bumblebee | 790695bf25129b28c2f7c1de1428bdf5db8acb34b3a1d38e41c72a80d7278069 | Triage

Sharing

General

Target

files.zip
Size

1.9MB
Sample

221020-2wyzbaabbn
MD5

508fb2c6759fc1683e4e6cf905626ed9
SHA1

eb448d6101da2a319c46d2e14d760cb4e6213c58
SHA256

790695bf25129b28c2f7c1de1428bdf5db8acb34b3a1d38e41c72a80d7278069
SHA512

61419b56afbbcb71eee2396d2f02a1c1b2257e7b2a1dc394cd235682673ee30a9a4c2317087e1ca8cad391f748244ed9c7b4a21e7fc0abfca23c58a27fd187b2
SSDEEP

49152:LNhMDekg347Wejua+2wnXyfA30DvxkqGfgW8ouLw9:LNhChVbjuiwnXyfXjxkqupuE9

Score

10^/10

bumblebee 1810 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1810

C2

198.98.59.245:443

45.61.185.227:443

45.153.242.242:443

146.19.173.148:443

rc4.plain

Targets

- Target
  
  NaTfRzldqphjNX.bat
- Size
  
  1KB
- MD5
  
  6a7f2ccbd058d6f6809cc23b70ea3a58
- SHA1
  
  17ac1fa51fe4c6970dd40d238a7b20e6380da69b
- SHA256
  
  1a41b969b6533f8429dc8c252963e04ac3b1c911147ff750ea6f357f6ff18434
- SHA512
  
  bafeee1d0e3017faa5634acac856cb6bd29a834aa153b64f756360c8675e1f3a4bf06197b929da0bd9dea1da613b7d973b4025fe547861c4529990a34659efc8
Score

10^/10

bumblebee 1810 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  kcftZUmITYgNCj.dll
- Size
  
  3.6MB
- MD5
  
  59e784a067345a37edb515c36f561c19
- SHA1
  
  102d63cb15a2b2a09408f6c9f216fb897b80d625
- SHA256
  
  501bd028925f20d7ebaca6b0ef50a90f0716579920df0b7aa2a44da862a06c68
- SHA512
  
  9b8778e40d100cbb76248b410eebe5fce9b07faee0d87f49c481ef70774be8a7a69847378f8f90a1ca0a5efaaef8cba9a1bdd96ca415f1276b22b8beef797faa
- SSDEEP
  
  49152:4DKZOp4/wXojetiGde8wzcVZWKOhGV1WqRqiW:UKZOp4/wttjE8NZWKOhGV1WqRqiW
Score

3^/10
behavioral3 behavioral4
- Target
  
  project details.lnk
- Size
  
  995B
- MD5
  
  9495ea4d16857eedd24f80dd980f1c12
- SHA1
  
  4a4743cbdcaa59cde9bd00dee81fe1c74c1a0538
- SHA256
  
  c6ec33118502a7d05057a3e9d203ae569f664d9899a5a5e955c0cdf23cf6be00
- SHA512
  
  8f4054bf35854ae2411fa8561fdd024051ec6ddb1ad9af017ad5dd31ebbebe998f2eb4bf8c2af815fbc7519f7876235cd460db9ce986d821eeaea4056fa67c94
Score

10^/10

bumblebee 1810 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bumblebee1810evasiontrojan

behavioral2

bumblebee1810evasiontrojan

behavioral3

behavioral4

behavioral5

bumblebee1810evasiontrojan

behavioral6

bumblebee1810evasiontrojan