General
Target: NOwPpfBRiTFTYD.dll
Size: 1.8MB
Sample: 220906-znw4msfden
MD5: b3ab9b4d0f69155cc7df3f72b647afc1
SHA1: 4698056d14689edbf8d7ef1d6b0b327644eecee5
SHA256: 8bf1c0d4bf445006046e26fce66e8c45d034c23ec3f73a14d5230b090bf3662d
SHA512: 8de0d2cf3be709740e5205bfcb3dbff9077cbaa1ec6cd3c52f7b36d7c6e23940c4230e8c378d0f575952f9120c46e9f44008a4a9f2b52032d9671692bdd8e3d5
SSDEEP: 24576:T3HZCk3SJpRELLhZZ63PdojKS9S5Kz+qKyTENoQk9jYfcoucV:T3HZCKLJKVoj/YtOFYfcIV
Static task: static1
Behavioral task: behavioral1
Sample: NOwPpfBRiTFTYD.dll
Resource: win7-20220901-en
Malware Config
Extracted
bumblebee
0609
84.167.88.233:345
215.145.61.202:308
137.40.97.52:338
246.203.125.82:132
70.248.138.150:450
246.254.85.162:227
101.50.12.208:402
14.62.107.26:472
205.185.121.173:443
177.8.108.125:102
187.128.248.53:325
107.189.1.156:443
85.76.146.210:369
41.1.133.165:470
249.69.10.40:322
155.198.230.103:351
33.11.192.227:449
28.229.156.200:263
159.128.17.14:415
46.67.127.195:493
208.216.25.193:250
220.13.251.119:331
108.90.104.11:287
123.239.27.225:337
50.159.69.41:237
24.198.233.171:341
125.239.243.198:469
69.103.210.138:419
158.173.253.217:225
168.133.238.36:190
86.195.214.92:250
214.124.190.40:172
175.206.149.152:313
12.19.236.28:397
152.179.209.102:440
243.11.15.0:286
108.117.245.10:312
219.141.84.9:296
32.36.123.174:334
130.127.46.124:211
8.39.213.130:478
3.173.254.247:114
57.182.63.216:185
192.236.155.47:443
194.90.154.20:369
106.44.131.19:389
163.138.203.210:126
48.208.56.14:209
16.247.46.70:498
140.236.200.163:340
188.92.158.199:348
112.163.138.190:499
130.32.255.95:152
Targets
Target: NOwPpfBRiTFTYD.dll
Size: 1.8MB
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Suspicious use of NtCreateThreadExHideFromDebugger