bumblebee | b571faa608a981105f0460162742a4174d2d02ff5aae88e6ddd06bd8c1cc51a7 | Triage

Sharing

General

Target

tXH6pgipgRBfBGAWJ0KkF00tAv9arojm3dBr2MHMUac.bin
Size

2.3MB
Sample

221019-t493jsgdak
MD5

cde5d48f6b460234aea878aaf816eb6e
SHA1

aab774d9da9efc296c9951578f264075e719b9a1
SHA256

b571faa608a981105f0460162742a4174d2d02ff5aae88e6ddd06bd8c1cc51a7
SHA512

5ed0524ec7911ac190e88de7e480446c2cc80e89f8180fc397b71523149e6c77c09e5e5b67abc7d04352dbf87d77c49cf7b0b0c82665ac46504ee707ecffb698
SSDEEP

49152:wf3/T7IEjqQK7GmsMKyNFyHbL8A0B1cJP:g3//3mn7G0vy7QA0B1cJP

Score

10^/10

bumblebee 1710 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1710

C2

198.98.59.245:443

146.19.173.148:443

45.61.185.227:443

rc4.plain

Targets

- Target
  
  DETAILS.lnk
- Size
  
  995B
- MD5
  
  cadc4156a4d9e1c398f6eb54957a8c9b
- SHA1
  
  2fe2e1366bfcb30249188043d14f6cb749292989
- SHA256
  
  7e4816c16bd3766ccb4dba5e4dff725f3936233f8aff9cddb904347f17118cd7
- SHA512
  
  88a8c007d791c7dccf500762a587dd4438da4c53253cb43588e7ac216cd77ba97d5f6d59559a671ebcc120b8f2ae2befc6e03d5f3b8024c8d529f5805058db4e
Score

10^/10

bumblebee 1710 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  HcDTvUxhMvlLtX.dll
- Size
  
  2.3MB
- MD5
  
  bc1835f0440c14366ec2f9938e4f3179
- SHA1
  
  8baed6529536aec22a320248b3dc80d02d6e3219
- SHA256
  
  c78290da99475f965ce54f737e0927a9855e03c9a27f2ee7a797562533779305
- SHA512
  
  b303957bce012e38ddfb78c9dd0237647623dcfff7919feadceef1f0f52185ead5dcab94f65597abc97d979d8b0735086f83b575f3117324e70f2871f8398134
- SSDEEP
  
  49152:if3/T7IEjqQK7GmsMKyNFyHbL8A0B1cJPr:K3//3mn7G0vy7QA0B1cJPr
Score

3^/10
behavioral3 behavioral4
- Target
  
  lZrFnyxCjMmiEL.bat
- Size
  
  1KB
- MD5
  
  51e6d846c536f09bb850653ae80658ba
- SHA1
  
  00d1f6aeb5eb543ea5dbcbabd1ecf150d835e252
- SHA256
  
  88da40b5d0a5d9b1adeda161d460ea7598211ab52bc2eac03a098eb665994a16
- SHA512
  
  1f1043cd472355f5532eb18678b3ebfd1b805910c8b3f9faa6430a4d84434eeab6d5f561cfa1dc568371e82d7d6fdb49d3e98865dfc858c318d038ca9fcaafbc
Score

10^/10

bumblebee 1710 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee1710evasiontrojan

behavioral2

bumblebee1710evasiontrojan

behavioral3

behavioral4

behavioral5

bumblebee1710evasiontrojan

behavioral6

bumblebee1710evasiontrojan