bumblebee | b47bad8968dbe798ac7dc1a5648206c1819160ecd68449d9dd82ba19a0296288 | Triage

Resubmissions

28-09-2022 17:46

220928-wcfezahghq 1

28-09-2022 17:45

220928-wbw2bsgga4 1

28-09-2022 17:41

220928-v9h2pagfh3 3

28-09-2022 17:38

220928-v7n5xshggr 1

28-09-2022 17:33

220928-v4vtasgfg2 1

28-09-2022 17:30

220928-v3f9hshggk 1

28-09-2022 17:23

220928-vyaaeahgfk 10

28-09-2022 17:13

220928-vrh9qshgdq 1

28-09-2022 17:10

220928-vpztpshgdn 1

28-09-2022 17:08

220928-vnl68ahgdk 3

Sharing

General

Target

Invoice_09-12-22_order_157.iso
Size

4.2MB
Sample

220928-vyaaeahgfk
MD5

b1938ffbd6dcc69183382302604e84e5
SHA1

6d9984400b133cf92289d8ccd129f5d7133ce268
SHA256

b47bad8968dbe798ac7dc1a5648206c1819160ecd68449d9dd82ba19a0296288
SHA512

736e695281ed259e616d0862c64ebff16cd845767e5998162f0e7e0fe0161a0be037d17be5beb8ccade317008004880b834dab851cff04897bfa434995d33a3c
SSDEEP

49152:PA4O7LDVaMxLT7IHXcnfwYcoAVGnUmEd70dl4ievKgTN:PAZD3SYUmE2dl4jK

Score

10^/10

bumblebee 1209 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1209

C2

142.11.211.32:443

146.59.116.49:443

192.236.155.219:443

rc4.plain

Targets

- Target
  
  Invoice_09-12-22_order_157.iso
- Size
  
  4.2MB
- MD5
  
  b1938ffbd6dcc69183382302604e84e5
- SHA1
  
  6d9984400b133cf92289d8ccd129f5d7133ce268
- SHA256
  
  b47bad8968dbe798ac7dc1a5648206c1819160ecd68449d9dd82ba19a0296288
- SHA512
  
  736e695281ed259e616d0862c64ebff16cd845767e5998162f0e7e0fe0161a0be037d17be5beb8ccade317008004880b834dab851cff04897bfa434995d33a3c
- SSDEEP
  
  49152:PA4O7LDVaMxLT7IHXcnfwYcoAVGnUmEd70dl4ievKgTN:PAZD3SYUmE2dl4jK
Score

10^/10

bumblebee 1209 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bumblebee1209evasiontrojan