bumblebee

General

Target

c3148c6c4b0ecce9c7d07ba57dea96e35acf5f2ef47396c48339bb9a3a07e390
Size

4.8MB
Sample

240410-rb33esac49
MD5

b64a0fbbfad013c85d14579b3fe091a8
SHA1

759034746e83882b614b7d47934db30fae9d6d96
SHA256

c3148c6c4b0ecce9c7d07ba57dea96e35acf5f2ef47396c48339bb9a3a07e390
SHA512

29fe507ca0ee44d5003a82b7ba04d2b0616a1552e0fe2631cc840bd9bacb106dd2ff7c07ba3e467cd10768fbf4390cd320a9964a9e9ba4bd100eec9f85766672
SSDEEP

49152:+wJ6bUFSuLjWTrbfQlrd088iG1oO9BDA80xZ8MT+:+wCPc088iG1oO9BDA80xZ8MT+

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

2104r

C2

28.11.143.222:443

71.1.188.122:443

49.12.241.35:443

89.222.221.14:443

185.33.87.53:443

108.62.118.56:443

rc4.plain

Targets

- Target
  
  documents.lnk
- Size
  
  1KB
- MD5
  
  189af415c774eff91c5368360a5d9119
- SHA1
  
  08834c5f7e31c2fb16ef5debe68bfc5e28f30ae5
- SHA256
  
  ddacc92ca1120b76f8adae0480761b41e24361ac1667b13a7342e665189d627b
- SHA512
  
  1238e91256f7818bc014469e72292a59703479ba9600b943e02044653497a5691f37204538c9c10d46e9ce0b1776b813acc8fe68448898d9d8870d36ad7b268c
Score

10^/10

bumblebee 2104r evasion loader
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  hqwco.dll
- Size
  
  3.7MB
- MD5
  
  4820f3c0c2b85d9e8ebb121fd35cb3bc
- SHA1
  
  e645cb78d7e100c4a3f13eb5f88e09cd31377b26
- SHA256
  
  3463f026ce1c325931e285b587b82f7f690db2e75929c7edd154df1e14f38c93
- SHA512
  
  35f8b12982b229be8a96aa867050c0ecb1807e58cbf6acef0d214cf049f933e8e240a4d1022429d6a99a0315b4af47af37c01b1decb28a7b5fe621354673d7f2
- SSDEEP
  
  49152:VwJ6bUFSuLjWTrbfQlrd088iG1oO9BDA80xZ8MT+:VwCPc088iG1oO9BDA80xZ8MT+
Score

10^/10

bumblebee 2104r evasion loader
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Blocklisted process makes network request

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Blocklisted process makes network request

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4