bumblebee | 8f47c3962a7c418bae71fec42bbca9524b72f8f0fd2dd81d1175138f7d20b2f7

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f47c3962a7c418bae71fec42bbca9524b72f8f0fd2dd81d1175138f7d20b2f7.dll
Size

2.7MB
MD5

8335ad591afdfdd65f90536b9ff15597
SHA1

bfc8b6501dfac4583979f12552535c2923b881bf
SHA256

8f47c3962a7c418bae71fec42bbca9524b72f8f0fd2dd81d1175138f7d20b2f7
SHA512

b438383f722afc65cf5dce113a405f4feec3f275f513f01a7f7a8f6150bbce78a669015b552ed3b7c798f7538444e1a6b751cc7e290445ef1404b9e34ff4a473
SSDEEP

49152:K1GTzcSFGB0tWWYLGPFn7aRmNkk/yCAgQ2MccAnpgSpWaI7+lNOl7AmWzOCI9e:K1G3lExTLGtomNkk/yCAgQ2MccAnpgSR

Score

10^/10

bumblebee all0604 evasion loader

Malware Config

Extracted

Family

bumblebee

Botnet

ALL0604

192.236.198.63:443

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	rundll32.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	rundll32.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	rundll32.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\SOFTWARE\Wine	rundll32.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f47c3962a7c418bae71fec42bbca9524b72f8f0fd2dd81d1175138f7d20b2f7.dll,#1
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-1-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/2976-0-0x0000000001D70000-0x0000000001FBB000-memory.dmp

Filesize
2.3MB

Download
memory/2976-3-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/2976-2-0x0000000001D70000-0x0000000001FBB000-memory.dmp

Filesize
2.3MB

Download
memory/2976-5-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/2976-4-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/2976-6-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download