MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c
SHA3-384 hash: 8cc2383373d96950d1df8f09696493c556d49af8470b7457ddc396ce9874e4ab421fa51fb01de9b205b1d5b44a9c7ab7
SHA1 hash: 5b0c15e551f989d1702478a50da3fac5bd3dff87
MD5 hash: 14da4c2df839237771865372ce4eee25
humanhash: mexico-cold-jig-alpha
File name:GfsFepFIKsNGpt.dll
Download: download sample
Signature BumbleBee
Create hunting rule
File size:1'820'672 bytes
First seen:2022-09-01 11:00:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 870d5612f32c9405cb8b46c8aa36cb42 (1 x BumbleBee)
ssdeep 49152:7mWxtD5wWHxLrApxq7pMKEngsfyJllGVeTQKP7:7vxtD66xLrsxIpMKEngsfyJllGVeTQKD
TLSH T13B85D0831CE88288DC2598FC6FF1F173857F6250CAFD2A50A5225D6E59E5D23B23B718
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:BUMBLEBEE dll exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GfsFepFIKsNGpt.dll
Verdict:
No threats detected
Analysis date:
2022-09-01 11:01:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/96732b8a-2cac-4883-9e93-14f910dbaaad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307221/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Detecting VM
Using the Windows Management Instrumentation requests
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63109133e87b88e71beaea7f/reports/cc5e81bc-152e-4146-b91f-6940dd4f0c73/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2c844dc7-d161-4adb-a6af-66030446b994
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1062711
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 695238 Sample: GfsFepFIKsNGpt.dll.exe Startdate: 01/09/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 3 other signatures 2->44 8 loaddll64.exe 1 2->8         started        process3 signatures4 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->52 54 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 8->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->56 58 4 other signatures 8->58 11 regsvr32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 2 other processes 8->18 process5 signatures6 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->60 62 Contain functionality to detect virtual machines 11->62 64 Searches for specific processes (likely to inject) 11->64 20 rundll32.exe 14->20         started        66 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->66 23 WerFault.exe 3 9 18->23         started        26 WerFault.exe 9 18->26         started        28 WerFault.exe 18->28         started        30 WerFault.exe 18->30         started        process7 dnsIp8 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->46 48 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 20->48 50 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->50 32 WerFault.exe 17 9 20->32         started        34 WerFault.exe 20->34         started        36 192.168.2.1 unknown unknown 23->36 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c/
Threat name:
Win64.Trojan.BumbleBee
Create hunting rule
Status:
Malicious
First seen:
2022-08-31 21:43:55 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=glj4rjq3u6tb2h3um2skmd33kk5zxmhg2aaeddnfzttzqmpvlkga._file
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:3108 evasion trojan
Link:
https://tria.ge/reports/220901-m4kdkacfcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtCreateThreadExHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
BumbleBee
Malware Config
C2 Extraction:
54.203.130.81:428
103.160.22.125:439
100.194.5.156:279
138.10.128.167:465
16.68.199.17:119
49.58.238.45:318
158.121.21.147:265
76.179.109.138:320
219.114.206.84:318
242.123.229.45:306
247.142.48.124:278
137.128.84.3:389
178.18.89.43:472
68.72.230.54:206
253.1.172.156:320
88.12.127.219:297
113.50.222.178:284
135.21.140.60:404
64.44.102.36:443
247.232.101.39:263
25.164.199.235:483
229.34.16.142:331
161.192.84.102:421
92.50.58.134:268
150.69.136.89:264
117.250.45.148:196
193.19.186.178:227
80.161.122.170:210
51.83.249.204:443
244.56.215.21:367
146.70.106.163:443
22.226.202.236:160
5.98.161.45:407
169.173.118.1:482
241.97.45.244:361
25.22.207.178:454
33.152.14.249:176
225.69.64.137:234
66.123.133.120:125
233.57.245.52:193
175.88.206.214:229
12.171.4.209:360
203.176.214.111:334
22.233.59.206:201
81.135.6.89:355
151.147.0.228:393
129.92.194.112:238
249.69.235.102:423
131.243.196.86:251
135.47.154.49:225
225.22.137.126:322
18.153.76.23:229
189.3.235.110:232
Unpacked files
SH256 hash:
32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c
MD5 hash:
14da4c2df839237771865372ce4eee25
SHA1 hash:
5b0c15e551f989d1702478a50da3fac5bd3dff87
Link:
https://www.unpac.me/results/3c33aef2-4020-4862-aabf-d3f18da49da9/
Malware family:
BumbleBee
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/32d3c8a61ba7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BumbleBee
Create hunting rule
Author:enzo & kevoreilly
Description:BumbleBee Payload
Rule name:Bumblebee_mem
Create hunting rule
Author:James_inthe_box
Description:Bumblebee loader
Reference:7a2ac6664ef13971ce464676012092befde8f14b0013b2f0f3e21c9051cb45a0
Rule name:crime_win64_bumbleebee_loader_packed
Create hunting rule
Author:Rony (@r0ny_123)
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:win_bumblebee
Create hunting rule
Rule name:win_bumblebee_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bumblebee.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BumbleBee

8ce84fae3e55520c041d70bdb90900060eff61c6f9c4282cb48a899e15db0f50

BumbleBee

Executable exe 32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/307221/
  
Dropped by
SHA256 8ce84fae3e55520c041d70bdb90900060eff61c6f9c4282cb48a899e15db0f50
  
Dropped by
MD5 b93dc51a8e8fd9a2823568d16e647050

Comments