MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8
SHA3-384 hash:	44dcbddb2510f278b7bde3ffbd846e46207388d53f9b98bd6892f6f517b1bacd50a6a6dabf74221627a2304b9f0c9248
SHA1 hash:	24614b49e47bbdc30263cc86cea8aceb2781f1ed
MD5 hash:	38ea4397f1c9dfe79e9accaebe7487ec
humanhash:	pip-harry-chicken-ink
File name:	oblot.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'390'592 bytes
First seen:	2022-05-09 23:30:18 UTC
Last seen:	2022-05-10 00:38:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	66356a654249c4824378b1a70e7cc1e5 (4 x BumbleBee)
ssdeep	24576:Qz868Rnacmr8Oojv03br/YXYugvutZooFS7i2xyyIRfbi8mskmWcJc3mm7tnAgHi:Y86twnv/Y
Threatray	2'165 similar samples on MalwareBazaar
TLSH	T196556DF85F99284CD83BD8199497BD7E9B8834535B1EAFD03717E8122276308A92D1CF
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	phage_nz
Tags:	BUMBLEBEE exe

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

oblot.dll

Verdict:

No threats detected

Analysis date:

2022-05-09 23:33:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0c0ea6a7-cea1-4f1b-b0e3-64a9ae44e3ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Artemis38EA4397F1C9.25284.27355.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16860/overview

Behaviour

MalwareBazaar

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6279a438bd5c76586e26ea4d/reports/c055c719-9d76-42e8-9a1f-316d8f965ce9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b0d993e8-afae-4265-a743-ad69cae84935

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/990593

Signature

Antivirus / Scanner detection for submitted sample

Contain functionality to detect virtual machines

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8/

Threat name:

Win64.Trojan.Khalesi

Status:

Malicious

First seen:

2022-05-09 23:31:08 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Verdict:

malicious

BumbleBee

0659390fe57012c9d29bacb0e85b61f7de968a6008f91d9c729e18c784b2cca1

BumbleBee

13aa6bed5b3a656b9c86cc2d397f765779f4a7dff49f73d58bd97e11423e0635

BumbleBee

2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291

BumbleBee

2457a1b0008c7059b5d58fffadad4e71f8332e9c09ac55f34b0a078363c29c87

BumbleBee

4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe

BumbleBee

596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199

BumbleBee

c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb

BumbleBee

d19fdf53603310203c8bc83e1d27e14b60cac0a65932fe3824dedca50ff5c0a9

BumbleBee

e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0

BumbleBee

+ 2'155 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion

Link:

https://tria.ge/reports/220509-3hpddshcel/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Unpacked files

SH256 hash:

281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8

MD5 hash:

38ea4397f1c9dfe79e9accaebe7487ec

SHA1 hash:

24614b49e47bbdc30263cc86cea8aceb2781f1ed

Link:

https://www.unpac.me/results/2169b59d-ddb8-4177-b27e-985756a09689/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.