bumblebee

Resubmissions

06-10-2022 12:56

221006-p6exzahfem 10

06-10-2022 12:52

221006-p4h7lshde3 3

19-09-2022 16:57

220919-vggcdshdf9 3

Sharing

Copy URL

Twitter E-mail

General

Target

54dee3dd5f14aba8b0d62ceaa419a777a3f1f070b49767f6545a2729ab65d3b1
Size

3.6MB
Sample

221006-p6exzahfem
MD5

77e5ff1e4eff690fdcc6e0ba9877e1e6
SHA1

721b9448b4e54046e156b8ad3b35a8833ecd5daf
SHA256

54dee3dd5f14aba8b0d62ceaa419a777a3f1f070b49767f6545a2729ab65d3b1
SHA512

dd853f675de53ae50ea1618c097a2acf2c332c9eb35efefbe6e2dc56eaf16b7ef4bde5f496fe3c16ec1a877cbd0865600ce78ee378a30f37bb9df010511cb686
SSDEEP

24576:6uMZRLX8+gpL/+2thqiWjJa9cRXtdN86CHXuPVvDVHBXVWcs+lwWTAYq3/ny1Ow+:6jZJ8+gpL/hWjoe

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

1909

108.177.235.29:443

23.106.160.117:443

23.106.215.133:443

rc4.plain

Targets

- Target
  
  54dee3dd5f14aba8b0d62ceaa419a777a3f1f070b49767f6545a2729ab65d3b1
- Size
  
  3.6MB
- MD5
  
  77e5ff1e4eff690fdcc6e0ba9877e1e6
- SHA1
  
  721b9448b4e54046e156b8ad3b35a8833ecd5daf
- SHA256
  
  54dee3dd5f14aba8b0d62ceaa419a777a3f1f070b49767f6545a2729ab65d3b1
- SHA512
  
  dd853f675de53ae50ea1618c097a2acf2c332c9eb35efefbe6e2dc56eaf16b7ef4bde5f496fe3c16ec1a877cbd0865600ce78ee378a30f37bb9df010511cb686
- SSDEEP
  
  24576:6uMZRLX8+gpL/+2thqiWjJa9cRXtdN86CHXuPVvDVHBXVWcs+lwWTAYq3/ny1Ow+:6jZJ8+gpL/hWjoe
Score

10^/10

bumblebee 1909 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2