Overview

overview

10

Static

static

required d...ts.zip

windows7-x64

10

required d...ts.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2022 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    required documents.zip

  • Size

    3.2MB

  • MD5

    e90a8f435a6195e481568c18030722cd

  • SHA1

    8a208ec067c7e4d6ac12d5c1c2bd16a00823d3dd

  • SHA256

    34006f226a726c57ee055fa5520a333e34657db681ba4add71c580b2ea179fe2

  • SHA512

    e9bdab4ce5c3c4ccea486278113a4c0eebcf24bcdc1cafd971fa15f58276387785b374d67c90002875b2f54fee29a2351e03865aa198302b0c8993fac7cc9101

  • SSDEEP

    49152:qivSCQ/OKrPtUJMo3OqiLd/+VeKUiGOxjYSguvSfc:qivSCQ/jzaT

Score
10/10
bumblebee0709lgevasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

0709lg

C2

253.99.168.157:367

114.13.1.160:226

34.113.116.119:165

204.227.208.101:422

90.128.124.215:224

95.45.92.109:292

211.135.230.28:111

199.40.74.224:435

85.230.106.25:390

189.255.181.14:334

213.227.154.169:443

232.196.162.145:304

214.20.238.201:145

87.216.172.198:397

171.201.228.43:398

87.63.40.34:125

120.83.66.17:278

34.65.29.63:243

45.153.240.94:443

232.179.211.66:291
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\required documents.zip"
    1⤵
      PID:360
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1800
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x44c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:524
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\required documents\" -spe -an -ai#7zMap1529:116:7zEvent10341
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1260
      • C:\Windows\System32\odbcconf.exe
        "C:\Windows\System32\odbcconf.exe" /a {REGSVR ZRoeaQxZZMZDVb.dll}
        1⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Looks for VirtualBox Guest Additions in registry
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1592

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\required documents\ZRoeaQxZZMZDVb.dll
        Filesize

        2.0MB

        MD5

        29a405557da7bb24b2f278c5c46dfd3c

        SHA1

        a089591a65546d9f25e769c7f22b0c61e1836223

        SHA256

        0e3933b1489a91bfe99dd652d7e64c09380b210d2404f32b26251d34fa58ca8b

        SHA512

        b332d39986610cc8a1e816d567107778f5c9e45d6bf55c614e673f5853b990abb312a052773afba6eb8a0fb3f5d942d010f7188ccf36f79f3e8a86c7e65731ba

        Download Submit

      • \Users\Admin\AppData\Local\Temp\required documents\ZRoeaQxZZMZDVb.dll
        Filesize

        2.0MB

        MD5

        29a405557da7bb24b2f278c5c46dfd3c

        SHA1

        a089591a65546d9f25e769c7f22b0c61e1836223

        SHA256

        0e3933b1489a91bfe99dd652d7e64c09380b210d2404f32b26251d34fa58ca8b

        SHA512

        b332d39986610cc8a1e816d567107778f5c9e45d6bf55c614e673f5853b990abb312a052773afba6eb8a0fb3f5d942d010f7188ccf36f79f3e8a86c7e65731ba

        Download Submit

      • memory/1592-58-0x0000000001B10000-0x0000000001C26000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1800-54-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

        Filesize

        8KB

        Download