General
Target: required documents.zip
Size: 3.2MB
Sample (analysis ID): 220908-c2k7zaafck
MD5: e90a8f435a6195e481568c18030722cd
SHA1: 8a208ec067c7e4d6ac12d5c1c2bd16a00823d3dd
SHA256: 34006f226a726c57ee055fa5520a333e34657db681ba4add71c580b2ea179fe2
SHA512: e9bdab4ce5c3c4ccea486278113a4c0eebcf24bcdc1cafd971fa15f58276387785b374d67c90002875b2f54fee29a2351e03865aa198302b0c8993fac7cc9101
SSDEEP: 49152:qivSCQ/OKrPtUJMo3OqiLd/+VeKUiGOxjYSguvSfc:qivSCQ/jzaT
Static task: static1
Behavioral task: behavioral1
Sample: required documents.zip
Resource (analysis VM image): win7-20220812-en
Malware Config (extracted from the sample)
Family: bumblebee
Botnet/group ID: 0709lg
C2 list (IP:port, as extracted). Bumblebee configurations pad the C2 list with decoy entries: several addresses below fall in the multicast range (224.0.0.0/4) or the reserved range (240.0.0.0/4) and cannot host a real server, and only two entries (213.227.154.169:443 and 45.153.240.94:443) use port 443, the port Bumblebee's live C2 servers use in public reporting. Treat the remaining entries as low-confidence indicators rather than blocklist material.
253.99.168.157:367
114.13.1.160:226
34.113.116.119:165
204.227.208.101:422
90.128.124.215:224
95.45.92.109:292
211.135.230.28:111
199.40.74.224:435
85.230.106.25:390
189.255.181.14:334
213.227.154.169:443
232.196.162.145:304
214.20.238.201:145
87.216.172.198:397
171.201.228.43:398
87.63.40.34:125
120.83.66.17:278
34.65.29.63:243
45.153.240.94:443
232.179.211.66:291
233.228.105.224:221
193.11.177.213:238
186.218.162.100:196
95.54.17.61:431
215.155.35.33:309
205.5.165.193:253
191.215.252.12:299
190.104.233.232:454
30.4.135.103:343
24.64.244.156:187
3.17.97.51:305
3.110.118.231:273
194.140.110.231:247
228.57.16.249:115
226.124.246.118:179
253.102.241.231:316
186.40.222.142:173
146.132.130.18:100
16.28.192.164:130
219.150.99.178:460
204.235.52.15:241
104.121.55.132:124
172.238.228.106:169
46.189.108.213:259
5.149.200.203:181
7.41.78.160:194
24.84.58.88:201
217.244.142.77:452
75.25.196.244:194
213.233.43.49:438
163.104.136.59:134
118.189.229.22:297
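The following is an added triage script, not part of the sandbox report, that separates probable decoy entries from probable live C2 servers in an extracted Bumblebee list. It uses only the standard library. The embedded list is a short excerpt of the entries above (constructed input for the example; paste the full list in practice). The "real C2s listen on 443" rule is an assumption taken from public Bumblebee reporting, not something the report states.

```python
import ipaddress
import re

# Constructed excerpt of the extracted C2 list above, one "ip:port" per line.
C2_LIST = """
253.99.168.157:367
114.13.1.160:226
213.227.154.169:443
232.196.162.145:304
45.153.240.94:443
30.4.135.103:343
3.17.97.51:305
118.189.229.22:297
"""

ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2_list(text):
    """Parse 'ip:port' lines into (IPv4Address, int) tuples, skipping blanks and garbage."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue
        entries.append((ip, int(m.group(2))))
    return entries


def classify(ip, port):
    """Return the reasons an entry is unlikely to be a live C2 server (empty list = plausible)."""
    reasons = []
    if ip.is_multicast:            # 224.0.0.0/4: cannot accept a unicast TCP connection
        reasons.append("multicast range")
    elif ip.is_reserved:           # 240.0.0.0/4: not routed on the public Internet
        reasons.append("reserved range")
    elif ip.is_private or ip.is_loopback or ip.is_link_local:
        reasons.append("non-public range")
    if port != 443:
        # Assumption: Bumblebee's genuine C2 servers use 443; other ports are filler.
        reasons.append("non-443 port")
    return reasons


def triage(text):
    """Split the list into (probable_live, probable_decoy); each item is (ip, port, reasons)."""
    live, decoy = [], []
    for ip, port in parse_c2_list(text):
        reasons = classify(ip, port)
        (decoy if reasons else live).append((str(ip), port, reasons))
    return live, decoy


if __name__ == "__main__":
    live, decoy = triage(C2_LIST)
    for ip, port, _ in live:
        print(f"probable C2   {ip}:{port}")
    for ip, port, reasons in decoy:
        print(f"probable decoy {ip}:{port}  ({', '.join(reasons)})")
```

Run it with the full list to get a short candidate set for pivoting (passive DNS, certificate history) and a longer set that should not be pushed to blocklists without further validation.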
Targets
Target: required documents.zip
Size: 3.2MB
MD5: e90a8f435a6195e481568c18030722cd
SHA1: 8a208ec067c7e4d6ac12d5c1c2bd16a00823d3dd
SHA256: 34006f226a726c57ee055fa5520a333e34657db681ba4add71c580b2ea179fe2
SHA512: e9bdab4ce5c3c4ccea486278113a4c0eebcf24bcdc1cafd971fa15f58276387785b374d67c90002875b2f54fee29a2351e03865aa198302b0c8993fac7cc9101
SSDEEP: 49152:qivSCQ/OKrPtUJMo3OqiLd/+VeKUiGOxjYSguvSfc:qivSCQ/jzaT
Signatures
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Loads dropped DLL
The sample loads a DLL that was written to disk during the run rather than one shipped with the system.
Suspicious use of NtCreateThreadExHideFromDebugger
The sample creates a thread through NtCreateThreadEx with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag (0x4). Such a thread delivers no debug events to an attached debugger, so this is an anti-debugging technique rather than normal application behaviour. Together with the four registry checks above, it indicates the sample profiles its environment before running its payload, so results from a bare default VM may understate what it does on a real host.
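The following is an added example, not code from the sandbox or from the report, of how the registry-based signatures above can be expressed as detection logic over a hooked-API registry trace. The registry paths are representative anti-VM/anti-sandbox lookups (VirtualBox ACPI tables, Guest Additions, VBox services, BIOS strings, Wine); they are an assumption about what such signatures match, not the sandbox's actual rules. The trace lines are constructed for the example, in an "api|key" layout of our own; they are not output of any real tool.

```python
import re
from collections import defaultdict

# Assumed representative registry paths behind each signature name (not the sandbox's rules).
SIGNATURES = {
    "Enumerates VirtualBox registry keys": [
        r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\VBox(?:Guest|Mouse|Service|SF|Video)\b",
    ],
    "Identifies VirtualBox via ACPI registry values": [
        r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__",
    ],
    "Looks for VirtualBox Guest Additions in registry": [
        r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    ],
    "Checks BIOS information in registry": [
        r"\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|VideoBiosVersion|SystemBiosDate)\b",
        r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\",
    ],
    "Identifies Wine through registry keys": [
        r"\\SOFTWARE\\Wine\b",
    ],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in SIGNATURES.items()}

# Constructed trace: one "hooked API|registry path" per line (our own layout).
TRACE = r"""
RegOpenKeyExW|HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegOpenKeyExW|HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegOpenKeyExW|HKCU\SOFTWARE\Wine
RegEnumKeyExW|HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest
RegOpenKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""


def parse_trace(text):
    """Parse 'api|key' lines into (api, key) tuples; lines without a separator are ignored."""
    events = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        api, key = line.split("|", 1)
        events.append((api.strip(), key.strip()))
    return events


def match_signatures(events):
    """Map each fired signature name to the registry paths that triggered it."""
    hits = defaultdict(list)
    for _api, key in events:
        for name, patterns in COMPILED.items():
            if any(p.search(key) for p in patterns):
                hits[name].append(key)
    return dict(hits)


def is_evasive(hits, threshold=2):
    """Heuristic (our own): two or more distinct environment checks marks the sample as evasive."""
    return len(hits) >= threshold


if __name__ == "__main__":
    fired = match_signatures(parse_trace(TRACE))
    for name, keys in fired.items():
        print(f"{name}: {len(keys)} hit(s)")
    print("evasive:", is_evasive(fired))
```

The benign Run-key lookup in the trace fires nothing, which is the property to check when tuning patterns: ordinary software touches HKLM\SOFTWARE often, so patterns should anchor on the vendor-specific subkeys rather than on generic hive paths.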