General

  • Target: 04621ea2f8b1a93081659767f57cf14e86483eedc34f1a140387663dd50aeccf.zip
  • Size: 1.5MB
  • Sample: 241129-p973xs1pan
  • MD5: 66c4a15285c8c569c25cd66ac1631076
  • SHA1: 4b69b6dbe587d6d91320d7844cd85d54a8fdc118
  • SHA256: e7b4f762acf0e397919f1e1dfd96322efff2f5e97e79b7cd5456bf63808c2e53
  • SHA512: 31501af4c92e6fa3980d53c8df04328d925548d1b71972e8507328adeeb08754193288587f425e8d45fd5b47ea7362d0d739f7d76bdb35bb23190e49f6d2c10f
  • SSDEEP: 24576:NcBA5eojmieFxFl8df9GpCKgVdohnzhrDILElcGRF60P/oXfD1cU2S:NcB2/beDFlo9GpCKgVd0lIO5A0P/oXfT

Malware Config

Extracted

  • Family: bumblebee
  • Botnet: 0310
  • C2:
    146.59.117.200:443
    192.255.188.11:443
    149.3.170.62:443
  • rc4.plain
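The "rc4.plain" field means the sandbox recovered the configuration by RC4-decrypting it with a key stored in the clear in the sample; the key value itself is not shown on this page. The following is an added example of that recovery step, written here as illustration and not taken from the sandbox vendor or from the sample. PLACEHOLDER_KEY stands in for the real key, and the blob layout (a NUL-terminated botnet id followed by a comma-separated "ip:port" C2 list) is an assumption for the demo, not Bumblebee's actual binary layout. The strict IPv4:port validation is there because a wrong key decrypts to noise, and rejecting noise is the cheapest way to notice that.

```python
"""Added example (not the sandbox's or the sample's code): RC4 config recovery.

ASSUMPTIONS: PLACEHOLDER_KEY is not the sample's real key (not on the page), and
the blob layout below (botnet id, NUL, "ip:port,ip:port", NUL) is invented for
illustration. Only the field names and values mirror the report.
"""
import ipaddress


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_c2_list(raw: str) -> list[tuple[str, int]]:
    """Split "ip:port,ip:port" and keep only entries that are a real IPv4 and port.

    Decrypting with the wrong key yields garbage; strict validation therefore
    doubles as a sanity check that the key was right.
    """
    c2 = []
    for entry in raw.split(","):
        host, sep, port = entry.strip().rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            continue
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            continue
        c2.append((host, int(port)))
    return c2


def extract_config(key: bytes, blob: bytes) -> dict:
    """Decrypt the (assumed) layout and return fields named as in the report."""
    plain = rc4(key, blob)
    botnet, _, rest = plain.partition(b"\x00")
    return {
        "family": "bumblebee",
        "botnet": botnet.decode("ascii", "replace"),
        "c2": parse_c2_list(rest.rstrip(b"\x00").decode("ascii", "replace")),
        "rc4.plain": key.decode("ascii", "replace"),
    }


# Constructed test data: the report's botnet id and C2 list, encrypted under a
# placeholder key so the script runs offline (assumption: not the real key).
PLACEHOLDER_KEY = b"placeholder-key"
CONSTRUCTED_BLOB = rc4(
    PLACEHOLDER_KEY,
    b"0310\x00146.59.117.200:443,192.255.188.11:443,149.3.170.62:443\x00",
)

if __name__ == "__main__":
    for field, value in extract_config(PLACEHOLDER_KEY, CONSTRUCTED_BLOB).items():
        print(f"{field}: {value}")
    # A wrong key decrypts to noise and the validator drops every C2 entry.
    print("wrong key ->", extract_config(b"wrong", CONSTRUCTED_BLOB)["c2"])
```

On a real sample the key and blob would be read out of the binary's data section; the rest of the pipeline (RC4, split, validate) is what stays the same.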

Targets

    • Target: NDA.lnk
    • Size: 1KB
    • MD5: 170c160e42b966a5dc3fcc2862f1d1ff
    • SHA1: 91999b5272786b7a5bd88367de6df86cc38d40d5
    • SHA256: 7f84ee428f5e21ed476eaf218a7ea7ce67ea3985bf4b04a8b2dbd8ce9cbb8d8d
    • SHA512: eff6b8a4db6d97f84aeced9a1a29e79d9432ffb6e0523fe9566c074710986ddd710793254c8eb9973bf2dc08299cea508bf526aec403c6bb18a083c51a3633a2
    • BumbleBee: BumbleBee is a malware loader written in C++.
    • Bumblebee family
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry: BIOS information is often read to detect sandbox environments.
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Identifies Wine through registry keys: Wine is a compatibility layer that runs Windows applications and can be used as a sandbox environment.
    • Loads dropped DLL
    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target: creator.dll
    • Size: 2.8MB
    • MD5: f7e264d654ad023794222f1e2fa866e6
    • SHA1: 0f5a405879ce713986b4940a51158bd2ee99e750
    • SHA256: 177a9689065b14408eb7af71432ec9a621d56fba5182cd74f3690e989a95d023
    • SHA512: 82bd12740934ff7608419770fd205f0ddd57bd418ecee827834866414cda9265e9600ad7931097942838df4dddcc751c0e31b1e5736c4e3f52e054c5e7bf2f6b
    • SSDEEP: 49152:kGUV3vj01GJoAgFGeKAtvS7bhPa5bM01n4HR9slof2uzfl2UPOrjs8qcBYeknSzL:kl00JRgFGY+pa5Abx0

    Score: 1/10
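The anti-VM, geofence and anti-debug signatures listed for NDA.lnk above are all derived from a handful of registry paths and one thread-creation flag. As an added example (my own code, not the sandbox vendor's rule definitions, which are not on this page), the block below re-implements those signatures as detection logic over a constructed trace of registry and syscall events, the kind a sandbox or Sysmon would record. The registry paths are the well-known VirtualBox service, ACPI table, Guest Additions, BIOS, Geo\Nation and Wine locations; the mapping from path to signature name is my assumption. THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4) is the NtCreateThreadEx flag the last signature refers to.

```python
"""Added example (not vendor code): the report's registry/API signatures as a detector.

ASSUMPTIONS: the trace format "pid|operation|argument" and the sample events are
constructed here; the path-to-signature mapping is my own reading of the
signature names, not the sandbox's actual rules.
"""
import re

THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x00000004  # NtCreateThreadEx CreateFlags bit

# Signature name (as the report prints it) -> regexes over the registry path.
REGISTRY_SIGNATURES = {
    "Enumerates VirtualBox registry keys": [
        r"\\Services\\VBox(Guest|Mouse|Service|SF|Video)\b",
    ],
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)": [
        r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    ],
    "Looks for VirtualBox Guest Additions in registry": [
        r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    ],
    "Checks BIOS information in registry": [
        r"\\HARDWARE\\DESCRIPTION\\System\\(BIOS(\\|$)|SystemBiosVersion|VideoBiosVersion)",
    ],
    "Checks computer location settings": [
        r"\\Control Panel\\International\\Geo\\Nation",
    ],
    "Identifies Wine through registry keys": [
        r"\\Software\\Wine\b",
    ],
}
_COMPILED = {
    name: [re.compile(p, re.IGNORECASE) for p in pats]
    for name, pats in REGISTRY_SIGNATURES.items()
}


def detect(trace: str) -> dict[int, list[str]]:
    """Return {pid: sorted signature names} for every process seen in the trace."""
    hits: dict[int, set[str]] = {}
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid_s, op, arg = line.split("|", 2)
        found = hits.setdefault(int(pid_s), set())
        if op.startswith("Reg"):                      # RegOpenKey / RegQueryValue / ...
            for name, pats in _COMPILED.items():
                if any(p.search(arg) for p in pats):
                    found.add(name)
        elif op == "NtCreateThreadEx":
            m = re.search(r"CreateFlags=(0x[0-9a-fA-F]+|\d+)", arg)
            if m and int(m.group(1), 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
                found.add("Suspicious use of NtCreateThreadExHideFromDebugger")
    return {pid: sorted(names) for pid, names in hits.items()}


# Constructed trace: pid 1234 behaves like the sample's signatures describe,
# pid 5678 is a benign process touching an unrelated key.
SAMPLE_TRACE = r"""
1234|RegOpenKey|HKLM\HARDWARE\ACPI\DSDT\VBOX__
1234|RegQueryValue|HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
1234|RegOpenKey|HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
1234|RegOpenKey|HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest
1234|RegQueryValue|HKCU\Control Panel\International\Geo\Nation
1234|RegOpenKey|HKCU\Software\Wine
1234|NtCreateThreadEx|CreateFlags=0x4
5678|RegOpenKey|HKCU\Software\Microsoft\Windows\CurrentVersion\Run
5678|NtCreateThreadEx|CreateFlags=0x0
"""

if __name__ == "__main__":
    for pid, names in detect(SAMPLE_TRACE).items():
        print(pid, names or ["(no signatures)"])
```

Any single hit here is weak evidence on its own (legitimate software reads the BIOS keys too); what made the sandbox verdict is the cluster of VirtualBox, Wine, BIOS and geofence lookups from one process, followed by a thread created with the hide-from-debugger flag, which is why the detector keeps results per pid rather than per event.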

MITRE ATT&CK Enterprise v15
