General

  • Target

    applications-09-22-13.vhd

  • Size

    6.0MB

  • Sample

    220901-yghf8sacar

  • MD5

    cf13cd1409f6b352835542ae8dc17e3c

  • SHA1

    fa4aa447deaa54cd7127ed8c1e59ea67848092f1

  • SHA256

    8a73c9931e09a15c13e7c7faa24c2eeb9c517941f11e01c7f54b63ac69916753

  • SHA512

    f6a80dd0985c2cf6e17ee84d73e56808cfb366f04f06c52f7b238e79fe965322d2bfa1958ae6e20e07d7b9be2f833680aad2766a029c3ec1d01f9d608db72cd4

  • SSDEEP

    24576:GdFModrSTrbU4ErfCUQgQSnlGFNJygYfwvYWMdsA:IF5rST3XSlGFNJydfwv2d5

Malware Config

Extracted

Family

bumblebee

Botnet

0109

C2


rc4.plain

Targets

    • Target

      applications.lnk

    • Size

      1KB

    • MD5

      8e6a8c26d28b532737bee33c678ce4c1

    • SHA1

      58b2afed5538ff1c65552dfb2ea5059edacf00f4

    • SHA256

      777a7dbf91be6ae40c3ae08bdf42fcdabfbddb7f62c8d39fa604c9de5f6a17eb

    • SHA512

      dad7132bf6483ec651a57c3a5a543e62a4a30e2eebf115ec37f35d295a8b7b0bec7294c0fc376a4b3d93663cc76715baa6cbc88f042826c417e72b69fe88d6d1

    • BumbleBee

      BumbleBee is webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      hWnSpOvpRhOazT.dll

    • Size

      1.2MB

    • MD5

      8f0cd21b81355bc7add20183c8001343

    • SHA1

      620347cfd30f1283a96ac9317bc32ad1f49937db

    • SHA256

      ef8811267e17be79b5960297a655c1281697fcba193269156a15aae0ac293e8d

    • SHA512

      3295a6911c669a2c9bb8f250af5d0fae2f50b91e7ee3b147759ab063a097e5705ee98d253991cd47fbcbbeb0cbf4a729f8a50559ed53f685e33241373dbbfb20

    • SSDEEP

      24576:zdFModrSTrbU4ErfCUQgQSnlGFNJygYfwvYWMdsA:BF5rST3XSlGFNJydfwv2d5

    • BumbleBee

      BumbleBee is webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks