Resubmissions

15-09-2022 12:22

220915-pj5vwadad7 10

11-04-2022 16:15

220411-tp8aeaahg9 9

General

  • Target: docs_pdf_8.iso
  • Size: 2.1MB
  • Sample: 220915-pj5vwadad7
  • MD5: d7154fc91caef7b5d3f76a68680fd771
  • SHA1: 9cc37055397743238967e575d6f291ca8f453fa6
  • SHA256: 8b8dad2c17f06198db3d988b60ba48629d767a0d2c8a493f9919ac0dccb95609
  • SHA512: 1db47825e08105b276b79111b5a2003b15b8a82fbcd920154717b59f159066497b17fcb266df5bd1a15c061b35e655540f00ff92010a31f5fa2cd4c155a8f7e3
  • SSDEEP: 49152:cpfaMa7wkHW4GnVibdZAi6WcJQc2CU/Z9dYn0XZW1:W4KVIZAiTcqcHkdEII1

Malware Config

Extracted

  • Family: bumblebee
  • Botnet: RA1104
  • C2: 142.91.3.109:443
  • C2: 23.83.133.216:443

Targets

    • Target: document.lnk
    • Size: 823B
    • MD5: 535f612cd22942a8f831c8f08cd880b5
    • SHA1: b095440d2c2868cbfb0e95ec32da10dd9f2aea48
    • SHA256: a03ac8dc616ac88e9aca6efe1171dd962df0895935ac1df637533fe6c40a8ca8
    • SHA512: 725e3650ae1724edf247afb5e2c809cb0d277ac887df6f9ca9f03d9386958eac7b07908e91c6cc4fe757a0ed314221d539fff29f48037c56444d8298c2820ea4

    • BumbleBee

      BumbleBee is webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target: vil.dll
    • Size: 2.1MB
    • MD5: ff6db6c6dfb7c7a9da47d359702ec4b3
    • SHA1: 69dd95131829bb8b983d5fe0ee611e7ff63037b2
    • SHA256: 6168d9f1cb0bc329fe76a0ebb8a782617de9bb0da2372e1f2728db856daf5007
    • SHA512: a386fbd06168c9aa0b105cee148098706b77e1d1733da5bbda62012dd0736fcbf4e36f696148fdb0d020b5a64192b424cc8b7dcb2ff7e781ffa949118eacc744
    • SSDEEP: 49152:9pfaMa7wkHW4GnVibdZAi6WcJQc2CU/Z9dYn0XZW1:T4KVIZAiTcqcHkdEII1

    • BumbleBee

      BumbleBee is webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
