bumblebee

General

Target

acb4007ac2eb34445394cbe66bd45782ff77119e05e5aa2b58567ef3a07b7755
Size

3.8MB
Sample

240923-vq7kyatgrj
MD5

bbe0958c3bea6bf0717eb82223188729
SHA1

7ee625bb04b387273e09627c9971327de246e3aa
SHA256

acb4007ac2eb34445394cbe66bd45782ff77119e05e5aa2b58567ef3a07b7755
SHA512

3db00952d531ec81e3ec345e444a4a08ff578fcc175ca4e091de83ce71da4777b9dea863f3700027dc93dc63a25f5473c0e98ef2cdf56d2d03543b56e86363e3
SSDEEP

98304:YJ6uGObJRXJ/ygZOrclKYuAqInRJQaimEEiuJO/aGpg:lUbJagZOrclbRqIRMRu0/aUg

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

2504r

C2

104.168.236.99:443

23.82.141.184:443

172.241.29.169:443

rc4.plain

Targets

- Target
  
  9hloq0.dll
- Size
  
  2.6MB
- MD5
  
  2719b9bc4e8a2f3f033b9ebf75ba05cb
- SHA1
  
  9bfdeae0f5dd641c5d9b945dc91e64321f21587b
- SHA256
  
  78beecc828a622f7cde900a68e5653438b60f9bdaf5d733996c499241c6d7130
- SHA512
  
  e137ed1116e571df3c3beaaf451f026e3d2b7669dd59f1ac2d15c3d6c2669404b6ab2651ce374704f29120ccddba040cce1067ae2ec350b907426b184885f871
- SSDEEP
  
  49152:7J6uk7ObJRXJ/tcgZOrclKg3uAqI6nwopOwmJQai7SfsEP5YnWPAIO/aGqvxK+nt:7J6uGObJRXJ/ygZOrclKYuAqInRJQaiS
Score

10^/10

bumblebee 2504r evasion loader
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  documents.lnk
- Size
  
  1KB
- MD5
  
  3cdae338d436fa208f373fe79abc6263
- SHA1
  
  1922c3c625c8d7bbc7c6e5cc0adcea69b7b14722
- SHA256
  
  d96eeee2860e53d004977c823980b5ecc619e4d875ea545723ff1d8e6c526e6c
- SHA512
  
  d951b3be527a0b4034fff01a6a75246c416660279163785e7b4d4462a6fbdf9177158862c7ad958e1861b0a9212265df081647b2ac4182b59fce8535ab3b28b2
Score

10^/10

bumblebee 2504r evasion loader
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Blocklisted process makes network request

Checks BIOS information in registry

Identifies Wine through registry keys

BumbleBee

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Blocklisted process makes network request

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4