bumblebee | 581d2841fe9a17155f33fff07a4edd99d126c835ec2a702a74b57209296fea9d | Triage

Sharing

General

Target

8014406124.zip
Size

1.7MB
Sample

220915-mlrd6ageam
MD5

bc3e0fb297c6d9ee9d8d9b8c99f56d5e
SHA1

0ed80abf5b4b70c4ff354e9842d145c9f0be2d00
SHA256

581d2841fe9a17155f33fff07a4edd99d126c835ec2a702a74b57209296fea9d
SHA512

f944c6a067557227c354b2c8756dbad934b3c5ee1153ce07c7432d075ab898e409472188a8ef145cc13097398fa00289fc7012e810deb4f56a01aa7ac84d93a4
SSDEEP

49152:/6NYA6vlwte+sd02m2ryCUMb6w381d6ep1xq:/cYA6H+bD2rDew34T14

Score

10^/10

bumblebee all0504 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ALL0504

C2

192.236.198.63:443

Targets

- Target
  
  a3e023f9666dfacbbc028212682390de436a78e4291c512b0b9f022a05b138f8
- Size
  
  2.4MB
- MD5
  
  39a919e20cfbf620f4daa0a2089e3998
- SHA1
  
  2df3ed2f9a2022d13559f09da0656ef61bdcd984
- SHA256
  
  a3e023f9666dfacbbc028212682390de436a78e4291c512b0b9f022a05b138f8
- SHA512
  
  2ea7b161d155473e07561d501a3de68c3579011bed759e43630caed7c235d4b032de7b7031a5f88af54b395b595e8f0ef3f7af39cf16e6a19cce62fe9b1b32e3
- SSDEEP
  
  49152:c7wq/1JsO/mzk/B84wEkqcKKEit/nLYpieYHpzoHM41/:c7w27ekpWRIe4YHpzos4V
Score

3^/10
behavioral1 behavioral2
- Target
  
  documents.lnk
- Size
  
  1KB
- MD5
  
  2b879216747e8ce7c01073e5ee197494
- SHA1
  
  bf357b8e46fc3ff717807fec3362733fc159f99f
- SHA256
  
  9dfb32ed9b5756151623a8049eaa7785bf761601eb6c7165beff489cce31bb08
- SHA512
  
  66fd20e6f4f7316b65d17e8488c7d4cb41cceb8118b0d5970fd9d845f1d80d6d355bdc1104786ce867658244a32a2ce49c56715ee8d897cc4c26b0db0d074c35
Score

10^/10

bumblebee all0504 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4
- Target
  
  setting.dll
- Size
  
  2.4MB
- MD5
  
  810beaab7e74d7b37dfd3b8b319a2ca6
- SHA1
  
  fb07e024c28064ab5e6accf248e74bc12c31cf06
- SHA256
  
  131f7e18bc3ea50cdcf74b618c24f5ae1b38594f8649d80538566b1cceeec683
- SHA512
  
  e41e4588d9cb9d9e1adc72a862f2816070f9cc204833cdd7527260ea1f710077076ec67c9eca786e99c49e8e14c28619ab96bb0ce1324e2fb4d9110bc6419c2b
- SSDEEP
  
  49152:d7wq/1JsO/mzk/B84wEkqcKKEit/nLYpieYHpzoHM41/:d7w27ekpWRIe4YHpzos4V
Score

10^/10

bumblebee all0504 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

bumblebeeall0504evasiontrojan

behavioral4

bumblebeeall0504evasiontrojan

behavioral5

bumblebeeall0504evasiontrojan

behavioral6

bumblebeeall0504evasiontrojan