bumblebee | 2b379f9fd440fb0e6d5e6dc6f65c4fbf17d31840add7f182ceec78514cedd94a | Triage

Sharing

General

Target

required documents.iso
Size

2.0MB
Sample

221027-ta6s2acfd2
MD5

2de09409720aebd957c2d92316da123c
SHA1

7d0d1ee7c6a4d6e38f8165ee9c0b15fc66a5d73c
SHA256

2b379f9fd440fb0e6d5e6dc6f65c4fbf17d31840add7f182ceec78514cedd94a
SHA512

19bc30965bcd9e29918b8bb2f6f97c2e6c734a3105322615fc8f099f24d0ef2ade97a211ebd023115c930b65c922c6648cc17d6685ada3147381a5d25beb3a7e
SSDEEP

49152:iWMIqdgaiFBRzI9sXUd9BqiIirDxLCll+HaVD7RNPb:2IqdiOwQjIiIH+HaVRND

Score

10^/10

bumblebee 2510 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

2510

C2

69.46.15.158:443

135.125.241.35:443

172.86.120.141:443

rc4.plain

Targets

- Target
  
  required documents.iso
- Size
  
  2.0MB
- MD5
  
  2de09409720aebd957c2d92316da123c
- SHA1
  
  7d0d1ee7c6a4d6e38f8165ee9c0b15fc66a5d73c
- SHA256
  
  2b379f9fd440fb0e6d5e6dc6f65c4fbf17d31840add7f182ceec78514cedd94a
- SHA512
  
  19bc30965bcd9e29918b8bb2f6f97c2e6c734a3105322615fc8f099f24d0ef2ade97a211ebd023115c930b65c922c6648cc17d6685ada3147381a5d25beb3a7e
- SSDEEP
  
  49152:iWMIqdgaiFBRzI9sXUd9BqiIirDxLCll+HaVD7RNPb:2IqdiOwQjIiIH+HaVRND
Score

3^/10
behavioral1 behavioral2
- Target
  
  OUBcVbISpNCsLG.bat
- Size
  
  1KB
- MD5
  
  242b45ffc92adbcc688bbba8e9fb4c89
- SHA1
  
  a4edae5f16f1788ff43c7dfc328753308738af58
- SHA256
  
  8daa11b913b572783934fde9e047bd2a3112dc5a7a35720ca1e3cb3cd74ce84a
- SHA512
  
  2771f636e046302bdf18e568901b52ed61d5cd9db3b226cc6bd900999cd10236e17c9c5cfb874e1e3a001cb5f5c1f4a84b445480018ff4e38433f77da4f3f5e3
Score

10^/10

bumblebee 2510 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral3 behavioral4
- Target
  
  documents.lnk
- Size
  
  995B
- MD5
  
  657e82d44e6e48dc6cb9822bc074e37b
- SHA1
  
  2a8f2a505b1fe7dec3550cc5b2d1969a7aec91a2
- SHA256
  
  9d3b6e8b7bd58f0ff72fb9188e4aefdd988fa86d81043f2850f335bea004b182
- SHA512
  
  16759c899c1c08688885ba4c9b5d8b3a43583b5d2bd8ce3824a0de422cc34dfe5385241e058d7f1862b4a4de0f5ed1727b1a41e0d0e00b87fd7b444d6924ce9a
Score

10^/10

bumblebee 2510 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6
- Target
  
  lXNqexIxTwBWAS.dll
- Size
  
  1.9MB
- MD5
  
  9defcff2b09c7d842d70c5dbf1614c4b
- SHA1
  
  07725122a95bd5ea5b9136b9a6363ecdff4a8a49
- SHA256
  
  1df0e65db9d41ebd6941aacbadeb935933b3e5ee2805eb89d340d097ac83285c
- SHA512
  
  fd679395efc4030cdff339526355c3c962e0fd21b37f9f5d1ac29be29970c564b9b28105c1437ee67d0f508f0b557eb7c4b471c9a63d6149a330d5b9ab8794a1
- SSDEEP
  
  49152:0WMIqdgaiFBRzI9sXUd9BqiIirDxLCll+HaVD7RNPb:YIqdiOwQjIiIH+HaVRND
Score

3^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

bumblebee2510evasiontrojan

behavioral4

bumblebee2510evasiontrojan

behavioral5

bumblebee2510evasiontrojan

behavioral6

bumblebee2510evasiontrojan

behavioral7

behavioral8