bumblebee | 6581212a5a17193ec0a33c6df595b5d3718ffd2cf139f9e6d6200496511d4c99 | Triage

Resubmissions

31-10-2022 11:02

221031-m5mkbaagb9 10

27-10-2022 17:41

221027-v9ez2adagn 10

Sharing

General

Target

Mutual NDA.iso
Size

3.3MB
Sample

221027-v9ez2adagn
MD5

a67536d6f5ac9795ee10c3f47264da8e
SHA1

9084276d044011f1729813108fc228e8496f6205
SHA256

6581212a5a17193ec0a33c6df595b5d3718ffd2cf139f9e6d6200496511d4c99
SHA512

12f5dcf01e8c5439a90dd64db2277af8625bcf81d915a128d24db76b1d9467b23f5f466f1f59cd355b71349dce2cea2ad709fdf2a8bf569e867870f1307c6e82
SSDEEP

49152:LWsNTrbjaWSNgrJ33PjAgEhI5rxK0uEuiY0YtZMK23:LW

Score

10^/10

bumblebee 2510 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

2510

C2

69.46.15.158:443

135.125.241.35:443

172.86.120.141:443

rc4.plain

Targets

- Target
  
  Mutual.pdf
- Size
  
  70KB
- MD5
  
  9672b8df2bfb3d9435b85e477dfead51
- SHA1
  
  be76ec9e0b5f903afea0943e9bbc7ffd6ef2766f
- SHA256
  
  73c818b60eea60e6c1a1e5688a373c6b8376ca4ea2ff269695fe6eeef134b3c8
- SHA512
  
  d3709875302560b329c6588c33a0fb7bf0083992298e9e26cd8282537f1224f720153df95af7fbc46b53531ba9fe8ff8af5370e9b7dc120a783e0fa44f4501b0
- SSDEEP
  
  1536:BSi4NgDe46MMtD1sVt+NQmz9VuyfoMN5WzzJxXkC02b3YnM0i:giBe46xD1sX+C2syAMNYxXNDbIu
Score

1^/10
behavioral1 behavioral2
- Target
  
  Mutual_67.pdf.exe
- Size
  
  316KB
- MD5
  
  982bf5b99b3ca20cfc0d93444ca1c40d
- SHA1
  
  77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da
- SHA256
  
  7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1
- SHA512
  
  d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508
- SSDEEP
  
  6144:4t5hBPi0BW69hd1MMdxPe9N9uA069TBBGFrnn:4tzww69TTI
Score

10^/10

bumblebee 2510 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral3 behavioral4
- Target
  
  name.js
- Size
  
  2.9MB
- MD5
  
  a9f348be577f108d379aad0028581b62
- SHA1
  
  1b40e0080a659f9be8bc5f7d6ca55f455a8878d2
- SHA256
  
  9738196ea440301b0666fb6553b69e79ca60a563b6577d77d40aa871ed25c366
- SHA512
  
  6cb731f4f822de8a27738c1613e3633cc5c090f801dfb696f1c0eea6d389836be99c591e30886cceb895cf538b908ffa958c3ecebe7990032a9b265ed0b55274
- SSDEEP
  
  49152:kbjaWSNgrJ33PjAgEhI5rxK0uEuiY0YtZMK23Y:f
Score

10^/10

bumblebee 2510 evasion trojan
- BumbleBee
  BumbleBee is a webshell malware written in C++.
  trojan bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

bumblebee2510evasiontrojan

behavioral5

behavioral6

bumblebee2510evasiontrojan