MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32
SHA3-384 hash: 80978f75640c3d907243ac03bcbc73995dd664e9d030d4e98f5a2dc52540567327343a708a0027641d738c3adaab859e
SHA1 hash: 0e6abeb79a84fc3e7683c5439607c8a17ef6ae77
MD5 hash: 28c0caed1c9c242f60c8e0884ccbf976
humanhash: april-delaware-oranges-massachusetts
File name:31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32
Download: download sample
Signature BumbleBee
Create hunting rule
File size:3'891'200 bytes
First seen:2025-05-20 09:00:24 UTC
Last seen:2025-05-20 15:01:23 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:uU8uEL5HQ++zzvBXzSnmw5KxYXyuDB7KR5:uU87Qt1iCOBA5
Threatray 40 similar samples on MalwareBazaar
TLSH T13706338236458F03D5D7A53B02E56DCA4A2EFC20EF6F910A12A67F4D07317472BB86D9
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:BUMBLEBEE LLC-Best-Consult msi signed version-dll

Code Signing Certificate

Organisation:LLC Best Consult
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-05-14T15:23:53Z
Valid to:2026-05-15T15:23:53Z
Serial number: 1044dc08d7a1cead020b97ec
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 5ce814f2c915eb20b8f72ac54b7d0a3a4756e80cf6d60a7525268ed8df4965ec
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.183.184.146:443 https://threatfox.abuse.ch/ioc/1526015/

Intelligence

File Origin
# of uploads :
4
# of downloads :
90
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682c44e4c28c67d666423fad
Tags:
shellcode backdoor virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer invalid-signature revoked-cert signed
Link:
https://www.filescan.io/uploads/682c44e2c609634bd7cb1284/reports/86189d34-cc5b-40bf-9dc2-525148641533/overview
Verdict:
Malicious
Labled as:
Generik.VMXHQA trojan
Link:
https://www.hybrid-analysis.com/sample/31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1694819
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Found malware configuration
Found WinMTR tool (often used for host & network discovery)
Malicious sample detected (through community Yara rule)
Queries random domain names (often used to prevent blacklisting and sinkholes)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32/
Threat name:
Win64.Trojan.Bumblebee
Create hunting rule
Status:
Malicious
First seen:
2025-05-20 04:38:26 UTC
File Type:
Binary (Archive)
Extracted files:
45
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghow2bykmwtermv6t2ro3sppzithmlbyowun3ywqddvqms6edyza._file
Verdict:
malicious
Label(s):
bumblebee
Create hunting rule
Similar samples:
02197c23af1f99c3fa41d52f7f925e47ae5bfb5e604314d19382b1bb7112463f
BumbleBee
5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1
BumbleBee
783a4034e44f58427a248454ade7ab09c4099414bb0a385ca32d8b263cd21ae4
BumbleBee
a67bae3dd73789e892b5114a157d992424d367aae11c5fbaa80be639d6dec798
BumbleBee
error
BumbleBee
+ 30 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:grp0003 loader persistence privilege_escalation
Link:
https://tria.ge/reports/250520-kyqbhser31/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
BumbleBee
Bumblebee family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments