MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31b72e1c246b4f38e70f9c8c556a626b15736589860f3231001bb4ebae749239. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 8

SHA256 hash: 31b72e1c246b4f38e70f9c8c556a626b15736589860f3231001bb4ebae749239
SHA3-384 hash: 793afaad8c10041ec5cdb6ee67a377a310dba811ace71ee8160598af1179095bc8ac4fb80bcf805ea79e56ba09869286
SHA1 hash: ed61db573ef82b42d519aefff15ee157054ed158
MD5 hash: 2df80283a8c95b24b9c057bc8274c14b
humanhash: mirror-solar-ack-double
File name: DeepSeekSetup.msi
Signature: BumbleBee
File size: 8'615'424 bytes
First seen: 2025-02-04 13:13:17 UTC
Last seen: 2025-02-04 13:13:30 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 196608:qYArVsCUdqt33xvKkkar0JxzvoMjsLrYu7KDxn:qYgVsCb3VbozvmYsKV
TLSH T1EA96F12276CBC036E56D0172A63EEE7B903DBE230B7140D763D47D2E69748C26A35A17
TrID 64.8% (.MSI) Microsoft Windows Installer (454500/1/170)
16.1% (.MSM) Windows Installer Merge Module (113019/2/34)
8.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
6.3% (.MSP) Windows Installer Patch (44509/10/5)
2.7% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
Magika msi
Reporter JAMESWT_WT
Tags: 5-45-94-186 5-61-50-177 5-61-58-167 botnet-9090 BUMBLEBEE msi

Intelligence


File Origin
# of uploads: 2
# of downloads: 89
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.1%
Tags: shellcode dropper virus
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-vm cmd fingerprint lolbin msiexec obfuscated remote runonce wix
Result
Verdict: MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: suspicious
Classification: n/a
Score: 36 / 100
Signature
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops large PE files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph: [interactive graph not reproduced] Behavior Graph ID: 1606487, Sample: DeepSeekSetup.msi, Startdate: 04/02/2025, Architecture: WINDOWS, Score: 36
Threat name: Win32.Trojan.Bumbleloader
Status: Malicious
First seen: 2025-02-03 15:56:09 UTC
File Type: Binary (Archive)
Extracted files: 48
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: defense_evasion discovery persistence privilege_escalation trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks whether UAC is enabled
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Verdict: Informative
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_LATAM_MSI_Banker
Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: Suspicious_Latam_MSI_and_ZIP_Files
Author: eremit4, P4nd3m1cb0y
Description: Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments