Overview

overview

10

Static

static

Mutual.pdf

windows7-x64

1

Mutual.pdf

windows10-2004-x64

1

Mutual_67.pdf.exe

windows7-x64

3

Mutual_67.pdf.exe

windows10-2004-x64

10

name.js

windows7-x64

3

name.js

windows10-2004-x64

10

Resubmissions

31-10-2022 11:02

221031-m5mkbaagb9 10

27-10-2022 17:41

221027-v9ez2adagn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Mutual NDA.iso

  • Size

    3.3MB

  • Sample

    221031-m5mkbaagb9

  • MD5

    a67536d6f5ac9795ee10c3f47264da8e

  • SHA1

    9084276d044011f1729813108fc228e8496f6205

  • SHA256

    6581212a5a17193ec0a33c6df595b5d3718ffd2cf139f9e6d6200496511d4c99

  • SHA512

    12f5dcf01e8c5439a90dd64db2277af8625bcf81d915a128d24db76b1d9467b23f5f466f1f59cd355b71349dce2cea2ad709fdf2a8bf569e867870f1307c6e82

  • SSDEEP

    49152:LWsNTrbjaWSNgrJ33PjAgEhI5rxK0uEuiY0YtZMK23:LW

Score
10/10
bumblebee2510evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

2510

C2

69.46.15.158:443

135.125.241.35:443

172.86.120.141:443
rc4.plain

Targets

    • Target

      Mutual.pdf

    • Size

      70KB

    • MD5

      9672b8df2bfb3d9435b85e477dfead51

    • SHA1

      be76ec9e0b5f903afea0943e9bbc7ffd6ef2766f

    • SHA256

      73c818b60eea60e6c1a1e5688a373c6b8376ca4ea2ff269695fe6eeef134b3c8

    • SHA512

      d3709875302560b329c6588c33a0fb7bf0083992298e9e26cd8282537f1224f720153df95af7fbc46b53531ba9fe8ff8af5370e9b7dc120a783e0fa44f4501b0

    • SSDEEP

      1536:BSi4NgDe46MMtD1sVt+NQmz9VuyfoMN5WzzJxXkC02b3YnM0i:giBe46xD1sX+C2syAMNYxXNDbIu

    Score
    1/10
    behavioral1behavioral2

    • Target

      Mutual_67.pdf.exe

    • Size

      316KB

    • MD5

      982bf5b99b3ca20cfc0d93444ca1c40d

    • SHA1

      77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da

    • SHA256

      7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1

    • SHA512

      d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508

    • SSDEEP

      6144:4t5hBPi0BW69hd1MMdxPe9N9uA069TBBGFrnn:4tzww69TTI

    Score
    10/10
    bumblebee2510evasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral3behavioral4

    • Target

      name.js

    • Size

      2.9MB

    • MD5

      a9f348be577f108d379aad0028581b62

    • SHA1

      1b40e0080a659f9be8bc5f7d6ca55f455a8878d2

    • SHA256

      9738196ea440301b0666fb6553b69e79ca60a563b6577d77d40aa871ed25c366

    • SHA512

      6cb731f4f822de8a27738c1613e3633cc5c090f801dfb696f1c0eea6d389836be99c591e30886cceb895cf538b908ffa958c3ecebe7990032a9b265ed0b55274

    • SSDEEP

      49152:kbjaWSNgrJ33PjAgEhI5rxK0uEuiY0YtZMK23Y:f

    Score
    10/10
    bumblebee2510evasiontrojan

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

      trojanbumblebee

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral5behavioral6

MITRE ATT&CK Enterprise v6

Tasks