Overview

overview

10

Static

static

oFWkRTFwjm.zip

windows7-x64

1

oFWkRTFwjm.zip

windows10-2004-x64

10

document.iso

windows7-x64

3

document.iso

windows10-2004-x64

10

documents.lnk

windows7-x64

10

documents.lnk

windows10-2004-x64

10

lipes.dll

windows7-x64

10

lipes.dll

windows10-2004-x64

10

Resubmissions

10-10-2022 17:13

221010-vrjkhacggj 10

03-06-2022 21:56

220603-1tra1seah3 1

03-06-2022 21:55

220603-1swt4sabgp 1

03-06-2022 21:38

220603-1hbq7adhf4 10

03-06-2022 21:28

220603-1brttsdha7 10

Analysis

  • max time kernel
    1573s
  • max time network
    1612s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2022 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oFWkRTFwjm.zip

  • Size

    1.9MB

  • MD5

    972038d369ec6f134fc9b6c617adc328

  • SHA1

    0b74896a84f8e22645d8518135836ea22ae98cde

  • SHA256

    d184c7fac35e68924cf520d33fabc0703198756e096592dd31eec6101b5551e5

  • SHA512

    6ffeefd8c13785500a546e114cd766c8a2b804723511e2bb5ebeca1c5bfe44349b8c91695ac97bcf2da2d77c01530247f771655b132c649fdd9e00e710b4d8af

  • SSDEEP

    49152:zD5Dc1SO2G7y/yephIpER7APBVL3z7SlBPu73fpQ3O7J:BD+6G72yeXIYwBR3Mu7PG30

Score
10/10
bumblebee106revasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

106r

C2

144.19.20.11:443

150.27.81.2:443

46.21.153.145:443

109.45.29.202:443

6.30.139.246:443

236.110.58.103:443

36.110.58.103:443

149.255.35.134:443

9.63.15.101:443

45.147.229.50:443

184.23.74.168:443

139.24.56.111:443

243.45.135.100:443

21.246.85.34:443

79.44.167.23:443

30.17.4.146:443

56.134.87.45:443

16.46.4.333:443

224.145.6.33:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\oFWkRTFwjm.zip
    1⤵
      PID:4928
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1732
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\oFWkRTFwjm\" -an -ai#7zMap7338:100:7zEvent9544
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1468
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\oFWkRTFwjm\" -an -ai#7zMap25951:100:7zEvent9323
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2400
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" lipes.dll,oFWkRTFwjm
        1⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Looks for VirtualBox Guest Additions in registry
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious behavior: EnumeratesProcesses
        PID:4092

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4092-132-0x000001759C450000-0x000001759C567000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4092-133-0x00007FF8350E0000-0x00007FF8350F0000-memory.dmp

        Filesize

        64KB

        Download