Overview

overview

10

Static

static

GfsFepFIKsNGpt.dll

windows7-x64

10

GfsFepFIKsNGpt.dll

windows10-2004-x64

10

request.lnk

windows7-x64

10

request.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Request-08-22-77.vhd

  • Size

    6.0MB

  • Sample

    220831-wcavgsbdb9

  • MD5

    b93dc51a8e8fd9a2823568d16e647050

  • SHA1

    a5b949649aeed6fb6c00ba9b96675f959635dcf6

  • SHA256

    8ce84fae3e55520c041d70bdb90900060eff61c6f9c4282cb48a899e15db0f50

  • SHA512

    65fde34b64a4e439933176817b9cd44afe70d2f60a5019ba326488fc12dc7ebeaf384d56c9a909b544cfaf56d365eb4601988bfa07863bfc13a330fd2d100c5a

  • SSDEEP

    98304:xvxtD66xLrsxIpMKEngsfyJllGVeTQKP7:xvxcWcxIpM/nTfEl8Vef

Score
10/10
bumblebee3108evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

3108

C2

54.203.130.81:428

103.160.22.125:439

100.194.5.156:279

138.10.128.167:465

16.68.199.17:119

49.58.238.45:318

158.121.21.147:265

76.179.109.138:320

219.114.206.84:318

242.123.229.45:306

247.142.48.124:278

137.128.84.3:389

178.18.89.43:472

68.72.230.54:206

253.1.172.156:320

88.12.127.219:297

113.50.222.178:284

135.21.140.60:404

64.44.102.36:443

247.232.101.39:263
rc4.plain

Targets

    • Target

      GfsFepFIKsNGpt.dll

    • Size

      1.7MB

    • MD5

      14da4c2df839237771865372ce4eee25

    • SHA1

      5b0c15e551f989d1702478a50da3fac5bd3dff87

    • SHA256

      32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c

    • SHA512

      dd480f58734d0b5d1b53af599ca665422b1268263bceccd12b9103d95a4554b7b4b781af18eafefc3ba5713ad4cd18ba1513046bad10e7126894bca2761ece17

    • SSDEEP

      49152:7mWxtD5wWHxLrApxq7pMKEngsfyJllGVeTQKP7:7vxtD66xLrsxIpMKEngsfyJllGVeTQKD

    Score
    10/10
    bumblebee3108evasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral1behavioral2

    • Target

      request.lnk

    • Size

      1KB

    • MD5

      1d0f13665c86358fa7ac3c9f6ea11aab

    • SHA1

      85755e92d2a690eb47e12ef98034c6e7aeef467c

    • SHA256

      cdac9fcc6ae12f37231ab1be5515275f1c301f7e10a542059ad0fb82174b30b3

    • SHA512

      8596dadb49514ecc94c6cfad0b8e0b8c59ba9d4e01d61c1b54390f83c4261ba8ed3d8fc92535916f0fd3ca950961c5b90a319eb688a1a34d0f4748b2a65782a7

    Score
    10/10
    bumblebee3108evasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks