MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 132c6ff567a9f519d80e17e018bf56c21585e12265099e70413008dc7dd15093. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	132c6ff567a9f519d80e17e018bf56c21585e12265099e70413008dc7dd15093
SHA3-384 hash:	9f844e8693d1a888e87002a72968a52a438fb4e84a8e0cd3caa5e82c2b41d2a7d101d236f53e600f514e7a8408791b79
SHA1 hash:	66b9d83bcf88728bf3936647b9f948debc4c8543
MD5 hash:	b9b61da4d2c630f2d77d656415ed15d3
humanhash:	may-batman-speaker-skylark
File name:	regina.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	2'904'576 bytes
First seen:	2022-05-06 04:08:10 UTC
Last seen:	2022-05-06 04:40:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	455fea1ee9cae7e2bc27ef637b3572a8 (1 x BumbleBee)
ssdeep	49152:/+Cqt+xaUdUpobuzNM0aGi69/GYdUl/tY7dcnCObEk4UN3P9hPkWzMOzcMatf9c:/+CqgxaUdUpobWM0JvYl4cnpbEk4wYc2
Threatray	2'153 similar samples on MalwareBazaar
TLSH	T124D501CBD94F86A4CCA529F10DAFB8C73474AA3195206D37B12D6648DE0067C6AD7F2C
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	phage_nz
Tags:	BUMBLEBEE exe

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

regina.dll

Verdict:

No threats detected

Analysis date:

2022-05-06 04:09:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/03254cf4-b88b-4390-92d1-b1f3b0d2d218

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/268970/

Detection(s):

SecuriteInfo.com.Variant.Lazy.178372.20156.300.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16463/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/62749f6ebd5c76586e151747/reports/e8205bfe-114c-482e-afd4-0c1ccf5f3d18/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/988852

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/132c6ff567a9f519d80e17e018bf56c21585e12265099e70413008dc7dd15093/

Threat name:

Win64.Trojan.Khalesi

Status:

Malicious

First seen:

2022-05-06 04:09:16 UTC

File Type:

PE+ (Dll)

AV detection:

5 of 42 (11.90%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmwg75lhvh2rtwaoc7qbrp2wyikylyjcmuez44cbgaeny7orkcjq._file

Verdict:

malicious

BumbleBee

5be0c2df3f2dbca7bfbe77a8eb96abc472bfc6a566aa26cccd8e9937f446dad3

BumbleBee

6168d9f1cb0bc329fe76a0ebb8a782617de9bb0da2372e1f2728db856daf5007

BumbleBee

7c4953b9bdb0f239ffa46c9104258eaba8a36b6156f3a9890e08d81bc2cacacc

BumbleBee

e1e1c27b8ee68f00ab3094b45a55f81c9e5a13f7adaded1119cb52301c468025

BumbleBee

+ 2'143 additional samples on MalwareBazaar

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee evasion trojan

Link:

https://tria.ge/reports/220506-eqrxgsbher/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Malware Config

C2 Extraction:

78.140.136.58:443
193.233.202.237:443
64.44.141.177:443

Unpacked files

SH256 hash:

132c6ff567a9f519d80e17e018bf56c21585e12265099e70413008dc7dd15093

MD5 hash:

b9b61da4d2c630f2d77d656415ed15d3

SHA1 hash:

66b9d83bcf88728bf3936647b9f948debc4c8543

Link:

https://www.unpac.me/results/c9975108-37a8-48df-a530-25f508dfd119/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/132c6ff567a9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/132c6ff567a9f519d80e17e018bf56c21585e12265099e70413008dc7dd15093

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win64_bumbleebee_loader_packed Create hunting rule
Author:	Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/268970/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample