MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d5c9b33ed298f5fb67ce869c74b2f2ec9179a924780da65fcbc1a0e0463c5d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	2d5c9b33ed298f5fb67ce869c74b2f2ec9179a924780da65fcbc1a0e0463c5d0
SHA3-384 hash:	2b4b9c8c3785162f6b6a906c902e83b5a58eb7c05aad740d49fcddee58690137158a45e13dc874d0f5ee63519bffd0b1
SHA1 hash:	81557fb9c53bae28c27ef6120c94c30012b408fa
MD5 hash:	deea9419fa5187f9f454609d4d173c19
humanhash:	sodium-single-pennsylvania-chicken
File name:	LoaderDLL.bin
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'504'256 bytes
First seen:	2023-03-04 09:09:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	83f847006bcd9e79aedb74fc499583c6 (1 x BumbleBee)
ssdeep	24576:GJAx41SXU4LG5Vlcz8PBhNbJgwm9CEl9DAvOBddLfl93pb3:g0bG5Vyz8B9gwm95AAdhfD3
Threatray	131 similar samples on MalwareBazaar
TLSH	T1C0656B19ABA880B5D077C138C5A3898BF7F274544F31ABDB1699561D2F33BE0563E322
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	0xToxin
Tags:	202lg BUMBLEBEE exe

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

LoaderDLL.bin

Verdict:

No threats detected

Analysis date:

2023-03-04 09:10:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/31dd26f6-82a6-44d8-b202-71b989d23575

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BumbleBee

Link:

https://www.capesandbox.com/analysis/371616/

Detection(s):

Win.Malware.Tedy-9952524-0

Result

Verdict:

Malware

Maliciousness:

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

anti-vm cmd.exe evasive fingerprint greyware schtasks.exe shell32.dll

Link:

https://www.filescan.io/uploads/64030aee37719e06f50dd254/reports/e6c141e9-d8aa-4503-8739-78bef8743662/overview

Verdict:

Malicious

Labled as:

DeepScan:Generic.Ursnif.3.1

Link:

https://www.hybrid-analysis.com/sample/2d5c9b33ed298f5fb67ce869c74b2f2ec9179a924780da65fcbc1a0e0463c5d0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ramnit

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b5c8df6e-55bd-4fde-b0a8-76372d20a326

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1187076

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sets debug register (to hijack the execution of another thread)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d5c9b33ed298f5fb67ce869c74b2f2ec9179a924780da65fcbc1a0e0463c5d0/

Threat name:

Win64.Trojan.BumbleBee

Status:

Malicious

First seen:

2023-03-04 09:11:01 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

22 of 39 (56.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fvojwm7nfghv7nt45bu4oszpf3erpgusi6anuzp4xqna4bddyxia._file

Verdict:

malicious

BumbleBee

083842534185758ad03c0a124d2a0a629225d97f3e3c4776c1ff727adeaae4c6

BumbleBee

193351df6e24e833b30dcfc1dc3be94882c33a79e5bf8a6d76f51256d4b090d5

BumbleBee

296e195f7896d20af579930d9bc481bc9d651e79480399c071531417bfede4a7

BumbleBee

3838e7c40562f66dd304227e311eeb51dd9c2981a4e5c54da4789e6fcbb06f5d

BumbleBee

7e481ee40af6227bc65f7334cffa28ef661ab49cb800ce383aed1cec82515ae5

BumbleBee

97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6

BumbleBee

c4aad61b17ef29e12e9ad04c985db3bc6b3fa3f79cfb472eb8e1d197bff4f606

BumbleBee

ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d

BumbleBee

e3b0a6b1e8aa4cc6407d49b2bc8607549fc5b25cd2b11fc66a41127266c3ca47

BumbleBee

+ 121 additional samples on MalwareBazaar

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee botnet:202lg trojan

Link:

https://tria.ge/reports/230304-k42azach21/

Behaviour

Suspicious use of NtCreateThreadExHideFromDebugger

BumbleBee

Malware Config

C2 Extraction:

104.168.157.253:443
209.141.40.19:443
107.189.5.17:443
23.254.167.63:443
91.206.178.234:443
146.19.173.86:443
103.175.16.104:443
194.135.33.85:443
173.234.155.246:443
51.68.144.43:443
172.86.120.111:443
160.20.147.242:443
51.75.62.204:443
205.185.113.34:443
194.135.33.184:443
23.82.140.155:443
185.173.34.35:443

Unpacked files

SH256 hash:

2d5c9b33ed298f5fb67ce869c74b2f2ec9179a924780da65fcbc1a0e0463c5d0

MD5 hash:

deea9419fa5187f9f454609d4d173c19

SHA1 hash:

81557fb9c53bae28c27ef6120c94c30012b408fa

Detections:

win_bumblebee_auto

win_bumblebee_a0

Link:

https://www.unpac.me/results/880d1124-1001-47cf-b8d6-094c1fadca34/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2d5c9b33ed298f5fb67ce869c74b2f2ec9179a924780da65fcbc1a0e0463c5d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Bumblebee_mem Create hunting rule
Author:	James_inthe_box
Description:	Bumblebee loader
Reference:	7a2ac6664ef13971ce464676012092befde8f14b0013b2f0f3e21c9051cb45a0

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing virtualization MAC addresses

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing combination of virtualization drivers

Rule name:	SUSP_OneNote Create hunting rule
Author:	spatronn
Description:	Hard-Detect One

Rule name:	Windows_Trojan_Bumblebee_35f50bea Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Bumblebee_70bed4f3 Create hunting rule
Author:	Elastic Security

Rule name:	win_bumblebee Create hunting rule

Rule name:	win_bumblebee_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.bumblebee.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/371616/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample