MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0659390fe57012c9d29bacb0e85b61f7de968a6008f91d9c729e18c784b2cca1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0659390fe57012c9d29bacb0e85b61f7de968a6008f91d9c729e18c784b2cca1
SHA3-384 hash: 0cfe4ce3095527bc6853738e975330ab38e56feae36890d12b3a329e356cf31977740ab8825c3401bdf5a05dd5ca77bf
SHA1 hash: 275b62e912a00ba3de3e6b336e0e1b9a893d69f8
MD5 hash: d912338e3c59b18464610cc56e1f653f
humanhash: coffee-kentucky-spring-item
File name:vil.dll
Download: download sample
Signature BumbleBee
Create hunting rule
File size:2'188'288 bytes
First seen:2022-04-12 18:16:16 UTC
Last seen:2022-04-12 18:37:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7203ec25856268deba275d3c50808a4c (1 x BumbleBee)
ssdeep 49152:tbhl087l5fJeS/DrSoUtP9qqyD8e3+DSP9yJoZ:tLTfJtylPyD8e5MJoZ
Threatray 2'061 similar samples on MalwareBazaar
TLSH T1E5A52383F2BE8EC7C193B4BE2112C112E9C63C5E0A35A73763468C1EA79592518F977D
Reporter Rony
Tags:BUMBLEBEE dll exe X64


Avatar
r0ny_123
https://threatfox.abuse.ch/browse/malware/win.bumblebee

Intelligence

File Origin
# of uploads :
2
# of downloads :
384
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
docs_pdf_43.iso
Verdict:
Suspicious activity
Analysis date:
2022-04-11 19:10:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/724cb0ec-c307-4fab-a6be-e26f92f1bf92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263208/
Detection(s):
SecuriteInfo.com.Variant.Lazy.161788.19902.17140.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13664/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6255c221eab80a7a6c02a82d/reports/f58bc8da-62d9-48aa-bf97-25128b9ba70f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/432e3ec3-f4e3-40d0-9dfd-e7808aa11c70
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975681
Signature
Changes memory attributes in foreign processes to executable or writable
Contain functionality to detect virtual machines
Creates processes via WMI
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 608166 Sample: vil.dll Startdate: 12/04/2022 Architecture: WINDOWS Score: 100 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected BumbleBee 2->29 31 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->31 33 Sigma detected: Suspicious Call by Ordinal 2->33 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 2 other processes 8->17 signatures5 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->43 45 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 10->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->47 51 3 other signatures 10->51 19 rundll32.exe 13->19         started        49 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->49 process6 dnsIp7 25 142.91.3.109, 443, 49724, 49725 LEASEWEB-USA-LAX-11US United States 19->25 35 System process connects to network (likely due to code injection or exploit) 19->35 37 Changes memory attributes in foreign processes to executable or writable 19->37 39 Writes to foreign memory regions 19->39 41 2 other signatures 19->41 23 wab.exe 19->23         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0659390fe57012c9d29bacb0e85b61f7de968a6008f91d9c729e18c784b2cca1/
Threat name:
Win64.Trojan.Bumbleloader
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 06:11:14 UTC
File Type:
PE+ (Dll)
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azmtsd7foajmtuu3vsyoqw3b67pjnctabd4r3hdstymmpbfszsqq._file
Verdict:
malicious
Similar samples:
5be0c2df3f2dbca7bfbe77a8eb96abc472bfc6a566aa26cccd8e9937f446dad3
BumbleBee
60ffd58d499a7b7325e63596fc8f14b570f60112bff2e8c69632002ea0cff7ef
BumbleBee
6168d9f1cb0bc329fe76a0ebb8a782617de9bb0da2372e1f2728db856daf5007
BumbleBee
88851c425fbc7879abe5838f3e072d18e350b21ca9fe367e6d9fb7bd27585753
BumbleBee
9fd92b2633147d58a5d4a28d1f5f66a11873c4185c44429295cda9956defa6d4
BumbleBee
e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0
BumbleBee
f98898df74fb2b2fad3a2ea2907086397b36ae496ef3f4454bf6b7125fc103b8
BumbleBee
+ 2'051 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/220412-ww1v1segbm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Checks BIOS information in registry
Identifies Wine through registry keys
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
0659390fe57012c9d29bacb0e85b61f7de968a6008f91d9c729e18c784b2cca1
MD5 hash:
d912338e3c59b18464610cc56e1f653f
SHA1 hash:
275b62e912a00ba3de3e6b336e0e1b9a893d69f8
Link:
https://www.unpac.me/results/182deab0-be44-4738-afd6-3aa161557d20/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263208/

Comments