bumblebee | af2ee66b2d500592d403d7e9d2fefca6bb4dfda332517a9d29d510d6cb43fe2c | Triage

Sharing

General

Target

af2ee66b2d500592d403d7e9d2fefca6bb4dfda332517a9d29d510d6cb43fe2c
Size

1.8MB
Sample

220902-x9nnaabbcj
MD5

8e5b5977740c91b2c6c2c7a1526ce773
SHA1

e09187f29416d8e8b5176cb4cf22cdfdf743313d
SHA256

af2ee66b2d500592d403d7e9d2fefca6bb4dfda332517a9d29d510d6cb43fe2c
SHA512

a006467db7f5457d91a82190c5ecad87d722ba2f82123a8c113279764b3341384d8487709213ec82e26b02a7c750b28576196127fefbbe8876f0716044f06901
SSDEEP

49152:+c3D/V8zHZRDr0VzoLMahBrfWvmn2H6C0n:+g/V8zHZRDWzoLRhBrfWvm2H6C0n

Score

10^/10

bumblebee 3108 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

3108

C2

247.123.99.147:290

163.159.161.98:338

84.88.36.128:126

213.3.241.78:174

82.124.63.119:343

134.3.181.250:300

165.197.104.159:211

104.168.162.242:443

100.141.139.132:293

228.12.17.45:122

9.12.182.210:246

21.197.211.56:328

128.14.205.155:194

218.163.29.18:219

21.141.107.203:196

214.151.80.130:288

49.167.40.130:467

155.217.214.178:149

197.216.31.35:336

90.184.109.195:201

rc4.plain

Targets

- Target
  
  af2ee66b2d500592d403d7e9d2fefca6bb4dfda332517a9d29d510d6cb43fe2c
- Size
  
  1.8MB
- MD5
  
  8e5b5977740c91b2c6c2c7a1526ce773
- SHA1
  
  e09187f29416d8e8b5176cb4cf22cdfdf743313d
- SHA256
  
  af2ee66b2d500592d403d7e9d2fefca6bb4dfda332517a9d29d510d6cb43fe2c
- SHA512
  
  a006467db7f5457d91a82190c5ecad87d722ba2f82123a8c113279764b3341384d8487709213ec82e26b02a7c750b28576196127fefbbe8876f0716044f06901
- SSDEEP
  
  49152:+c3D/V8zHZRDr0VzoLMahBrfWvmn2H6C0n:+g/V8zHZRDWzoLRhBrfWvm2H6C0n
Score

10^/10

bumblebee 3108 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee3108evasiontrojan

behavioral2

bumblebee3108evasiontrojan