bumblebee | df60787a0c3b400b1e61a30dc7c998131594f512e9fc43dfd6f18097ccfc55a9 | Triage

Sharing

General

Target

required.zip
Size

1.5MB
Sample

220916-yyq5pscdbr
MD5

7c6fbf4eacde629c2300baf16a39b2db
SHA1

756a840ebc1f060433a5aae79bb09a8ed5d758b7
SHA256

df60787a0c3b400b1e61a30dc7c998131594f512e9fc43dfd6f18097ccfc55a9
SHA512

3bb342c65e801f927960728b9de4b7731fb901b4086e30b6b3f1f45bd241eb1f7b1cf7666c5f35db2994d74bb9cdbed372a2802f4eac7c4364693072091533e0
SSDEEP

24576:wC2lPbS+Zn2DFMfppXmTM42J/bDViCzuN5DBg/OP2J99WyYaBCJueMnoP+:wtPbS+ZnkCp8TM42xbDViJm/4k9oyYza

Score

10^/10

bumblebee 1209 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1209

C2

103.144.139.138:443

154.56.0.119:443

158.20.4.234:443

205.185.123.115:443

146.70.143.140:443

rc4.plain

Targets

- Target
  
  bhaks.dll
- Size
  
  2.8MB
- MD5
  
  423ad8cdb5c51a3486c7eb5fb9b72816
- SHA1
  
  64ed16216926c2348ad2ef1125fa063dc7e075d0
- SHA256
  
  0f2c4a96f3d63ee582adc36ac2c8c95dfacab53a1a61a49a8b7de8e8d3e50185
- SHA512
  
  d341c546a46fec6368121984407c9a770071b997f7a264413dd101d327a8de0944bc447b172c3fed703fa510ce0557eb6045f82d61606b2f66d36aa569f5fa6b
- SSDEEP
  
  24576:5W59BWsG5R3lVLFM9uyxBzkucmWxD//1wpIDbrWoKJHw2tcbT+d/zvkav6ISYtEZ:569cFNlSYXeqyYav63iEHMvjvOQK
Score

3^/10
behavioral1 behavioral2
- Target
  
  exit.bat
- Size
  
  926B
- MD5
  
  ac5ac9522b475f3f9ffe4ff760d214b9
- SHA1
  
  a684c4618a78590ff572f4009e78829052f63dd8
- SHA256
  
  67b38543ed6ba39a442d1563cbae37b6c6cb27679ddf62804a720b4fd8af6873
- SHA512
  
  1001cf2e6780c913398825a7ee4e42ac983203fc9e6e100528f2996411028bc9d6a5396e71229a1df0755c22610d6d66b0713cf21b92b04ec20715bcc08a9648
Score

10^/10

bumblebee 1209 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral3 behavioral4
- Target
  
  required information.lnk
- Size
  
  1KB
- MD5
  
  58fb2aa4cdc631b102abd92cad34f054
- SHA1
  
  2df65dd90d13d13fe3a4070c85347e8eda82c935
- SHA256
  
  3b6b4238e4557235e44df73530bf6577df2897ba625f7f2879d102ff08086819
- SHA512
  
  79a364cd0b900fd7a816c57ffe9ad317ad16e0aa7c7f067ebe9f114dd3a2682cbce41cb66bf1d8a1de2dea303ef38c1f379925e5beca113f7ae8722f72e9fcef
Score

10^/10

bumblebee 1209 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

bumblebee1209evasiontrojan

behavioral4

bumblebee1209evasiontrojan

behavioral5

bumblebee1209evasiontrojan

behavioral6

bumblebee1209evasiontrojan