bumblebee | 38621b07458c3e8494115cd3cd6673ffaca372e87745f08d70a4838fcac33dbf | Triage

Sharing

General

Target

files.zip
Size

2.0MB
Sample

221019-zfbsqsgbak
MD5

131f51b3c756f33e58d3d202291358f5
SHA1

5dae4eb347ca9d4485471a61a013a877986eae8e
SHA256

38621b07458c3e8494115cd3cd6673ffaca372e87745f08d70a4838fcac33dbf
SHA512

c01c6005fd2c7a9f669c740f8d6827b101d995f3a4a9a88e22a3a1a02080331aa0baf4dcebc3a8155061e00827903975ded25d956774014e811df633367ca2d0
SSDEEP

49152:G+F3zuPlHMbXGIXNEDNVh1brQ3RVOhLUKXKQWVhKwm6lc:G+Fju9OjNErngVWLUKXKQ4JBlc

Score

10^/10

bumblebee 1710 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1710

C2

198.98.59.245:443

146.19.173.148:443

45.61.185.227:443

rc4.plain

Targets

- Target
  
  DETAILS.lnk
- Size
  
  995B
- MD5
  
  cadc4156a4d9e1c398f6eb54957a8c9b
- SHA1
  
  2fe2e1366bfcb30249188043d14f6cb749292989
- SHA256
  
  7e4816c16bd3766ccb4dba5e4dff725f3936233f8aff9cddb904347f17118cd7
- SHA512
  
  88a8c007d791c7dccf500762a587dd4438da4c53253cb43588e7ac216cd77ba97d5f6d59559a671ebcc120b8f2ae2befc6e03d5f3b8024c8d529f5805058db4e
Score

10^/10

bumblebee 1710 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  HcDTvUxhMvlLtX.dll
- Size
  
  2.3MB
- MD5
  
  bc1835f0440c14366ec2f9938e4f3179
- SHA1
  
  8baed6529536aec22a320248b3dc80d02d6e3219
- SHA256
  
  c78290da99475f965ce54f737e0927a9855e03c9a27f2ee7a797562533779305
- SHA512
  
  b303957bce012e38ddfb78c9dd0237647623dcfff7919feadceef1f0f52185ead5dcab94f65597abc97d979d8b0735086f83b575f3117324e70f2871f8398134
- SSDEEP
  
  49152:if3/T7IEjqQK7GmsMKyNFyHbL8A0B1cJPr:K3//3mn7G0vy7QA0B1cJPr
Score

3^/10
behavioral3 behavioral4
- Target
  
  lZrFnyxCjMmiEL.bat
- Size
  
  1KB
- MD5
  
  51e6d846c536f09bb850653ae80658ba
- SHA1
  
  00d1f6aeb5eb543ea5dbcbabd1ecf150d835e252
- SHA256
  
  88da40b5d0a5d9b1adeda161d460ea7598211ab52bc2eac03a098eb665994a16
- SHA512
  
  1f1043cd472355f5532eb18678b3ebfd1b805910c8b3f9faa6430a4d84434eeab6d5f561cfa1dc568371e82d7d6fdb49d3e98865dfc858c318d038ca9fcaafbc
Score

10^/10

bumblebee 1710 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee1710evasiontrojan

behavioral2

bumblebee1710evasiontrojan

behavioral3

behavioral4

behavioral5

bumblebee1710evasiontrojan

behavioral6

bumblebee1710evasiontrojan