General
- Target: GfsFepFIKsNGpt.dll.exe
- Size: 1.7MB
- Sample: 220901-m4kdkacfcm
- MD5: 14da4c2df839237771865372ce4eee25
- SHA1: 5b0c15e551f989d1702478a50da3fac5bd3dff87
- SHA256: 32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c
- SHA512: dd480f58734d0b5d1b53af599ca665422b1268263bceccd12b9103d95a4554b7b4b781af18eafefc3ba5713ad4cd18ba1513046bad10e7126894bca2761ece17
- SSDEEP: 49152:7mWxtD5wWHxLrApxq7pMKEngsfyJllGVeTQKP7:7vxtD66xLrsxIpMKEngsfyJllGVeTQKD
- Static task: static1
- Behavioral task: behavioral1
- Sample: GfsFepFIKsNGpt.dll
- Resource: win7-20220812-en
Malware Config
Extracted
bumblebee
3108
Targets
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys. Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Suspicious use of NtCreateThreadExHideFromDebugger