MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40a4f84e519d5f19e8dcdd291c0044d0f260cfec720e065bee9644b8ed2e2491. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	40a4f84e519d5f19e8dcdd291c0044d0f260cfec720e065bee9644b8ed2e2491
SHA3-384 hash:	f35a161ad4509ffe39ac3a8f1876f427c458712c058844d234912efb9bf8c2d15a02a569b9f7c4385b6d35432fb75aaf
SHA1 hash:	89cd5c59709000d79663a742e3f3dca1fa4edc96
MD5 hash:	4c67974b8fdcd18c874b191ac7bfd43d
humanhash:	table-fix-mockingbird-west
File name:	program.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'257'472 bytes
First seen:	2022-06-06 19:02:34 UTC
Last seen:	2022-06-06 19:41:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6503543def26934e055460e7a46a6ee9 (3 x BumbleBee)
ssdeep	24576:ir25rMo7tVpHXdTADx6RnKT8YQy0RKd/RKJFRcXwMzCsFR6Z7lJFWrmf:ir2VMo7tPu6KT8YQyXd/ygu0RGpQm
Threatray	2'230 similar samples on MalwareBazaar
TLSH	T135451255E6A850B9E2C795B18D2395B6C737B012A760347F1F186380AF273B0937AF36
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	k3dg3___
Tags:	6aa BUMBLEBEE exe TransferXL

k3dg3

entrypoint:ticLLghPXa

via Smash/transferXL urls

C2: 104.168.164.153:443
C2: 193.27.14.242:443
C2: 146.70.53.183:443
C2: 51.68.146.200:443
C2: 146.70.78.21:443
C2: 185.62.56.12:443
C2: 146.19.253.15:443
C2: 160.20.147.191:443
C2: 79.110.52.236:443
C2: 37.72.174.23:443
C2: 64.44.135.230:443
C2: 103.175.16.108:443
C2: 146.70.106.83:443
C2: 185.62.56.224:443
C2: 103.175.16.106:443
C2: 154.56.0.223:443
C2: 103.175.16.38:443
C2: 104.168.204.123:443
C2: 103.144.139.18:443
C2: 51.68.147.233:443
C2: 185.62.56.128:443
C2: 146.70.95.244:443
C2: 185.62.57.19:443
C2: 45.153.240.139:443
C2: 45.153.240.155:443
C2: 142.11.196.174:443
C2: 54.37.130.166:443

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

program.dll

Verdict:

No threats detected

Analysis date:

2022-06-06 19:06:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1fec0a59-a4d7-4a55-ae93-48ce26e64399

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BumbleBee

Link:

https://www.capesandbox.com/analysis/277126/

Detection(s):

SecuriteInfo.com.Artemis4C67974B8FDC.3324.12480.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/629e4f708e867832d9df67f7/reports/2fad60d9-aa74-42d9-be2d-5d206762b65a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/113d1276-93b8-4f31-9d53-f5d36bea3ebf

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1007627

Signature

Contain functionality to detect virtual machines

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/40a4f84e519d5f19e8dcdd291c0044d0f260cfec720e065bee9644b8ed2e2491/

Threat name:

Win64.Trojan.Bumbleloader

Status:

Malicious

First seen:

2022-06-06 19:03:10 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

6 of 26 (23.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=icspqtsrtvprt2g43uuryace2dzgbt7moihamw7oszclr3joesiq._file

Verdict:

malicious

BumbleBee

47fa907c50a09bc2fc41cf50afac4e178f7ce51c9592f18335db53976e87e92e

BumbleBee

538d9548d4b197611a07d436feb27beff04e6cd53fba88b1cfdee626eff89db2

BumbleBee

a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e

BumbleBee

e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf

BumbleBee

ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c

BumbleBee

+ 2'220 additional samples on MalwareBazaar

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee botnet:6aa evasion trojan

Link:

https://tria.ge/reports/220606-xqbvdaahe7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Malware Config

C2 Extraction:

104.168.164.153:443
193.27.14.242:443
146.70.53.183:443
51.68.146.200:443
146.70.78.21:443
185.62.56.12:443
146.19.253.15:443
160.20.147.191:443
79.110.52.236:443
37.72.174.23:443
64.44.135.230:443
103.175.16.108:443
146.70.106.83:443
185.62.56.224:443
103.175.16.106:443
154.56.0.223:443
103.175.16.38:443
104.168.204.123:443
103.144.139.18:443
51.68.147.233:443
185.62.56.128:443
146.70.95.244:443
185.62.57.19:443
45.153.240.139:443
45.153.240.155:443
142.11.196.174:443
54.37.130.166:443

Unpacked files

SH256 hash:

40a4f84e519d5f19e8dcdd291c0044d0f260cfec720e065bee9644b8ed2e2491

MD5 hash:

4c67974b8fdcd18c874b191ac7bfd43d

SHA1 hash:

89cd5c59709000d79663a742e3f3dca1fa4edc96

Link:

https://www.unpac.me/results/4374e8f4-1e07-43f2-a398-5ba652300b1c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/40a4f84e519d5f19e8dcdd291c0044d0f260cfec720e065bee9644b8ed2e2491

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BumbleBeeLoader Create hunting rule
Author:	enzo & kevoreilly
Description:	BumbleBee Loader

Rule name:	crime_win64_bumbleebee_loader_packed Create hunting rule
Author:	Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

22C25334AA0DE5E3A275D68F4A31E77345B0C9EB9A60560772C7AE4B57F03440

BumbleBee

exe 40a4f84e519d5f19e8dcdd291c0044d0f260cfec720e065bee9644b8ed2e2491

(this sample)

Dropped by

SHA256 22C25334AA0DE5E3A275D68F4A31E77345B0C9EB9A60560772C7AE4B57F03440

Cape

https://www.capesandbox.com/analysis/277126/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample