bumblebee

General

Target

file.zip
Size

1.5MB
Sample

221004-tp1wbsbger
MD5

1759f953ebb404712e8a007b2f2ce3f1
SHA1

21abd8da602d80a8354bd41a06924760baba0192
SHA256

ee868be2d9b4762b0568773ef5b2d5dd16f9cd46b0785ea178b24a44c0fa25ae
SHA512

5282810fdcc9541995d158cf9abfcd0d3ed7cb511af69ef2068764d7abc3cc431bcedf896b0525ac32f01423e062313c1627c0afe685b80882f959aa020dcd8a
SSDEEP

24576:RN1dnQDA9/v5gKyKDXPcDmfrE7Vr6xRN9MAKJalxEoVCSnmlQ4R:31V3thgKyWXPcDmjq649JalxEYMQ4R

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

0310

C2

146.59.117.200:443

192.255.188.11:443

149.3.170.62:443

rc4.plain

Targets

- Target
  
  NDA.lnk
- Size
  
  1KB
- MD5
  
  fdc406b3cd7bdcbc6353cd24613136d0
- SHA1
  
  fdbd4e1724ee0c44856e634d7c4eef797eced829
- SHA256
  
  3d2f1bbad8936c9f555642b7ab2af20a6dfaae047378d352989b8d9d5d5efad4
- SHA512
  
  1148b23b1ba84d997653b53552f3008e8cca9c29a93c24cb3ea6f7c03a962ac3a96772504406fd2e733f0ae05d2f0871a2a109e3a76a8ebe9cae91cb93b639a5
Score

10^/10

bumblebee 0310 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  clear.dll
- Size
  
  2.8MB
- MD5
  
  c04feb8231da5188c2fd829a04b08c80
- SHA1
  
  a70ebd8d5ae4a926f1227364c014be27e08fd8a0
- SHA256
  
  231d52de3ac6088dbf23871340e5495af9e441e0fd56f562f0f22bcb0d7a1f3e
- SHA512
  
  eadf248f4fe599af7b889ff1b143eb09ee5b3d5c68e922d06f5e6643c15fadaddc8a61d17fc8ab24991aba75d393e36790a8d5d94b5acd11083a635e2d920b6a
- SSDEEP
  
  49152:LUV3vtDSorKBLIXzOp4OuDkSSpc0hRpCLOdX+il7WAVnq:QDdrKBMCN6
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4