bumblebee | f1717d697da8cab2e5bd34462f692158728f7102734efe53381d0b0715977545 | Triage

Sharing

General

Target

7997306132.zip
Size

1.7MB
Sample

220915-m1xvgscgh5
MD5

91b49d8be4f7df8de7fc70a089d2b60a
SHA1

9dee96e688453fa619eb59100ca6be45f716add5
SHA256

f1717d697da8cab2e5bd34462f692158728f7102734efe53381d0b0715977545
SHA512

05c262b7bdd81c638f4abc2f39b5c302ea02775996e8095af0da1cee6f0c8b3c83cbe049ad5771e211fb7e04eb77111b8304d7b81a022c74fb174db7531a389a
SSDEEP

49152:YQl9JYKpOmN7ucGwTz2APLZqSpu1GdMnlAjdTMR:Pl9JYKkJqPPLkSpucdMlA9MR

Score

10^/10

bumblebee sp1 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

SP1

C2

45.147.229.23:443

Targets

- Target
  
  4518b5c65eb93ff1e31024f61e25569a9903753816d50e7258722bb608e3cf1b
- Size
  
  2.8MB
- MD5
  
  b87965a169aeed19577d9a78f8feeaf9
- SHA1
  
  2efc40286e1cad294628fb38a9524d9634788908
- SHA256
  
  4518b5c65eb93ff1e31024f61e25569a9903753816d50e7258722bb608e3cf1b
- SHA512
  
  c9ee37525e5a79ef86f39f189cf7a3df69bd421b2ad153ca25b049afeeb18bbb9e1f466dfb9d595bf71f4ec05ca873c001a01814a61b939902890e94c8ee14f4
- SSDEEP
  
  49152:AiU4m3k9LdQ5rrVggzz5UqIdFneQuXnMcjq4lfv9s3c59mf6CKJUQajLWW:yHmLdQtrVggzBITeQunMcW4lfloc59mx
Score

3^/10
behavioral1 behavioral2
- Target
  
  document.lnk
- Size
  
  823B
- MD5
  
  8a64bb558448a278eb268a5959d810e9
- SHA1
  
  b32b55da9c91741ce7e85588d993041d1782595c
- SHA256
  
  07162244bdc900f98fb964c289d510fd1567e9e1bfe834993ddb2a51c52f8450
- SHA512
  
  7596f4a616a5aaef205d9e488b040d76bf6684630daab6d5e93a59cde4dc1e20650136ef49801d36cdd69e74da7b6c6857360f4647f3b8edad3ad861f15bbdcd
Score

10^/10

bumblebee sp1 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4
- Target
  
  tar.dll
- Size
  
  2.7MB
- MD5
  
  a3a525339178d35206aff9e6e09ef018
- SHA1
  
  1f5f6dda2d4dfdc1a78b177748144dea72f50534
- SHA256
  
  ea3bec5905da38bd18241be997b00c8de4ad531255a06326e89d5efc062d3f19
- SHA512
  
  693c2f46c3a0ea5dd4fae98afb1a890a440b02d20da4806cabdd07e7aa044a450cf0e0e2a0488d651451f9f011976f04f5bee34d41dd3a9283247116c8030193
- SSDEEP
  
  49152:9iU4m3k9LdQ5rrVggzz5UqIdFneQuXnMcjq4lfv9s3c59mf6CKJUQajLWW:pHmLdQtrVggzBITeQunMcW4lfloc59mx
Score

10^/10

bumblebee sp1 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

bumblebeesp1evasiontrojan

behavioral4

bumblebeesp1evasiontrojan

behavioral5

bumblebeesp1evasiontrojan

behavioral6

bumblebeesp1evasiontrojan