bumblebee | c25f5f86ab2aa4928dbc144a55a92ed5be6558787ac0f450d6411d85076547b7 | Triage

Submit
Reports

Overview

overview

Static

static

8

details.xlsb

windows7-x64

1

details.xlsb

windows10-2004-x64

Sharing

General

Target

details.xlsb.xlsx
Size

208KB
Sample

221021-2h8atshea9
MD5

98636e940474f0bebfcc03db617aaf36
SHA1

405dfe612512d6a0a04cb1fa8a9bd3238304edec
SHA256

c25f5f86ab2aa4928dbc144a55a92ed5be6558787ac0f450d6411d85076547b7
SHA512

90601425e5a388b4a188707a9ab72d07b4312092620e75354c144cf1d2a711bd251325d2d13ee72f3432fc1df4bdd0fed5c3a1644223aeea62dd27fa436ba98b
SSDEEP

6144:KehHpGTRt0hgI/qm1Uz/SyQI9dTbmeo70uWoeJJggmA8:KehHYRt0Wax1ASrWfJaZA8

Score

10^/10

bumblebee 2010m evasion macro trojan xlm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

details.xlsb

Resource

win7-20220812-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

details.xlsb

Resource

win10v2004-20220901-en

bumblebee 2010m evasion trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

bumblebee

Botnet

2010m

C2

23.106.160.112:443

146.59.116.146:443

172.93.193.220:443

rc4.plain

Targets

- Target
  
  details.xlsb.xlsx
- Size
  
  208KB
- MD5
  
  98636e940474f0bebfcc03db617aaf36
- SHA1
  
  405dfe612512d6a0a04cb1fa8a9bd3238304edec
- SHA256
  
  c25f5f86ab2aa4928dbc144a55a92ed5be6558787ac0f450d6411d85076547b7
- SHA512
  
  90601425e5a388b4a188707a9ab72d07b4312092620e75354c144cf1d2a711bd251325d2d13ee72f3432fc1df4bdd0fed5c3a1644223aeea62dd27fa436ba98b
- SSDEEP
  
  6144:KehHpGTRt0hgI/qm1Uz/SyQI9dTbmeo70uWoeJJggmA8:KehHYRt0Wax1ASrWfJaZA8
Score

10^/10

bumblebee 2010m evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bumblebee2010mevasiontrojan

© 2018-2025

Terms | Privacy