General

  • Target

    Desktop_20220907.zip

  • Size

    1.1MB

  • Sample

    220907-r7wyzscch4

  • MD5

    5a1cb62d734e2e7f04bba41eb90df8dc

  • SHA1

    3647e757bf91125824924ec6cacfe33abefef3ba

  • SHA256

    7cc598a77e4808201dabb766c9b10f89b3a25bd0f50ee35e6bac5f57ca43f49d

  • SHA512

    32e441bfbde1cac59b5685c71b9369ad3c60dff94da5c787e74e4dab39d01115ef8addd4d6fb58e004ee0d88507d9885bb6e946bfaefcff4abcd8d6b39048c72

  • SSDEEP

    24576:P2KYgAtYePgeTQhwVxBDKT/XrPjh1cGf/yCUFIDAhxVu0DtocTzE:P2KV8YGgN4DUXrr3cUJDaHuutocTzE

Malware Config

Extracted

Family

bumblebee

Botnet

0709

C2

rc4.plain

Targets

    • Target

      DFSdDHyafGNBMb.dll

    • Size

      2.0MB

    • MD5

      8f9387ca6c1e41ba72d508ec6ea4d5c4

    • SHA1

      0064cee66185c74bf3ceef803338f5761f6f530a

    • SHA256

      f1aa85cd3d3ed3d2b3ff8e705d81c32d2e7794208f7f7a76f7314ef408b897d2

    • SHA512

      2cf22ab0f2ecf00d1fac9a12855ae98c46b2017e9ad0c95b495f1f1d28139a6fe05f288b2338a677c749f056c62e8ffa0bd5e53118b9a41c512a5bfac792ee09

    • SSDEEP

      49152:8G7rRbE0bvTj0KvJirCjyGVgjuUTuD70644yeK:8MKATvJi

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      project info.lnk

    • Size

      1KB

    • MD5

      a3014c117e11c1116f9e51eb79529ab9

    • SHA1

      d9acd73a1898a632bee558d4a0f96995352e1fc0

    • SHA256

      d16b76e0b7e88750733ebc46df80708a539c60d936add5a4fba66f35d3ab260a

    • SHA512

      8b72991786f5f27b3b56bc0cc239cdb24a6ee2649b311320b481f02c4972ea30d9a2e62e95a056fb8bf55b6c2d14d6d749f944d0ae29d2a2cbca9fdae9180dd8

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks