bumblebee | cc08a3371f0b7ac0fe01423a33cd490568d819fa0db0fd58a42358ec35ddaf58 | Triage

Sharing

General

Target

files.zip
Size

1.6MB
Sample

220920-s3vqsshbdk
MD5

d33dffe19ef2b8774eac508d2941e543
SHA1

eca5f81e0a88361898513c4caf56202522534d20
SHA256

cc08a3371f0b7ac0fe01423a33cd490568d819fa0db0fd58a42358ec35ddaf58
SHA512

b82363a14b7c35a0b5ef103b3ceb73aafd9cfe2ebd6625e7d21247defcb38753ecce87d43bd9b34a005b4835afcbf0e8e8792444b143c23c3b044e3cc5c18b67
SSDEEP

49152:Uc4PIXS54lRojHuEVfd6G7u7mVc1Wt2JtorwuSsL:D4PIC54gjuEVf0Fic1Y2IrwuSO

Score

10^/10

bumblebee 1909 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1909

C2

172.93.193.42:443

45.153.243.126:443

213.227.154.19:443

rc4.plain

Targets

- Target
  
  Details.lnk
- Size
  
  995B
- MD5
  
  fc6d9fe3fae2bc903bae5b0b2afaca0e
- SHA1
  
  c9509d46c804b5d71e197f9c56dcadc2a2c19f79
- SHA256
  
  cda1e1f1bcf7047878596723ef13fc1231aad4b49ac0e0df335d885099e0694c
- SHA512
  
  69e0c8b50659238135241bcf48ab83abf39b952d60c9266da347bee0f6ff9224a833841fd67e224bfaddae624bfe553770a35a1b206485ebeeb0ac35f995f0ab
Score

10^/10

bumblebee 1909 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  XLojGEhKNSWWGb.bat
- Size
  
  973B
- MD5
  
  63de17452db09348dea473ff97592d32
- SHA1
  
  9d5bdddbc277b1440ed0097df5dc6041f2cdec56
- SHA256
  
  29f73ca6dd1c1f7477eec453215140feb67504f97ea58dbd2835411585eef24a
- SHA512
  
  059453fa5266b4b453fb05026e6ee5b3c2646c3aeac9e79e09f0a3c6ab6a531a9a8866ed0ce9693791ff567be5b099a157f1ad58daeef2235051208f60e209c2
Score

10^/10

bumblebee 1909 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral3 behavioral4
- Target
  
  uOAxPaiprCVzvn.dll
- Size
  
  3.6MB
- MD5
  
  60658cdb2f273a1a9c18ee8ff5118112
- SHA1
  
  d4665150bec840c6e8be62c2c6cdebc42ef5ea19
- SHA256
  
  ded7c0c21ca7f16e70ed2b1a774bab54019d6b3fb865677eba254edeafd7b91e
- SHA512
  
  05989c1aefce87569dfe31de09507ec965123e8b776db237c8c974cebe8c5c275858ccfbcec3124e5fc0450442afac0d2a08cee3919ac9bc68e19c06128c46e6
- SSDEEP
  
  24576:Q4kkbEgHWUYr/Ql/V6+Zr0dyFMftqscMOdIYro8u6c4KCtrw9:QhkbEg29sl6O
Score

3^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee1909evasiontrojan

behavioral2

bumblebee1909evasiontrojan

behavioral3

bumblebee1909evasiontrojan

behavioral4

bumblebee1909evasiontrojan

behavioral5

behavioral6