bumblebee

General

Target

0ef183757b866da6fb4f743d84db9b4c83b18a12fac3bca9ff2a8367edbf7fe7
Size

1.2MB
Sample

250311-yjkpdasns8
MD5

f3a7823ff8a7ba474309b7df86e878e0
SHA1

186fdb86f86c003816af88cfc5fa2f05db62e7e6
SHA256

0ef183757b866da6fb4f743d84db9b4c83b18a12fac3bca9ff2a8367edbf7fe7
SHA512

8719e878358bc49b41fa9a975145cea234eb0e328873ff1fd2bd8c0871f32c051ae30b4271af1eb0e1469f17d5cac9a66212876ed76079034e656e3a10518897
SSDEEP

24576:rdJ8126w6qin6t4WbGr69UH1RHL0j+OQ/2rHiMoPj+Dr2gUfv7Q5BhRR3vrB+ncu:r426w6qi6OWKrsw1JL0jI/2rHiMor+DG

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

1306r

C2

185.62.57.182:443

185.250.148.136:443

158.69.98.105:443

193.233.203.156:443

145.239.135.155:443

146.70.125.82:443

146.70.104.250:443

103.175.16.108:443

185.62.58.133:443

194.135.33.148:443

194.135.33.149:443

154.56.0.241:443

23.254.201.97:443

45.147.229.101:443

185.62.58.169:443

192.236.249.68:443

193.239.84.254:443

37.120.198.248:443

146.19.173.139:443

rc4.plain

Targets

- Target
  
  0ef183757b866da6fb4f743d84db9b4c83b18a12fac3bca9ff2a8367edbf7fe7
- Size
  
  1.2MB
- MD5
  
  f3a7823ff8a7ba474309b7df86e878e0
- SHA1
  
  186fdb86f86c003816af88cfc5fa2f05db62e7e6
- SHA256
  
  0ef183757b866da6fb4f743d84db9b4c83b18a12fac3bca9ff2a8367edbf7fe7
- SHA512
  
  8719e878358bc49b41fa9a975145cea234eb0e328873ff1fd2bd8c0871f32c051ae30b4271af1eb0e1469f17d5cac9a66212876ed76079034e656e3a10518897
- SSDEEP
  
  24576:rdJ8126w6qin6t4WbGr69UH1RHL0j+OQ/2rHiMoPj+Dr2gUfv7Q5BhRR3vrB+ncu:r426w6qi6OWKrsw1JL0jI/2rHiMor+DG
Score

10^/10

bumblebee 1306r defense_evasion loader
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- Bumblebee family
  bumblebee
- Enumerates VirtualBox registry keys
  defense_evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

5

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Bumblebee family

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Blocklisted process makes network request

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2