bumblebee | 49d75cf572dab6bd113256b22298d0ca908d5324d6f7906395ffaa596b4b4ed4

Analysis

max time kernel
130s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2022 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.dll
Size

1.4MB
MD5

064cd8a6423bbbf29c3dcfd9776ad824
SHA1

37725d7a9013c7d8febcc23e1da27131491cc033
SHA256

49d75cf572dab6bd113256b22298d0ca908d5324d6f7906395ffaa596b4b4ed4
SHA512

073be275fa19811e2d62bcce332176be30053dfac6dafc9008668f0220261891f34298f966379af17158e9df26b12bfdb3ab0de9f6fc2019ff649b77d75e12c3
SSDEEP

24576:/nFeaeHGgwm2TYJMPS1uXmP80EOYArV7SHvtDTbFJD1c+55D+R6Mm955wo:/nFea9q2TYJMq12rOYArV7SHn11c40

Score

10^/10

bumblebee 9rr evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

9rr

103.175.16.107:443

194.135.33.149:443

154.56.0.241:443

23.254.201.97:443

45.147.229.101:443

185.62.58.169:443

192.236.249.68:443

193.239.84.254:443

37.120.198.248:443

146.19.173.139:443

46.21.153.145:443

149.255.35.134:443

45.147.229.50:443

212.114.52.46:443

103.175.16.122:443

146.19.253.49:443

68.233.238.105:443

64.44.135.250:443

103.175.16.121:443

64.44.102.6:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	rundll32.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	rundll32.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	rundll32.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Wine	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	1296	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	powershell.exe
4772	powershell.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 3104	4772	powershell.exe	99
PID 4772 wrote to memory of 3104	4772	powershell.exe	99
PID 4772 wrote to memory of 384	4772	powershell.exe	101
PID 4772 wrote to memory of 384	4772	powershell.exe	101

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.dll,#1
1⤵
PID:4708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1296 -ip 1296
1⤵
PID:2276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1296 -s 1764
1⤵
- Program crash
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" .\test.dll,ajwGwRKhLi
  2⤵
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" .\test.dll,ajwGwRKhLi
  2⤵
  PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3104-139-0x000002429F460000-0x000002429F577000-memory.dmp

Filesize
1.1MB

Download
memory/3104-140-0x00007FFCB9420000-0x00007FFCB9430000-memory.dmp

Filesize
64KB

Download
memory/4772-132-0x00000177036A0000-0x00000177036C2000-memory.dmp

Filesize
136KB

Download
memory/4772-133-0x000001771D280000-0x000001771D2C4000-memory.dmp

Filesize
272KB

Download
memory/4772-134-0x000001771D350000-0x000001771D3C6000-memory.dmp

Filesize
472KB

Download
memory/4772-135-0x00007FFC97860000-0x00007FFC98321000-memory.dmp

Filesize
10.8MB

Download
memory/4772-136-0x00007FFC97860000-0x00007FFC98321000-memory.dmp

Filesize
10.8MB

Download
memory/4772-137-0x000001771D2D0000-0x000001771D2EE000-memory.dmp

Filesize
120KB

Download
memory/4772-142-0x00007FFC97860000-0x00007FFC98321000-memory.dmp

Filesize
10.8MB

Download