General

  • Target

    91d29cfe549d8c7ade35f681ea60ce73a48e00c2f6d55a608f86b6f17f494d0d.zip

  • Size

    890KB

  • Sample

    230306-gk1zbaad5w

  • MD5

    611591e83d7cf5229c324b93393db49a

  • SHA1

    1827f19859af0586ac16e44f6942e86b58ba12d7

  • SHA256

    9086c173ad998545a39547935579ab6ee7a8db5e13d04643a8ca558fd67805dc

  • SHA512

    4e3fffaacb5612ca58f339fd818aa79cf4d18094405caf210ddbf4443e97b221e3ba8de68448cc72c33315768d7a9c25346c40113573504d615a4847f695fc0a

  • SSDEEP

    24576:Gsi/k6u08c2BN9Wg9sScExi+AWjTtCbjGxX0IH:8fUZ9sS9xipWVUjGt06

Malware Config

Extracted

  • Family

    bumblebee

  • rc4.plain

Extracted

  • Family

    bumblebee

  • Botnet

    1508

  • C2

    172.93.201.138:443

    116.142.140.251:443

  • rc4.plain

Targets

    • Target

      Quote.lnk

    • Size

      1KB

    • MD5

      4166dc23c9ffb1fe465288801da97ca9

    • SHA1

      0e7319378d7cb33f123cd804630c7644384e8931

    • SHA256

      940182dd2eaf42327457d249f781274b07e7978b62dca0ae4077b438a8e13937

    • SHA512

      60d65cd412938bb55cd268ac81ba05e90790a12755b1d2bcdc351339dac88339b6851e1272716cb3dc3652900226b098b2c3b9b137bcc820510b65f36cb03aff

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      quotefile.ps1

    • Size

      1.9MB

    • MD5

      739eaf406607fa3efddb9c6c97cdba76

    • SHA1

      bdb0575775a3447391b9d719e6d69c0e44549fd2

    • SHA256

      d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20

    • SHA512

      80ccebc7f4ff3597031899973817acdb4c1638788aa37b536fcafb6cd03b2f6113d40527b2e7a7f49d4794f021c815f8dc85ac4fd372d40cde59da6db2769384

    • SSDEEP

      24576:AzrIw+80AssR3D6UN6hzwbSVsi5MW94d5upIAMoIKAdqQb16:AwwahXsvWK1dj6

    • BumbleBee

      BumbleBee is a webshell malware written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks