Overview

overview

10

Static

static

of/Office_Install.lnk

windows7-x64

10

of/Office_Install.lnk

windows10-2004-x64

10

of/office.dll

windows7-x64

10

of/office.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    of.zip

  • Size

    881KB

  • Sample

    220906-s5qvmaceel

  • MD5

    4643bef1e86f0070621fa8f19bb987d0

  • SHA1

    475f126aa23f7b4cc82edd46810e96b477e6d4e7

  • SHA256

    7d26abac30a5196738805e5376717b23776f52133f3e983bc981650ac8ca15a2

  • SHA512

    39da7e1e978ead749aba02cb5d7f860a9fb48f9a86f0ecdce46bbbdac248e85cec107e48db4a5b34d7cd62d0c39a543eedceeb4121d0fd6bccd1fafa750ca16a

  • SSDEEP

    24576:YLFbhw5Q6N57qj8YyfcN+RBgqRDnmcuyDv7e1WBoHKvcyx5:YLFdw1N57bfqktzmgv7e1kvF5

Score
10/10
bumblebee176evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

176

C2

70.164.10.27:408

26.41.31.179:151

114.231.91.156:187

133.178.159.62:149

14.62.208.157:254

25.98.245.218:116

118.68.44.63:384

17.129.76.222:497

169.218.206.202:179

74.82.20.46:385

146.19.173.233:443

224.139.76.178:199

203.204.185.83:210

144.253.119.113:310

143.161.126.207:367

23.67.101.88:308

36.73.68.161:435

23.82.141.11:443

172.93.181.233:443

250.96.42.74:399
rc4.plain

Targets

    • Target

      of/Office_Install.lnk

    • Size

      1KB

    • MD5

      6b235a615c34bb2f86e23f9bd86e9bb0

    • SHA1

      5d0acfef254761ee10ef3c89c7c078b19dbf2bf2

    • SHA256

      baa473b56fc40b073f0e0b5f32944857016e6e7fda120385e5ce677710d9e08d

    • SHA512

      2facf906c4cd1004c9f3e75bf3be458f6ae44847f3447d933f3d849d5cc03d064cae1594e8dd9e6d70e71f09e1e514cbce3de185281934bc5ab253afb418312a

    Score
    10/10
    bumblebee176evasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion
    behavioral1behavioral2

    • Target

      of/office.dll

    • Size

      1.5MB

    • MD5

      1b0a14fc9aeb3b9c184fd011dbe69027

    • SHA1

      261fe4a73360fc1902705c1bc9d45ce979094cee

    • SHA256

      ca99667840a239c1a7d7f91b9432c0dcb5b7d8f7696cf79dd94ec2a9773f9bc3

    • SHA512

      3fd5e9bcdedd45b4c686544902086225c1f0b86d5156eec74e13737a6fb467edf3de4ff3e31bc02dfbafb16c07b58ba876174c29da489126397dcd999b73f8d8

    • SSDEEP

      49152:6J/gKqeCzyMiBTe49pFNEI7BAcPz0AhbzC32N8JfTJJwQrsUoT1TCjK0q58un0K6:6JtBCwFt7BAcPz0AhbzC32N8JfTJJwQF

    Score
    10/10
    bumblebee176evasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion
    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks