bumblebee | 43a1c18af9fd05064e90c71f096262524ca181aa98df211c2365396067e9994b | Triage

Resubmissions

16-10-2022 15:45

221016-s7jjbshffn 10

19-09-2022 15:00

220919-sdbxdshgdj 10

Sharing

General

Target

project-details-09-22-25.vhd
Size

8.0MB
Sample

221016-s7jjbshffn
MD5

0e4a2adbf17815f16b4a988553b7c28b
SHA1

93d0b4b7da66c6dcc2b395bccec4a76ff412f2d3
SHA256

43a1c18af9fd05064e90c71f096262524ca181aa98df211c2365396067e9994b
SHA512

930790e9e58fbb1ca3bc9817a55dc2e7045ccb65fb43ba0e50d74c53f363ada9759344e271184ad10e4d475956d3e24ff673ca28b09930148fd5af76fca5221c
SSDEEP

24576:F4kkbEgHWUYr/Ql/V6+Zr0dyFMftqscMOdIYro8u6c4KCtrw9:FhkbEg29sl6O

Score

10^/10

bumblebee 1909 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1909

C2

172.93.193.42:443

45.153.243.126:443

213.227.154.19:443

rc4.plain

Targets

- Target
  
  Details.lnk
- Size
  
  995B
- MD5
  
  fc6d9fe3fae2bc903bae5b0b2afaca0e
- SHA1
  
  c9509d46c804b5d71e197f9c56dcadc2a2c19f79
- SHA256
  
  cda1e1f1bcf7047878596723ef13fc1231aad4b49ac0e0df335d885099e0694c
- SHA512
  
  69e0c8b50659238135241bcf48ab83abf39b952d60c9266da347bee0f6ff9224a833841fd67e224bfaddae624bfe553770a35a1b206485ebeeb0ac35f995f0ab
Score

10^/10

bumblebee 1909 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1
- Target
  
  XLojGEhKNSWWGb.bat
- Size
  
  973B
- MD5
  
  63de17452db09348dea473ff97592d32
- SHA1
  
  9d5bdddbc277b1440ed0097df5dc6041f2cdec56
- SHA256
  
  29f73ca6dd1c1f7477eec453215140feb67504f97ea58dbd2835411585eef24a
- SHA512
  
  059453fa5266b4b453fb05026e6ee5b3c2646c3aeac9e79e09f0a3c6ab6a531a9a8866ed0ce9693791ff567be5b099a157f1ad58daeef2235051208f60e209c2
Score

10^/10

bumblebee 1909 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral2
- Target
  
  uOAxPaiprCVzvn.dll
- Size
  
  3.6MB
- MD5
  
  60658cdb2f273a1a9c18ee8ff5118112
- SHA1
  
  d4665150bec840c6e8be62c2c6cdebc42ef5ea19
- SHA256
  
  ded7c0c21ca7f16e70ed2b1a774bab54019d6b3fb865677eba254edeafd7b91e
- SHA512
  
  05989c1aefce87569dfe31de09507ec965123e8b776db237c8c974cebe8c5c275858ccfbcec3124e5fc0450442afac0d2a08cee3919ac9bc68e19c06128c46e6
- SSDEEP
  
  24576:Q4kkbEgHWUYr/Ql/V6+Zr0dyFMftqscMOdIYro8u6c4KCtrw9:QhkbEg29sl6O
Score

3^/10
behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee1909evasiontrojan

behavioral2

bumblebee1909evasiontrojan

behavioral3