General

  • Target

    ta578_URLs_20220907.zip

  • Size

    1.1MB

  • Sample

    220907-wamfhahhhk

  • MD5

    4d72f3209205a7caa9caf43e6c9de9be

  • SHA1

    181bfc3600b06bb4385f3de7735c66e377e6c784

  • SHA256

    734e3996a3fedd0744522f70a916d6affaad5fe56b52ef8903f27f1c0fe1337f

  • SHA512

    cf5187824f3fe2e20bcc3b1e421924a2b6684d0b71e66ac01f744931e1327e35192e4357b8de9baaa48f0ba0622d51133fcdf95d35876c486634e1f66dcd07d6

  • SSDEEP

    24576:BDJ3l+u05+iz0eT73ZSPOAUJxn8a86Tgi/qo8kyBl:B13l+p57Io73sCnX86T7y3kyBl

Malware Config

Extracted

Family

bumblebee

Botnet

0709lg

C2

253.99.168.157:367

114.13.1.160:226

34.113.116.119:165

204.227.208.101:422

90.128.124.215:224

95.45.92.109:292

211.135.230.28:111

199.40.74.224:435

85.230.106.25:390

189.255.181.14:334

213.227.154.169:443

232.196.162.145:304

214.20.238.201:145

87.216.172.198:397

171.201.228.43:398

87.63.40.34:125

120.83.66.17:278

34.65.29.63:243

45.153.240.94:443

232.179.211.66:291

rc4.plain
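The extracted C2 list deserves a closer look before any of it is turned into blocklist entries. Three of the twenty addresses sit in ranges that cannot host a reachable unicast server (232.x.x.x is multicast, 253.x.x.x is in the reserved 240.0.0.0/4 block), which is consistent with BumbleBee configurations padding the real servers with decoy entries. The script below is an added example, not part of the report or of any sandbox tooling: it classifies each "ip:port" entry from the config above with the standard library ipaddress module and keeps only publicly routable candidates, ordering those on port 443 first. That ordering is a heuristic of mine, not something the report states.

```python
"""Triage an extracted BumbleBee C2 list: separate routable candidates from decoys."""
import ipaddress
from typing import Dict, List, Tuple

# The C2 entries exactly as listed in the extracted config above.
C2_ENTRIES = [
    "253.99.168.157:367", "114.13.1.160:226", "34.113.116.119:165",
    "204.227.208.101:422", "90.128.124.215:224", "95.45.92.109:292",
    "211.135.230.28:111", "199.40.74.224:435", "85.230.106.25:390",
    "189.255.181.14:334", "213.227.154.169:443", "232.196.162.145:304",
    "214.20.238.201:145", "87.216.172.198:397", "171.201.228.43:398",
    "87.63.40.34:125", "120.83.66.17:278", "34.65.29.63:243",
    "45.153.240.94:443", "232.179.211.66:291",
]


def classify_entry(entry: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one "ip:port" string.

    verdict is "candidate" for a public unicast address with a valid port,
    "decoy" for an address that cannot be a real internet C2, and
    "invalid" for malformed input.
    """
    host, sep, port_str = entry.rpartition(":")
    if not sep:
        return "invalid", "no port"
    try:
        port = int(port_str)
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "invalid", "unparseable address or port"
    if not 1 <= port <= 65535:
        return "invalid", f"port {port} out of range"
    # Explicit checks rather than is_global, whose semantics changed in Python 3.12.
    if addr.is_multicast:
        return "decoy", "multicast (224.0.0.0/4) cannot be a unicast C2"
    if addr.is_reserved:
        return "decoy", "reserved (240.0.0.0/4) is not routed on the internet"
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return "decoy", "non-public address"
    return "candidate", "public unicast address"


def triage_c2_list(entries: List[str]) -> Dict[str, List[str]]:
    """Bucket entries by verdict; candidates on port 443 are listed first (heuristic)."""
    buckets: Dict[str, List[str]] = {"candidate": [], "decoy": [], "invalid": []}
    for entry in entries:
        verdict, _ = classify_entry(entry)
        buckets[verdict].append(entry)
    # Heuristic only: BumbleBee's live servers are usually reached over 443.
    buckets["candidate"].sort(key=lambda e: (not e.endswith(":443"), e))
    return buckets


if __name__ == "__main__":
    result = triage_c2_list(C2_ENTRIES)
    for verdict in ("candidate", "decoy", "invalid"):
        for entry in result[verdict]:
            print(f"{verdict:9} {entry:22} {classify_entry(entry)[1]}")
```

Run on the list above this leaves seventeen routable candidates and three decoys; the surviving entries still need confirmation (passive DNS, certificate data, or a second sample from the same botnet id) before they are trusted as live infrastructure.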

Targets

    • Target

      Documents.lnk

    • Size

      1KB

    • MD5

      62c2908779e9d600b7f173349b4e0336

    • SHA1

      6cdb058004c035650018a2467c61ac9c70c103b4

    • SHA256

      1b566c56ec82909b3022ca375323a9fee0ccbbd86a8a8735ffc352f4a035b969

    • SHA512

      2d9edca7584c4abcd741b4b206536dd55165b2a08e9c634d7c98dd29885f66eb3ebf112581e03fa058f3332aff7dc238c1b14e4818a9bf715c7a5360a6c3cf42

    • BumbleBee

      BumbleBee is a malware loader written in C++, used to deliver follow-on payloads.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      ZRoeaQxZZMZDVb.dll

    • Size

      2.0MB

    • MD5

      29a405557da7bb24b2f278c5c46dfd3c

    • SHA1

      a089591a65546d9f25e769c7f22b0c61e1836223

    • SHA256

      0e3933b1489a91bfe99dd652d7e64c09380b210d2404f32b26251d34fa58ca8b

    • SHA512

      b332d39986610cc8a1e816d567107778f5c9e45d6bf55c614e673f5853b990abb312a052773afba6eb8a0fb3f5d942d010f7188ccf36f79f3e8a86c7e65731ba

    • SSDEEP

      49152:wivSCQ/OKrPtUJMo3OqiLd/+VeKUiGOxjYSguvSfc:wivSCQ/jzaT

    • BumbleBee

      BumbleBee is a malware loader written in C++, used to deliver follow-on payloads.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger
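The registry-based checks flagged for both targets (VirtualBox ACPI tables, Guest Additions, BIOS strings, the country code, Wine) are individually common in legitimate software; what makes them a signal is one process touching several of them in quick succession. The script below is an added example, not part of the report or of the sandbox's own signatures: it runs that logic over constructed API-trace lines in a simple key=value form. The registry paths it matches are the conventional locations for each behaviour and are my assumptions, since the report does not print the exact keys the sample opened; the process names and PIDs in the sample log are illustrative. One caveat for anyone porting this to production telemetry: Sysmon's registry events record create, delete, set and rename, not reads, so a source that logs key opens or value queries (an API trace, EDR, or SACL-based object access auditing) is required.

```python
"""Flag a process that probes several of the registry locations behind the
anti-analysis behaviours listed in the report."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Conventional registry paths behind each behaviour in the report. The report does
# not print the exact keys the sample touched, so these are assumptions; extend them
# for your own environment.
PROBE_CATEGORIES: Dict[str, List[str]] = {
    "virtualbox_acpi": [r"HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"],
    "virtualbox_guest_additions": [r"HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"],
    "virtualbox_services": [r"HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\VBox"],
    "bios_information": [r"HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBios|VideoBios)"],
    "country_code": [r"HKCU\\Control Panel\\International\\Geo\\Nation"],
    "wine": [r"HK(LM|CU)\\Software\\Wine"],
}
_COMPILED = {name: [re.compile("^" + p, re.IGNORECASE) for p in pats]
             for name, pats in PROBE_CATEGORIES.items()}

# Long hive names and NT object-manager paths mapped onto the short forms used above.
_HIVE_ALIASES = {
    r"\REGISTRY\MACHINE": "HKLM",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
}
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed API-trace lines (not the sandbox's real log format). Process names
# and PIDs are illustrative. pid 4120 hits five categories; 5588 hits only one.
SAMPLE_LOG = r"""
pid=4120 image=rundll32.exe api=RegOpenKeyExW key="\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"
pid=4120 image=rundll32.exe api=RegOpenKeyExW key="HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"
pid=4120 image=rundll32.exe api=RegQueryValueExW key="HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
pid=4120 image=rundll32.exe api=RegQueryValueExW key="HKCU\Control Panel\International\Geo\Nation"
pid=4120 image=rundll32.exe api=RegOpenKeyExW key="HKEY_CURRENT_USER\Software\Wine"
pid=5588 image=explorer.exe api=RegQueryValueExW key="HKCU\Control Panel\International\Geo\Nation"
pid=6012 image=svchost.exe api=RegOpenKeyExW key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
""".strip().splitlines()


def normalize_key(key: str) -> str:
    """Rewrite the hive prefix so one pattern set covers all spellings of a path."""
    for alias, short in _HIVE_ALIASES.items():
        if key.upper().startswith(alias.upper()):
            return short + key[len(alias):]
    return key


def categorize_key(key: str) -> Optional[str]:
    """Return the probe category a registry path belongs to, or None."""
    norm = normalize_key(key)
    for name, pats in _COMPILED.items():
        if any(p.match(norm) for p in pats):
            return name
    return None


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line; quoted values may contain spaces."""
    return {k: (quoted or bare) for k, quoted, bare in _FIELD.findall(line)}


def detect_probing(lines: List[str], threshold: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Return (pid, image, categories) for every process that hits at least
    `threshold` distinct probe categories. A single BIOS or locale query is
    normal; several categories from one process is the anti-analysis pattern."""
    hits: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        if "key" not in fields:
            continue
        category = categorize_key(fields["key"])
        if category:
            hits[(fields.get("pid", "?"), fields.get("image", "?"))].add(category)
    return [(pid, image, sorted(cats))
            for (pid, image), cats in sorted(hits.items()) if len(cats) >= threshold]


if __name__ == "__main__":
    for pid, image, cats in detect_probing(SAMPLE_LOG):
        print(f"pid {pid} ({image}) probed: {', '.join(cats)}")
```

Raising the threshold trades recall for precision: with two or more categories the sample's process is flagged and explorer.exe's single locale lookup is not. The NtCreateThreadEx flag noted above is a separate signal from API telemetry and is not covered by this registry-only logic.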

MITRE ATT&CK Enterprise v6
