General

  • Target: projectdetails.zip
  • Size: 1.4MB
  • Sample: 220913-z5v8nscdfj
  • MD5: 105260b7bba2b846c6e89a937937ef1d
  • SHA1: 8fe18c1608931fc7997fc777002c1553cad66e7f
  • SHA256: 3908c6bf8a4e2075c96eab04aea242cae7099c902d4a587f0c5a314c86574b32
  • SHA512: 82224a963668ea3d8b4a904113b64c75b2dd5611645d6e0179a6d121b141f3b9698b1a5cf7cb6b9f298f02b85da795ce64243f3899c57391bea5a569ed5bbb08
  • SSDEEP: 24576:1am4ivSISOWgCl8ZztO4VW6X0oBdq+Qi+dg/Iu89oDdLh1homZYY3KUYjrKeH:h6ISDghZzokdvq+Qndg/Iu/t1homyY6L

Malware Config

Targets

    • Target: date.bat
    • Size: 910B
    • MD5: 652df2302ccf03eef2e2afdcd3f6a989
    • SHA1: 860cd1625a486903b69b40d997beecff5251072b
    • SHA256: 9a03515a444099863795a429e0966bdb04eacce93c968f27a588296992657617
    • SHA512: 892ac5a89e0cfef9d98c26f2432f024622172aeaa845c88c472922708d7c33823e846c8955b1db9cbc03dd7ece71f38e3d89367b7def6590c47e7353c7a0bae9
    • BumbleBee
      BumbleBee is webshell malware written in C++.
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Identifies Wine through registry keys
      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target: nda.dll
    • Size: 3.3MB
    • MD5: 004a11030bdf210d2f36c5280e4eeaa1
    • SHA1: d156d3f25550b641872e5e3ee6ce8c73929211f2
    • SHA256: 22f7098c8701542bde29f6276c4d0a2a1b02fb8e724845b8a8948c7adcf94193
    • SHA512: 47daa0e7029a7d33491fe627717e2d5778b2271fbc19ed7adbc7a30f920ff88a49ad51270d5c47cfcbfd669781898fc9bd1cb8de7f1fa4c9bffe5aedcf52d1de
    • SSDEEP: 49152:5/eK7iIVhF9PcqvVJE8jp3xUw15c4xh2V0muT4:ReSUw15c4xh2V0muT4
    • Score: 1/10
    • Target: project details.lnk
    • Size: 1KB
    • MD5: bb29ceef1d0fe4bb80a72e4f353c181a
    • SHA1: 84762568338708fa34ef2f891bf467fbdfcdff44
    • SHA256: ba1a303a44ebe7586740a88d3482cd2d212a46b90df0759eda88bab08ba37a4d
    • SHA512: 3cc8b6a4dd7c70ae46d76aeccf51cedfc499a17e199946436d1db92e2e45f6429a8af5b840030a547a72ec797d89b2a7930fef60c111064d52630c11286a5524
    • BumbleBee
      BumbleBee is webshell malware written in C++.
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Identifies Wine through registry keys
      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks