bumblebee

General

Target

gate.ps1
Size

197B
Sample

220921-x4822aghh5
MD5

f6fb7d0f27c0f475c1c8e4ee5a926c0a
SHA1

81e71f0b5d07eae5d6adcaed5365131058747f34
SHA256

de4a414a2f1f7f52e1febf7246605fb2c3b5af4fe7dc9af482321e812da5a1eb
SHA512

fe4dc9d0e48805906e20e0d3d2565a24328171a597603baabb340c4b348f78db598746d088621ec758e690f92b0d0b5ee2bad1046855612b0008cd31d65b0b72

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://banuscip.com/gate/dll/7.dll

Extracted

Family

bumblebee

Botnet

1209

C2

142.11.211.32:443

146.59.116.49:443

192.236.155.219:443

rc4.plain

Targets

- Target
  
  gate.ps1
- Size
  
  197B
- MD5
  
  f6fb7d0f27c0f475c1c8e4ee5a926c0a
- SHA1
  
  81e71f0b5d07eae5d6adcaed5365131058747f34
- SHA256
  
  de4a414a2f1f7f52e1febf7246605fb2c3b5af4fe7dc9af482321e812da5a1eb
- SHA512
  
  fe4dc9d0e48805906e20e0d3d2565a24328171a597603baabb340c4b348f78db598746d088621ec758e690f92b0d0b5ee2bad1046855612b0008cd31d65b0b72
Score

10^/10

bumblebee 1209 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

5

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Blocklisted process makes network request

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2