bumblebee

Resubmissions

09-10-2022 13:56

221009-q8rj8ahbhr 10

09-10-2022 13:55

221009-q78r4shbhn 3

09-10-2022 13:38

221009-qxcxpahad5 3

07-10-2022 14:03

221007-rct6xachbp 3

Sharing

Copy URL

Twitter E-mail

General

Target

Invoice_unpaid#4103.iso
Size

2.8MB
Sample

221009-q8rj8ahbhr
MD5

6bb0a020774dcc2f7420ad78148edb97
SHA1

9d44941088da4c1c88900f012a07ec7b5ed3ef55
SHA256

3447ba5b8c816bf1f1429b2f130603efcb7b5d4b3bc004f4694dc2fb68ec9780
SHA512

0c1dabe119488ceec631d58a6f76c80ec9add19c51fd0d00538ffe4231395eaf363501959ac998e22e23a6934b12a820ea22aa69e5869c657b23109e669d1c89
SSDEEP

49152:CCP/6PLKTZLk+qM/6ZakaGs810EntI9mHchyN1fPan8/v4y9:N20v/wSU1082mHzpPan0

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

0610

45.147.231.156:443

208.115.216.246:443

23.29.115.164:443

45.61.186.18:443

51.83.250.102:443

192.119.77.44:443

rc4.plain

Targets

- Target
  
  Invoice_unpaid#4103.iso
- Size
  
  2.8MB
- MD5
  
  6bb0a020774dcc2f7420ad78148edb97
- SHA1
  
  9d44941088da4c1c88900f012a07ec7b5ed3ef55
- SHA256
  
  3447ba5b8c816bf1f1429b2f130603efcb7b5d4b3bc004f4694dc2fb68ec9780
- SHA512
  
  0c1dabe119488ceec631d58a6f76c80ec9add19c51fd0d00538ffe4231395eaf363501959ac998e22e23a6934b12a820ea22aa69e5869c657b23109e669d1c89
- SSDEEP
  
  49152:CCP/6PLKTZLk+qM/6ZakaGs810EntI9mHchyN1fPan8/v4y9:N20v/wSU1082mHzpPan0
Score

10^/10

bumblebee 0610 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Enumerates connected drives

Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2