Overview

overview

10

Static

static

HKpiLfqChJKPLc.dll

windows7-x64

10

HKpiLfqChJKPLc.dll

windows10-2004-x64

10

applications.lnk

windows7-x64

10

applications.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    applications-09-22-18.vhd

  • Size

    6.0MB

  • Sample

    220901-ynvedacdg7

  • MD5

    49ef54a9366c589c0f1b6e13d0997932

  • SHA1

    3b85704b450414275fc59431b06fa7f4f91a7344

  • SHA256

    1914b8c8cbb22ccebcdeb2c968e41f9113c9ea02179bae858cb76e477c3eb0b7

  • SHA512

    875ea124c3a98232f17acf10888d2a00964e1bf37488cc11b6fb1171ead8722b463a0dab396ce1ddd788c681faa6c0bda867f608fd1ca8ef95133071ed48927b

  • SSDEEP

    24576:K2g6iSk124v3QMwo04WbKpHd/bq2Nf6lRcN5AWwem6EU0MmJO85:3g6iH13l04yK7/bERcLwBLKU

Score
10/10
bumblebee0109evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

0109

C2

238.135.187.178:122

139.250.85.120:389

48.125.193.25:152

114.213.187.231:380

111.253.120.98:250

226.62.116.55:344

167.157.111.216:424

172.237.68.92:206

16.58.16.45:200

250.119.214.35:204

3.103.169.104:449

241.138.197.72:484

217.78.123.134:168

111.153.255.170:258

44.157.167.56:261

88.38.249.218:141

124.110.55.236:298

248.92.195.241:424

244.202.83.43:409

106.233.170.108:279
rc4.plain

Targets

    • Target

      HKpiLfqChJKPLc.dll

    • Size

      1.2MB

    • MD5

      a2a55bdae16915aea3bc1933b04eb5e1

    • SHA1

      83e2082f4b30e6475fdf0eeb435f7ef8500363a4

    • SHA256

      6b3a8f1b3ee2f33912815aa18ed89184ffcc0ddf8619b7551aba216e20e1fe88

    • SHA512

      46269e04b69f1e8fa6346905becfc3e3cfd08a4ec781b11ef4d16b7c4d70fba5186245986b31f68f57866f755c133c248d057e9ea5ccbbb83175e6905401a9f8

    • SSDEEP

      24576:v2g6iSk124v3QMwo04WbKpHd/bq2Nf6lRcN5AWwem6EU0MmJO85:ug6iH13l04yK7/bERcLwBLKU

    Score
    10/10
    bumblebee0109evasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral1behavioral2

    • Target

      applications.lnk

    • Size

      1KB

    • MD5

      61f4534b554463ef5a6c0695f78c1863

    • SHA1

      a0373390cdc6edce5af66b0c9657f9cd63d3ab78

    • SHA256

      201199f2481044b6f4252e0109d09bb7bd170715d401ed5762539992557455b7

    • SHA512

      79d38cf25d8bc012016ff737c7a3d9923bb831b731c3fe298030a887883d1b65cd67919e7a6658de74683b80af0cb303b1c3069fdb1eb10fd1293f1d997fbb98

    Score
    10/10
    bumblebee0109evasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks