bumblebee

General

Target

ton2.zip
Size

1.5MB
Sample

220912-zve4psebf4
MD5

d0475009b46446ab19707e0e10c6e264
SHA1

b5a10e73931b8556d2093531c0d82a152bf9a1e0
SHA256

a3e7f3ea8f906a546002bfd60a18dd732efb0d42f9fd056b1f1a9c91bf17486e
SHA512

1cb5e4dcdf0add15dc115c8b1acb1874ac16cc7dc923c0c44da4095e842eefec96da1dc218fcc13a5a7be09284de3cd6e3b749b3d7009b23bcacbf60322b89e8
SSDEEP

24576:LSlNFnof5r3VYZ/JzInlTe3A1iKUXU/8xISs8ycd3Oditzwtn4WB0cY4r9Hl65pm:LYNofpi/NWEk/8xIBnditzwtn4WU4pHf

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

1209

C2

142.11.211.32:443

146.59.116.49:443

192.236.155.219:443

rc4.plain

Targets

- Target
  
  ton/aerobraking.dat
- Size
  
  2.8MB
- MD5
  
  a91ffc92b46a8ad90412ae91a4b7ef83
- SHA1
  
  beb23a8718b77c6a6d46464e5467920c8f4f1ec7
- SHA256
  
  2f18bfaeaae34c7bf895a432b297609edfaec4d449b5e3301252d32006ad3e1c
- SHA512
  
  7fb0b389850fb49b252c420d3487c5a4ffc7beb7935ca5e8ac6cc9bf5237dc7b8ac2742c2410d88e1efc9b0aa5ccb4d52d70731aec053ec06ec961f87162516c
- SSDEEP
  
  49152:B4MeHCMgGF9ZbAfofXT8OLpDXEBD0zxOB5vIKpy8hQmf+8SNKb:B4RCMqkEGwm8JSNK
Score

3^/10
behavioral1 behavioral2
- Target
  
  ton/documents.lnk
- Size
  
  1KB
- MD5
  
  91b225881829c940ab5a76b61593e9cc
- SHA1
  
  645790942cba7cb63f14891232b22ad978f1141e
- SHA256
  
  22546866f19add33035bcf1c135541606ff770df580650195dde6b69c55c37b3
- SHA512
  
  1ecbe7dad9128c1ef7c3f9629124db33928a477f84e0a1c65e2afef8c03d9080397d2c1157a03ef942f59fb1f97f722a7d3f679250dc35fe4f0fa69d4ff819bc
Score

10^/10

bumblebee 1209 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4