bumblebee | 68fdb41c691ceb43c69cd409a086c687b813c0b1d5d1b8e8a3b612ee4646e1a5 | Triage

Sharing

General

Target

for redacted.vhd
Size

8.0MB
Sample

220920-x3a4lseca5
MD5

ee9447835bc330fbf85ef3e6198c7668
SHA1

e84b64998373b05eee19f2cd5ad29c66bd49a797
SHA256

68fdb41c691ceb43c69cd409a086c687b813c0b1d5d1b8e8a3b612ee4646e1a5
SHA512

ffb353f2b3aebee135a7126730d3d18662537ee753fb5096aa3d6a23450aff0b935485fa50ec988950a1464e661394b101f03fe40d0c285845377a37676a8c78
SSDEEP

49152:3QSHFuj7kV1RjKx55USO8SA7BpdEB2dPQMo6qMXgzOMfk:gSHw7kV1RhSO8Sc+sQMHq9Bf

Score

10^/10

bumblebee 2009 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

2009

C2

45.153.241.245:443

195.133.192.117:443

146.70.147.16:443

rc4.plain

Targets

- Target
  
  Project info.lnk
- Size
  
  995B
- MD5
  
  273502c7d02ade545ba9663b5fff3ba7
- SHA1
  
  c56fbfc96f13def520955e299f438532e2eff952
- SHA256
  
  c7c018f5a1246622c27013d3ae1e8f4d67525d11ab19aa175451a356dd4f8afe
- SHA512
  
  63fa9193b15f45ed03a0e9bfbac72a1772e9424806f5c070de3d0393bede323cb7ef21eafa05b784dc28d86c81ca1f2dd0d21b0b0831a8aefb1cca178e2a18f6
Score

10^/10

bumblebee 2009 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  iyXaimiAupRils.dll
- Size
  
  2.4MB
- MD5
  
  0ec0f3a857810ad082d8df86aef72250
- SHA1
  
  2ba93d61975b752c55f685920d68632cb08476fb
- SHA256
  
  9fe39ac91448cc12f2e9050dd81844ba630db20e7ad63c7c124242c68ac4f23b
- SHA512
  
  4b7b6536555749050f24fefc69dcfb5728de6ffbf6ce69e12d9883b783298f5156895aad9b8d036c9f7520cb9a5136863aa16a4a3e4e82862c7e5b80f69a0455
- SSDEEP
  
  49152:xQSHFuj7kV1RjKx55USO8SA7BpdEB2dPQMo6qMXgzOMfk:2SHw7kV1RhSO8Sc+sQMHq9Bf
Score

3^/10
behavioral3 behavioral4
- Target
  
  mKvXxKFuXZEtgH.bat
- Size
  
  977B
- MD5
  
  0b2981c65f49936014b1f71436375f82
- SHA1
  
  31e9567584fdd57503e7aa8a54295dd06f24ee26
- SHA256
  
  ffdd491ffe1256a06149e8f5e04e1863a02319a54d4cd9b8e5b5241267844aab
- SHA512
  
  9e4dbf211b2f4ea18fcc6bef58ebb5ab37553436884f8a19a30001b95ced510316d2ecc204ad47c1119c4c3b53e0edad6a3400fd6904503f5678ead619ab21b6
Score

10^/10

bumblebee 2009 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee2009evasiontrojan

behavioral2

bumblebee2009evasiontrojan

behavioral3

behavioral4

behavioral5

bumblebee2009evasiontrojan

behavioral6

bumblebee2009evasiontrojan