bumblebee | fb4d8eab720bfa491d4cd6dc732bb6d2f74c77a37c8056d7eafdb7a01bcba3bd | Triage

Sharing

General

Target

7991976155.zip
Size

1.7MB
Sample

220915-nk69nagfbl
MD5

6513227c631b99ff7954611dae63aec0
SHA1

7abe610537a832ed506713d4d76904c3b1761af1
SHA256

fb4d8eab720bfa491d4cd6dc732bb6d2f74c77a37c8056d7eafdb7a01bcba3bd
SHA512

d1d745e45ce29a1c889331307229af85ce0dd37522fe4da7b408ca29bf6b448952cab09ad6d6dfad87d9c01567e3823fa726d1504934e5ee118a549a94063850
SSDEEP

49152:2jvkPJP3kYN+nnb3ikBoD6BGcbDrNEKcKXVG2Y:2jvwN3kRnb3ikBTxbVLm

Score

10^/10

bumblebee vps1 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

VPS1

C2

45.147.229.23:443

Targets

- Target
  
  ad1a90f2f253a9adf45be85682d7b44994ab4e8ceafc1a5805316c39c803ccc8
- Size
  
  2.5MB
- MD5
  
  a91ca42fe60d0c2d1008e909c8b23cb5
- SHA1
  
  14f812a695879f33acc81ab32568ed974cdfbea1
- SHA256
  
  ad1a90f2f253a9adf45be85682d7b44994ab4e8ceafc1a5805316c39c803ccc8
- SHA512
  
  d409e627d458d753fff8e888f3e211ebf5ad6a11e21b30811e4e46f398f7fa93a033deb97c8acc6e0a5b98c852cc0b773c83cbbad4130db3d3f8a5ae06f8e232
- SSDEEP
  
  49152:/Y8+6OwVQpMQ08Fk1BGrXN3fLXZOMU9EeF2gYNpJsv9:/g6OXp0KC0rXptVeum
Score

3^/10
behavioral1 behavioral2
- Target
  
  9n3.dll
- Size
  
  2.5MB
- MD5
  
  7c3eacc5af118753850b18ed37aec4fd
- SHA1
  
  15e1cd059e3cb6d6e63bd2c7718844b917f42705
- SHA256
  
  3ecd8e4cab18d088b8394b6880fb00e6d17d8fe19ba2b0f7f7abd9cb738a3f54
- SHA512
  
  db731a0a387e8cecc499ef90415ddee213526f4fffe2fc0394855b77b1602f2cfbd0817031a1bc47d8650d84e0268baeb27f3ffdd72a1ab26c52080b664e6a09
- SSDEEP
  
  49152:EY8+6OwVQpMQ08Fk1BGrXN3fLXZOMU9EeF2gYNpJsv9:Eg6OXp0KC0rXptVeum
Score

10^/10

bumblebee vps1 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4
- Target
  
  document.lnk
- Size
  
  823B
- MD5
  
  90442d37ab692ae4654ef8462bd3c1fd
- SHA1
  
  3ef15315d9a4b7a557937df3377ad4d7f4be6e85
- SHA256
  
  0332e171c940c7f8fe48a803022cd327f588b12e71ecc3bf04bfc97d85a76bea
- SHA512
  
  388573ffaef1fab7a408bcc636bb43f1402f51bca76af740f8b654e12a43900165c0b3d96d3d5230ab377a87959e572a41dfdf8a37dc3b0b4a43af9afeb91b51
Score

10^/10

bumblebee vps1 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

bumblebeevps1evasiontrojan

behavioral4

bumblebeevps1evasiontrojan

behavioral5

bumblebeevps1evasiontrojan

behavioral6

bumblebeevps1evasiontrojan