bumblebee | 8b8dad2c17f06198db3d988b60ba48629d767a0d2c8a493f9919ac0dccb95609

Resubmissions

15-09-2022 12:22

220915-pj5vwadad7 10

11-04-2022 16:15

220411-tp8aeaahg9 9

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-09-2022 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vil.dll
Size

2.1MB
MD5

ff6db6c6dfb7c7a9da47d359702ec4b3
SHA1

69dd95131829bb8b983d5fe0ee611e7ff63037b2
SHA256

6168d9f1cb0bc329fe76a0ebb8a782617de9bb0da2372e1f2728db856daf5007
SHA512

a386fbd06168c9aa0b105cee148098706b77e1d1733da5bbda62012dd0736fcbf4e36f696148fdb0d020b5a64192b424cc8b7dcb2ff7e781ffa949118eacc744
SSDEEP

49152:9pfaMa7wkHW4GnVibdZAi6WcJQc2CU/Z9dYn0XZW1:T4KVIZAiTcqcHkdEII1

Score

10^/10

bumblebee ra1104 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

RA1104

142.91.3.109:443

23.83.133.216:443

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	rundll32.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	rundll32.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	rundll32.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Wine	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vil.dll,#1
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-54-0x0000000002040000-0x000000000228B000-memory.dmp

Filesize
2.3MB

Download