General

  • Target

    c3148c6c4b0ecce9c7d07ba57dea96e35acf5f2ef47396c48339bb9a3a07e390

  • Size

    4.8MB

  • Sample

    240410-rb33esac49

  • MD5

    b64a0fbbfad013c85d14579b3fe091a8

  • SHA1

    759034746e83882b614b7d47934db30fae9d6d96

  • SHA256

    c3148c6c4b0ecce9c7d07ba57dea96e35acf5f2ef47396c48339bb9a3a07e390

  • SHA512

    29fe507ca0ee44d5003a82b7ba04d2b0616a1552e0fe2631cc840bd9bacb106dd2ff7c07ba3e467cd10768fbf4390cd320a9964a9e9ba4bd100eec9f85766672

  • SSDEEP

    49152:+wJ6bUFSuLjWTrbfQlrd088iG1oO9BDA80xZ8MT+:+wCPc088iG1oO9BDA80xZ8MT+

Malware Config

Extracted

  • Family

    bumblebee

  • Botnet

    2104r

  • C2

    28.11.143.222:443

    71.1.188.122:443

    49.12.241.35:443

    89.222.221.14:443

    185.33.87.53:443

    108.62.118.56:443

rc4.plain

Targets

    • Target

      documents.lnk

    • Size

      1KB

    • MD5

      189af415c774eff91c5368360a5d9119

    • SHA1

      08834c5f7e31c2fb16ef5debe68bfc5e28f30ae5

    • SHA256

      ddacc92ca1120b76f8adae0480761b41e24361ac1667b13a7342e665189d627b

    • SHA512

      1238e91256f7818bc014469e72292a59703479ba9600b943e02044653497a5691f37204538c9c10d46e9ce0b1776b813acc8fe68448898d9d8870d36ad7b268c

    • BumbleBee

      BumbleBee is a malware loader written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      hqwco.dll

    • Size

      3.7MB

    • MD5

      4820f3c0c2b85d9e8ebb121fd35cb3bc

    • SHA1

      e645cb78d7e100c4a3f13eb5f88e09cd31377b26

    • SHA256

      3463f026ce1c325931e285b587b82f7f690db2e75929c7edd154df1e14f38c93

    • SHA512

      35f8b12982b229be8a96aa867050c0ecb1807e58cbf6acef0d214cf049f933e8e240a4d1022429d6a99a0315b4af47af37c01b1decb28a7b5fe621354673d7f2

    • SSDEEP

      49152:VwJ6bUFSuLjWTrbfQlrd088iG1oO9BDA80xZ8MT+:VwCPc088iG1oO9BDA80xZ8MT+

    • BumbleBee

      BumbleBee is a malware loader written in C++.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497)

    8

Discovery

  • Query Registry (T1012)

    11

  • Virtualization/Sandbox Evasion (T1497)

    8

  • System Information Discovery (T1082)

    6

Tasks