General
-
Target
ZRoeaQxZZMZDVb.dll.exe
-
Size
2.0MB
-
Sample
220908-teha8sfab8
-
MD5
29a405557da7bb24b2f278c5c46dfd3c
-
SHA1
a089591a65546d9f25e769c7f22b0c61e1836223
-
SHA256
0e3933b1489a91bfe99dd652d7e64c09380b210d2404f32b26251d34fa58ca8b
-
SHA512
b332d39986610cc8a1e816d567107778f5c9e45d6bf55c614e673f5853b990abb312a052773afba6eb8a0fb3f5d942d010f7188ccf36f79f3e8a86c7e65731ba
-
SSDEEP
49152:wivSCQ/OKrPtUJMo3OqiLd/+VeKUiGOxjYSguvSfc:wivSCQ/jzaT
Malware Config
Extracted
bumblebee
0709lg
253.99.168.157:367
114.13.1.160:226
34.113.116.119:165
204.227.208.101:422
90.128.124.215:224
95.45.92.109:292
211.135.230.28:111
199.40.74.224:435
85.230.106.25:390
189.255.181.14:334
213.227.154.169:443
232.196.162.145:304
214.20.238.201:145
87.216.172.198:397
171.201.228.43:398
87.63.40.34:125
120.83.66.17:278
34.65.29.63:243
45.153.240.94:443
232.179.211.66:291
Targets
-
-
Target
ZRoeaQxZZMZDVb.dll.exe
-
Size
2.0MB
-
MD5
29a405557da7bb24b2f278c5c46dfd3c
-
SHA1
a089591a65546d9f25e769c7f22b0c61e1836223
-
SHA256
0e3933b1489a91bfe99dd652d7e64c09380b210d2404f32b26251d34fa58ca8b
-
SHA512
b332d39986610cc8a1e816d567107778f5c9e45d6bf55c614e673f5853b990abb312a052773afba6eb8a0fb3f5d942d010f7188ccf36f79f3e8a86c7e65731ba
-
SSDEEP
49152:wivSCQ/OKrPtUJMo3OqiLd/+VeKUiGOxjYSguvSfc:wivSCQ/jzaT
Score10/10-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Looks for VirtualBox Guest Additions in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-