Resubmissions

13-10-2022 05:26

221013-f44zmsagfm 10

13-10-2022 05:21

221013-f2ft2abae7 1

05-07-2022 20:58

220705-zsep6achfq 10

General

  • Target

    transferxlSample_20220705.zip

  • Size

    902KB

  • Sample

    221013-f44zmsagfm

  • MD5

    d66ea6735b47272a98cf7ec20bb9a8f4

  • SHA1

    b8ced910cffb3a4623b28ae679572d92d48304f9

  • SHA256

    c5ae818f3e0fe518e0aaadac7b21ba6477943b57465fe2ded1717b7a9f1705b6

  • SHA512

    6abb17878d558d8efdc19aa01aba1fa43648b0e2d193456e12d85e9fbdd5c567df2c43e8a7a204d53c5028aeccc5cec854e385784ed76d06733fed0fe1368ed8

  • SSDEEP

    24576:9eHjG3yJ0Efhkgb0Dei7L/gFjSKlFvEXoDnTRO3:9eHcm7hP0DeV9XaXoPM

Malware Config

Extracted

Family

bumblebee

Botnet

407a

C2

103.175.16.49:443

209.141.41.46:443

45.153.242.183:443

rc4.plain

Targets

    • Target

      Project requirements.lnk

    • Size

      1KB

    • MD5

      6ca6a8b1a8d781bc91444dc2402d3f58

    • SHA1

      a66015ece818c3c35d0ae8a400ee9c102425186b

    • SHA256

      3926bec362d86edc8fcc4e283d6b93b21108d6b9d194de9fc1108df2944b0319

    • SHA512

      f778da9c3762ceb37b65c6ba6864e6158e44a99eb776108825c02b4bb56dc309ec4998eb66b053cff99984294f49365b6a50bf8e83e07ec58782a80fbdf5b2a9

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      prjct.dll

    • Size

      1.5MB

    • MD5

      dd9751f48c134f502d5a7a5b39b482be

    • SHA1

      d7ecfa85e28318bd0179d321be7d32c468fc9dae

    • SHA256

      cbef35e0d91b5f169a3bd617c9ebcb3ea025439cb98e3d4a7dbeed4be65b6ef2

    • SHA512

      381889e149f2b49a50f312c47e1e42cefd7bb5eb79013b2ff3213b5161160015f7f75d6b3d4d4f9b07a303599e904433a271fdcada8255e7deb229e8ad6dc6b9

    • SSDEEP

      24576:0nA0ZF8YNPCW9dlicjpZVCkgJ0jlSN/wUx1DmFbxsxhz4tW7:0nA0oKPCWocjpZVz00jhUx1D5z3

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks