Extracted

• • Target

    grasbly.dll.exe

  • Size

    3.6MB

  • MD5

    1e97fac877fd16aa937bdc35714cc058

  • SHA1

    ef7687fd12df2a102e443a9cfa6c09a1f16b0035

  • SHA256

    ddb9895f9e74d3e7db4e94aa77338fdc221ed29f29857a9752545cddcf8f45a6

  • SHA512

    3d62557bfa3903b59275a0d9ff910e4382a4d574d7d27d1c23d9755368b735ac3be2f49f7021816051cf85a92e913cb5b7d4b3cafe8aded0e602900875caba90

  • SSDEEP

    24576:E3RgLkXy4o8Bhf1d9I25Xroti/mb8RqrU9dveOgTRXfXAffHjonc64PZmwfzbpSc:EBgLOM8bfVI25lm6n9klBfGt6AZbZSq

  Score

  10^/10

  bumblebee2010mevasiontrojan

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee

  • Enumerates VirtualBox registry keys

    evasion

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Suspicious use of NtCreateThreadExHideFromDebugger

  behavioral1behavioral2