Resubmissions
04-10-2022 21:13
221004-z2w1sschal 10General
-
Target
Invoice_6177_october_PDF.iso
-
Size
3.1MB
-
Sample
221004-z2w1sschal
-
MD5
8d74533876dfa9dba4dd9a5c49fe1c97
-
SHA1
a644ed59f66b3b3af47497a47fe9ab26831b2a99
-
SHA256
0c2ba8cd204753743de636ed9714b1ff24a7cc090b117b02388cb79210085edb
-
SHA512
41fd93881dd93527b5d9e87c67db701a44f8d5c61e1b3b46f29e6b845a6709621c1d592d61b42aa3528274bc3ec34c8ac8a4b07db67c4d9861995e0a6fdb659f
-
SSDEEP
49152:xxkyekKLHC3cjPUV3vkFwJkDZ8nf/yAcJ0beJRMr1TXUhCstOtCp2FmUZr45kq69:KtFQkDAf/rcJ0be3s
Malware Config
Extracted
bumblebee
0310
192.119.74.28:443
54.38.138.5:443
45.141.58.37:443
146.70.147.39:443
146.70.149.48:443
103.144.139.158:443
Targets
-
-
Target
Invoice_6177_october_PDF.iso
-
Size
3.1MB
-
MD5
8d74533876dfa9dba4dd9a5c49fe1c97
-
SHA1
a644ed59f66b3b3af47497a47fe9ab26831b2a99
-
SHA256
0c2ba8cd204753743de636ed9714b1ff24a7cc090b117b02388cb79210085edb
-
SHA512
41fd93881dd93527b5d9e87c67db701a44f8d5c61e1b3b46f29e6b845a6709621c1d592d61b42aa3528274bc3ec34c8ac8a4b07db67c4d9861995e0a6fdb659f
-
SSDEEP
49152:xxkyekKLHC3cjPUV3vkFwJkDZ8nf/yAcJ0beJRMr1TXUhCstOtCp2FmUZr45kq69:KtFQkDAf/rcJ0be3s
Score10/10-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Looks for VirtualBox Guest Additions in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-