • SHA512

    4b3c3a2312c8c31fd87426f4176c16699796b356b94db087cd1ae3eb15b22f1b5e1ed123ba07e641d6667c93acc8ba1f633efcb20dabc201193b71c04bc15130

  • SSDEEP

    49152:7vsT0Rcbn2wQ0qwPtgeBMZuOHRcS9/cyeMjNIhAiDz:jw0WCwQ0qQtXBMZuOHR//nfjNyAiDz

Malware Config

Extracted

Family

bumblebee

Botnet

3108

C2

247.123.99.147:290

163.159.161.98:338

84.88.36.128:126

213.3.241.78:174

82.124.63.119:343

134.3.181.250:300

165.197.104.159:211

104.168.162.242:443

100.141.139.132:293

228.12.17.45:122

9.12.182.210:246

21.197.211.56:328

128.14.205.155:194

218.163.29.18:219

21.141.107.203:196

214.151.80.130:288

49.167.40.130:467

155.217.214.178:149

197.216.31.35:336

90.184.109.195:201

rc4.plain
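The extractor reports the configuration above by RC4-decrypting the sample's embedded config with the key it lists under rc4.plain (the key value itself is missing from this page). Published Bumblebee analyses also note that the C2 list is padded with decoy addresses, with the live C2 typically on port 443, so the list above should be treated as candidates to verify against network traffic rather than as twenty confirmed indicators. The following is an added example, not the sandbox's extractor code: a plain RC4 routine, a parser for the comma-separated ip:port list, and a port-based triage step. The key, the ciphertext and the field layout are constructed for the example; the botnet ID and C2 entries are taken from this report.

```python
"""Added example (not the sandbox's extractor): RC4-decrypt a Bumblebee-style
config blob and triage the C2 list. The key and ciphertext below are constructed;
the report's real key (the rc4.plain field) is not shown on this page."""
from collections import defaultdict
import ipaddress


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Applying it twice with the same key round-trips."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_c2_list(text: str) -> list[tuple[str, int]]:
    """Parse a comma-separated 'ip:port' string, dropping malformed entries."""
    entries = []
    for item in text.split(","):
        host, sep, port = item.strip().rstrip("\x00").rpartition(":")
        if not sep:
            continue
        try:
            ipaddress.ip_address(host)
            port_n = int(port)
        except ValueError:
            continue
        if 0 < port_n < 65536:
            entries.append((host, port_n))
    return entries


def triage_c2(entries: list[tuple[str, int]]) -> dict:
    """Split the list by port. Published Bumblebee analyses describe the config
    as padded with decoy addresses, with the live C2 on 443; this is a heuristic
    for prioritising verification, not proof that the 443 entry is the real one."""
    by_port: dict[int, list[str]] = defaultdict(list)
    for host, port in entries:
        by_port[port].append(host)
    return {
        "port_443": sorted(by_port.get(443, [])),
        "other_ports": {p: sorted(h) for p, h in sorted(by_port.items()) if p != 443},
    }


def extract_config(key: bytes, enc_botnet: bytes, enc_c2: bytes) -> dict:
    """Decrypt the two fields and return the botnet ID plus triaged C2 entries."""
    botnet = rc4(key, enc_botnet).decode("ascii", "replace").rstrip("\x00")
    c2_text = rc4(key, enc_c2).decode("ascii", "replace")
    return {"botnet": botnet, **triage_c2(parse_c2_list(c2_text))}


# Constructed sample: the botnet ID and three C2 entries from this report,
# encrypted under a hypothetical key so the example runs offline.
DEMO_KEY = b"hypothetical-rc4-key"
ENC_BOTNET = rc4(DEMO_KEY, b"3108")
ENC_C2 = rc4(DEMO_KEY, b"247.123.99.147:290,104.168.162.242:443,163.159.161.98:338")

if __name__ == "__main__":
    print(extract_config(DEMO_KEY, ENC_BOTNET, ENC_C2))
```

With a real sample the key and the two encrypted fields would come from the unpacked DLL; the triage output only orders the verification work, and an entry moves from candidate to indicator once the sandbox's network capture or your own telemetry shows traffic to it.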

Targets

    • Target

      Project details.lnk

    • Size

      1KB

    • MD5

      76a589cd46bb2c3a50d2364dde3cb8e8

    • SHA1

      a1835de970f5202ab6ad2550c746383548b81f8e

    • SHA256

      3e9aab53ea6d684b619ef3c14c1e321003f09fbf671c3d7641cd12843460ba6a

    • SHA512

      26030c1569cb3039948386e0c13aaf36905253e04d313f9c502b7218972e1e57f5682681ea908591cef2469a18b649270f38e0556705c459d83817c7715f8d59

    • BumbleBee

      BumbleBee is a malware loader written in C++, used to download and execute follow-on payloads.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag passed to NtCreateThreadEx, so an attached debugger receives no events for that thread; a common anti-debugging technique.

    • Target

      XOKQDoJQLOIqdw.dll

    • Size

      1.7MB

    • MD5

      c12035d098ad89b8c0d74d86fe98aa77

    • SHA1

      59eaea2d2d4fdfbffa03b68cc73169b351feaf70

    • SHA256

      54c53fdcd0e10fc404fda1a37da748df32f47497447db00023d317b323d6311f

    • SHA512

      a8636da2478c6d34c8e450ffe6f8e8333815c0fe2a18ceb0e57b20c0bea751af00c1d92be7c6961095edd7a697a7ce7d2bc6670d8eb712ef05f7fa85b8182b2c

    • SSDEEP

      49152:QvsT0Rcbn2wQ0qwPtgeBMZuOHRcS9/cyeMjNIhAiDz:qw0WCwQ0qQtXBMZuOHR//nfjNyAiDz

      Differs from the SSDEEP of renamed.vhd only in the first character of each block, so the two files are near-identical at the fuzzy-hash level, consistent with this DLL making up most of the VHD image's content.

    • BumbleBee

      BumbleBee is a malware loader written in C++, used to download and execute follow-on payloads.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag passed to NtCreateThreadEx, so an attached debugger receives no events for that thread; a common anti-debugging technique.
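The anti-VM and geofence signatures listed for both targets all reduce to the sample reading particular registry locations. The following is an added example, not the sandbox's rule set: it maps registry accesses in an API trace onto the signature names used in this report. The key paths are genuine Windows, VirtualBox and Wine locations that these checks are known to touch, but the exact path each sandbox rule matches on is not stated in the report, so the mapping is this example's own; the trace lines and their format are constructed.

```python
"""Added example (not the sandbox's rule set): map registry accesses in an API
trace onto the anti-analysis signatures listed in this report. The trace lines
are constructed; the signature-to-key mapping is this example's own."""
import re

# Registry locations that these signature names usually correspond to. The key
# paths are genuine Windows / VirtualBox / Wine locations; which path each
# sandbox rule actually matches on is not stated in the report.
SIGNATURES = {
    "Enumerates VirtualBox registry keys": [
        r"SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\VBox(Guest|Mouse|Service|SF|Video)",
    ],
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)": [
        r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    ],
    "Looks for VirtualBox Guest Additions in registry": [
        r"SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    ],
    "Checks BIOS information in registry": [
        r"HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)",
    ],
    "Checks computer location settings": [
        r"Control Panel\\International\\Geo\\Nation",
    ],
    "Identifies Wine through registry keys": [
        r"Software\\Wine",
    ],
}

# One call per line: API(hive, "subkey"[, "value"]) -> status
LINE_RE = re.compile(
    r'^(?P<api>Reg\w+)\((?P<hive>HKEY_[A-Z_]+),\s*"(?P<path>[^"]*)"'
    r'(?:,\s*"(?P<value>[^"]*)")?\)\s*->\s*(?P<status>\S+)'
)


def match_signatures(trace: str) -> dict[str, list[str]]:
    """Return {signature: [hive\\path accessed, ...]} for every matching line.
    The access itself is the signal: on bare metal most of these keys do not
    exist, so a status of 2 (ERROR_FILE_NOT_FOUND) still counts as a hit."""
    hits: dict[str, list[str]] = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        full = m["path"] + ("\\" + m["value"] if m["value"] else "")
        for name, patterns in SIGNATURES.items():
            if any(re.search(p, full, re.IGNORECASE) for p in patterns):
                hits.setdefault(name, []).append(m["hive"] + "\\" + full)
    return hits


# Constructed trace in the format LINE_RE expects (not real sandbox output).
# Status 2 = ERROR_FILE_NOT_FOUND, 0 = success.
TRACE = """\
RegOpenKeyExW(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__") -> 2
RegOpenKeyExW(HKEY_LOCAL_MACHINE, "SOFTWARE\\Oracle\\VirtualBox Guest Additions") -> 2
RegOpenKeyExW(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\VBoxGuest") -> 2
RegQueryValueExW(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion") -> 0
RegQueryValueExW(HKEY_CURRENT_USER, "Control Panel\\International\\Geo", "Nation") -> 0
RegOpenKeyExW(HKEY_CURRENT_USER, "Software\\Wine") -> 2
RegOpenKeyExW(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") -> 0
"""

if __name__ == "__main__":
    for name, keys in match_signatures(TRACE).items():
        print(f"{name}: {keys}")
```

The Run key line in the constructed trace is there to show that ordinary registry activity produces no hit; when adapting this to real sandbox or hooking output, adjust LINE_RE to that tool's line format and keep the path patterns as the stable part.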

MITRE ATT&CK Enterprise v6
