General

  • Target

    8212767132.zip

  • Size

    177KB

  • Sample

    221024-lz5y2afha2

  • MD5

    05000ae2e2d604cd7f0d953e5a39be04

  • SHA1

    d7dd17dc14fbf6a33f604c6ebaf71e6499a1dff1

  • SHA256

    7b16d288c77688f617ac39cda69d397f7fe6e87172514f76d3ac1e2623dc41bd

  • SHA512

    f9fb2d3d086e4d9a5f362aa07bda9be10e3cdb8f36b38c9e64a5d27e8f2c582d82dc4f990e240b71d0610d0964228489151c87d5132f642e268850ede373139b

  • SSDEEP

    3072:H9Rot88R4UXB+OPJMuBGYhdMCzM+b5honjC9O04JsBrKGtpr9azncF1:HG88WW5PlYxCgYajsMstTDr9azE

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

Extracted

  • Family

    bumblebee

  • Botnet

    2010m

  • C2

    23.106.160.112:443

    146.59.116.146:443

    172.93.193.220:443

  • rc4.plain

Targets

    • Target

      a1ec21eda64e0a6edc5f16978c6b752c66f4338a9d750fa246c7344a8c76ad90

    • Size

      208KB

    • MD5

      b8c86fdc6fc2479498b92d474021d8c5

    • SHA1

      8256aed96aa28b8d80956d5022bf5ada15218927

    • SHA256

      a1ec21eda64e0a6edc5f16978c6b752c66f4338a9d750fa246c7344a8c76ad90

    • SHA512

      2e4f21d5675bf7ee2b1edc3af51afff3d48ba2288f863e5c5ab3412494495eeafbb4c8e5fa53688c784fdd9ae110d445158b56dc831f9128012dd99f9b5e1f8f

    • SSDEEP

      6144:CehHpGTRt0hgI/qm1Uz/SyQI9dTbmeo70uWoeJJggmA8:CehHYRt0Wax1ASrWfJaZA8

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks