MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 281e07af77e1ff21140a7102c3cf8802dff96e670c8c3c73b8250d487a5196ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 10

Intelligence 10 IOCs YARA 44 File information Comments

SHA256 hash:	281e07af77e1ff21140a7102c3cf8802dff96e670c8c3c73b8250d487a5196ed
SHA3-384 hash:	e4c81699fee2f41e4999a38193d7700a9b92f4a65a88b5c85a462cce814f92b5b2af83b826d2faa84ff173e65d35ddc3
SHA1 hash:	516ebe3a16f9b9ddbbd1f6306ecefacc0d6ba488
MD5 hash:	6206e94aea5da8aac4508dcf83118f32
humanhash:	summer-venus-timing-mexico
File name:	281e07af77e1ff21140a7102c3cf8802dff96e670c8c3c73b8250d487a5196ed
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	3'866'624 bytes
First seen:	2025-05-08 13:29:52 UTC
Last seen:	2025-05-08 17:51:52 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	98304:cU8uEL5s14GrPV1g3tQsulgknQUdXehXkbeOr/8tl8:cU8w391Ie/lgkQHcY8
Threatray	28 similar samples on MalwareBazaar
TLSH	T111063347F1C8DE33DA5B983787829900427CEC14D6779A87946772CC2C387B639EA6E1
TrID	88.4% (.MST) Windows SDK Setup Transform script (61000/1/5) 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	JAMESWT_WT
Tags:	BUMBLEBEE CanDllerWhale-Electronic-Studios-Technology-Co-Ltd msi signed

Code Signing Certificate

Organisation:	CanDllerWhale Electronic Studios Technology Co., Ltd.
Issuer:	GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-03-27T07:28:02Z
Valid to:	2026-03-28T07:28:02Z
Serial number:	669f5c8918d3b19e81282765
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	41cf587437de12852d4369409996b57eeaab72ce5d7e0f9cff9bfe0e75b5b0c3
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W64.Kryptik.FBY.tr.14918.27667.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681cb29e91991ead82b63699

Tags:

shellcode backdoor virus

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

installer invalid-signature signed

Link:

https://www.filescan.io/uploads/681cb1e8bab2591d0654ea34/reports/63bc3ead-c5d5-4f65-b1ce-753c61fb25b8/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/281e07af77e1ff21140a7102c3cf8802dff96e670c8c3c73b8250d487a5196ed

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/281e07af77e1ff21140a7102c3cf8802dff96e670c8c3c73b8250d487a5196ed

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1684423

Signature

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to prevent local Windows debugging

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Found WinMTR tool (often used for host & network discovery)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ipconfig to lookup or modify the Windows network settings

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/281e07af77e1ff21140a7102c3cf8802dff96e670c8c3c73b8250d487a5196ed/

Threat name:

Win64.Trojan.Bumbleloader

Status:

Suspicious

First seen:

2025-05-08 06:22:55 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 37 (37.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fapapl3x4h7scfakoebmht4ialp7s3thbsgdy45yeuguq6srs3wq._file

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee botnet:err111 defense_evasion loader persistence privilege_escalation

Link:

https://tria.ge/reports/250508-qrwgvatqs5/

Behaviour

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Event Triggered Execution: Installer Packages

Checks for VirtualBox DLLs, possible anti-VM trick

Checks system information in the registry

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Enumerates connected drives

Looks up external IP address via web service

Checks BIOS information in registry

Identifies Wine through registry keys

Looks for VMWare Tools registry key

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Bumblebee family

Verdict:

Malicious

Tags:

external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/8aa478b8-aa96-43f8-bdfd-7f3d069b5da8

Malware family:

BumbleBee

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/281e07af77e1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/281e07af77e1ff21140a7102c3cf8802dff96e670c8c3c73b8250d487a5196ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BumbleBee2024 Create hunting rule
Author:	enzok
Description:	BumbleBee 2024

Rule name:	Bumblebee_mem Create hunting rule
Author:	James_inthe_box
Description:	Bumblebee loader
Reference:	7a2ac6664ef13971ce464676012092befde8f14b0013b2f0f3e21c9051cb45a0

Rule name:	bumblebee_v2 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	BumbleBee Payload v2

Rule name:	Check_Qemu_Description Create hunting rule

Rule name:	Check_Qemu_DeviceMap Create hunting rule

Rule name:	Check_VBox_Description Create hunting rule

Rule name:	Check_VBox_DeviceMap Create hunting rule

Rule name:	Check_VBox_Guest_Additions Create hunting rule

Rule name:	Check_VBox_VideoDrivers Create hunting rule

Rule name:	Check_VmTools Create hunting rule

Rule name:	Check_VMWare_DeviceMap Create hunting rule

Rule name:	Check_Wine Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing virtualization MAC addresses

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing combination of virtualization drivers

Rule name:	kleptoparasite Create hunting rule
Author:	jarcher

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_Bumblebee_35f50bea Create hunting rule
Author:	Elastic Security

Rule name:	win_bumblebee Create hunting rule

Rule name:	win_bumblebee_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.bumblebee.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample