General

  • Target: ton2.zip
  • Size: 1.5MB
  • Sample: 220912-zve4psebf4
  • MD5: d0475009b46446ab19707e0e10c6e264
  • SHA1: b5a10e73931b8556d2093531c0d82a152bf9a1e0
  • SHA256: a3e7f3ea8f906a546002bfd60a18dd732efb0d42f9fd056b1f1a9c91bf17486e
  • SHA512: 1cb5e4dcdf0add15dc115c8b1acb1874ac16cc7dc923c0c44da4095e842eefec96da1dc218fcc13a5a7be09284de3cd6e3b749b3d7009b23bcacbf60322b89e8
  • SSDEEP: 24576:LSlNFnof5r3VYZ/JzInlTe3A1iKUXU/8xISs8ycd3Oditzwtn4WB0cY4r9Hl65pm:LYNofpi/NWEk/8xIBnditzwtn4WU4pHf

Malware Config

Extracted

  • Family: bumblebee
  • Botnet: 1209
  • C2:
      142.11.211.32:443
      146.59.116.49:443
      192.236.155.219:443
  • rc4.plain

Targets

    • Target: ton/aerobraking.dat
    • Size: 2.8MB
    • MD5: a91ffc92b46a8ad90412ae91a4b7ef83
    • SHA1: beb23a8718b77c6a6d46464e5467920c8f4f1ec7
    • SHA256: 2f18bfaeaae34c7bf895a432b297609edfaec4d449b5e3301252d32006ad3e1c
    • SHA512: 7fb0b389850fb49b252c420d3487c5a4ffc7beb7935ca5e8ac6cc9bf5237dc7b8ac2742c2410d88e1efc9b0aa5ccb4d52d70731aec053ec06ec961f87162516c
    • SSDEEP: 49152:B4MeHCMgGF9ZbAfofXT8OLpDXEBD0zxOB5vIKpy8hQmf+8SNKb:B4RCMqkEGwm8JSNK
    • Score: 3/10

    • Target: ton/documents.lnk
    • Size: 1KB
    • MD5: 91b225881829c940ab5a76b61593e9cc
    • SHA1: 645790942cba7cb63f14891232b22ad978f1141e
    • SHA256: 22546866f19add33035bcf1c135541606ff770df580650195dde6b69c55c37b3
    • SHA512: 1ecbe7dad9128c1ef7c3f9629124db33928a477f84e0a1c65e2afef8c03d9080397d2c1157a03ef942f59fb1f97f722a7d3f679250dc35fe4f0fa69d4ff819bc

    Signatures

    • BumbleBee
      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys
      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 4

Discovery

  • Query Registry (T1012): 6
  • Virtualization/Sandbox Evasion (T1497): 4
  • System Information Discovery (T1082): 3
