Overview

overview

10

Static

static

bb.img

windows7-x64

3

bb.img

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2022 07:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb.img

  • Size

    2.7MB

  • MD5

    19b54d91705cce89218ece1e52bdb7ad

  • SHA1

    905723cb555878c30990b4dde712279a9dd62f25

  • SHA256

    fe2568cea3666dd24343675139ecc41ed6515bb7ef3a8c429d081d77ce4fecb4

  • SHA512

    9c03491da4b2f2232e3a41532bc5dfca3c311c4661e4ad04a4f0af1cfe0c26f1f7b171190531e4b2362c280cfdd93bdc4ac9dcf290f157edb90be33a37f48adc

  • SSDEEP

    49152:2ayur8YwnS01ZT37lLtdgnU46t5ABYUwdXgHJS0IHgGRtO2a8:2jQ8YwnS01pt5ABYUwdXgOA0

Score
10/10
bumblebee0209evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

0209

C2

159.196.99.235:220

46.241.88.151:473

163.42.208.175:408

145.251.206.111:433

132.48.91.216:310

161.93.194.47:182

218.182.82.154:398

145.239.30.219:443

202.2.19.182:100

98.24.210.54:363

235.13.194.195:257

56.105.54.206:125

212.182.37.77:468

206.189.172.134:307

172.87.185.49:402

210.164.71.146:202

95.102.250.247:112

17.218.240.241:314

118.117.38.104:479

254.167.162.25:158
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\bb.img
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1476
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3876
    • C:\Windows\System32\odbcconf.exe
      "C:\Windows\System32\odbcconf.exe" /a {REGSVR ZxGEglpFzQMQIL.dll}
      1⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2108

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2108-133-0x000001700F180000-0x000001700F296000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2108-134-0x00007FFA862E0000-0x00007FFA862F0000-memory.dmp

      Filesize

      64KB

      Download