Overview

overview

10

Static

static

applications.lnk

windows7-x64

10

applications.lnk

windows10-2004-x64

10

hWnSpOvpRhOazT.dll

windows7-x64

10

hWnSpOvpRhOazT.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-09-2022 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    applications.lnk

  • Size

    1KB

  • MD5

    8e6a8c26d28b532737bee33c678ce4c1

  • SHA1

    58b2afed5538ff1c65552dfb2ea5059edacf00f4

  • SHA256

    777a7dbf91be6ae40c3ae08bdf42fcdabfbddb7f62c8d39fa604c9de5f6a17eb

  • SHA512

    dad7132bf6483ec651a57c3a5a543e62a4a30e2eebf115ec37f35d295a8b7b0bec7294c0fc376a4b3d93663cc76715baa6cbc88f042826c417e72b69fe88d6d1

Score
10/10
bumblebee0109evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

0109

C2

238.135.187.178:122

139.250.85.120:389

48.125.193.25:152

114.213.187.231:380

111.253.120.98:250

226.62.116.55:344

167.157.111.216:424

172.237.68.92:206

16.58.16.45:200

250.119.214.35:204

3.103.169.104:449

241.138.197.72:484

217.78.123.134:168

111.153.255.170:258

44.157.167.56:261

88.38.249.218:141

124.110.55.236:298

248.92.195.241:424

244.202.83.43:409

106.233.170.108:279
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\applications.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\System32\odbcconf.exe
      "C:\Windows\System32\odbcconf.exe" /a {REGSVR hWnSpOvpRhOazT.dll}
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/544-54-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1044-92-0x00000000021D0000-0x00000000022E6000-memory.dmp

    Filesize

    1.1MB

    Download