bumblebee | f1b84562b52c8f60ff161b2f4a6e746276a750e703e43a053658f6f4e7412c4b | Triage

Sharing

General

Target

f1b84562b52c8f60ff161b2f4a6e746276a750e703e43a053658f6f4e7412c4b
Size

1.8MB
Sample

220831-ww94pabga6
MD5

ce1f05304d82acde02b39c22e237d256
SHA1

0b569e1b4b24f479d608dace86fb8382cc57e85e
SHA256

f1b84562b52c8f60ff161b2f4a6e746276a750e703e43a053658f6f4e7412c4b
SHA512

bf0ed3597b24f1f926c0fea76965f0478d853a5854af04ee96d63ffb828b5960c2bf06bf6073430cb1a63fd0067dce130bc00670d18bc5e2b18bffd3942ae284
SSDEEP

24576:e+zUAOg1kx1D+acFnaBpCTt0PLDDkrF0GI1ib+2sq5tcGKaPI8zeMqqj4Dy5dD:e+zqgafArTtAfaFy1e+2sq55Dey04

Score

10^/10

bumblebee 3108 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

3108

C2

54.203.130.81:428

103.160.22.125:439

100.194.5.156:279

138.10.128.167:465

16.68.199.17:119

49.58.238.45:318

158.121.21.147:265

76.179.109.138:320

219.114.206.84:318

242.123.229.45:306

247.142.48.124:278

137.128.84.3:389

178.18.89.43:472

68.72.230.54:206

253.1.172.156:320

88.12.127.219:297

113.50.222.178:284

135.21.140.60:404

64.44.102.36:443

247.232.101.39:263

rc4.plain

Targets

- Target
  
  f1b84562b52c8f60ff161b2f4a6e746276a750e703e43a053658f6f4e7412c4b
- Size
  
  1.8MB
- MD5
  
  ce1f05304d82acde02b39c22e237d256
- SHA1
  
  0b569e1b4b24f479d608dace86fb8382cc57e85e
- SHA256
  
  f1b84562b52c8f60ff161b2f4a6e746276a750e703e43a053658f6f4e7412c4b
- SHA512
  
  bf0ed3597b24f1f926c0fea76965f0478d853a5854af04ee96d63ffb828b5960c2bf06bf6073430cb1a63fd0067dce130bc00670d18bc5e2b18bffd3942ae284
- SSDEEP
  
  24576:e+zUAOg1kx1D+acFnaBpCTt0PLDDkrF0GI1ib+2sq5tcGKaPI8zeMqqj4Dy5dD:e+zqgafArTtAfaFy1e+2sq55Dey04
Score

10^/10

bumblebee 3108 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee3108evasiontrojan

behavioral2

bumblebee3108evasiontrojan