MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43bc8eb0987f3ca4eb6b4b626c2ebd55dae07ba19ef124e1e0ea2ebea9cb5db5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43bc8eb0987f3ca4eb6b4b626c2ebd55dae07ba19ef124e1e0ea2ebea9cb5db5
SHA3-384 hash: 679494b7cfbc7990b671abb199412626b40a59a340fcfbbd84155d6ff5638f0fa371736098745dc54d944ca12220bd17
SHA1 hash: e0f7136b70eae3468e07fe6cfd589d56519e60dd
MD5 hash: d9711907155c800982d3b3a13b221010
humanhash: sad-alaska-florida-bacon
File name:karol.dll
Download: download sample
Signature BumbleBee
Create hunting rule
File size:1'959'424 bytes
First seen:2022-05-25 17:00:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2196949855afd28354c325d82345d561 (7 x BumbleBee)
ssdeep 24576:RlDLF6LQkxs/k6WLPbdHSxSetSXdHSpqxgQZ9WXyMIoa5h7zKbe9HRLr2yg5brCG:HDLIPAsXiDyeaMa1O/
Threatray 7 similar samples on MalwareBazaar
TLSH T130954B3E46DC46FAE2CFB4F0CC3696DBF97754F85B446214B300B9956C9B6BAC0806A1
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter proxylife
Tags:BUMBLEBEE exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
384
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
karol.dll
Verdict:
No threats detected
Analysis date:
2022-05-25 17:01:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec48f274-67e8-475c-b30d-ce614b7a58e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274594/
Result
Verdict:
Clean
Maliciousness:
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/20362/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/628e610d206e0816183d785e/reports/5525e275-53b6-4838-9584-e1b3fc943ee5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5d5bf180-f41d-4380-8a3a-8a484d8279e2
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1001741
Signature
Contain functionality to detect virtual machines
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634237 Sample: karol.dll Startdate: 25/05/2022 Architecture: WINDOWS Score: 76 53 Yara detected BumbleBee 2->53 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->55 9 loaddll64.exe 1 2->9         started        process3 process4 11 rundll32.exe 9->11         started        14 rundll32.exe 9->14         started        16 rundll32.exe 9->16         started        18 6 other processes 9->18 signatures5 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->57 59 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 11->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->61 65 2 other signatures 11->65 20 WerFault.exe 20 9 11->20         started        63 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->63 23 WerFault.exe 9 18->23         started        25 rundll32.exe 18->25         started        27 WerFault.exe 9 18->27         started        29 2 other processes 18->29 process6 file7 41 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->41 dropped 43 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->43 dropped 31 MpCmdRun.exe 23->31         started        33 WerFault.exe 9 25->33         started        45 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 27->45 dropped 47 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 29->47 dropped 49 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 29->49 dropped process8 dnsIp9 37 conhost.exe 31->37         started        51 192.168.2.1 unknown unknown 33->51 39 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 33->39 dropped file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43bc8eb0987f3ca4eb6b4b626c2ebd55dae07ba19ef124e1e0ea2ebea9cb5db5/
Threat name:
Win64.Trojan.Bumbleloader
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 17:09:59 UTC
File Type:
PE+ (Dll)
AV detection:
6 of 26 (23.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=io6i5meyp46kj23ljnrgylv5kxnoa65bt3ysjypa5ixl5kollw2q._file
Verdict:
unknown
Similar samples:
132c6ff567a9f519d80e17e018bf56c21585e12265099e70413008dc7dd15093
BumbleBee
281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8
BumbleBee
592bca0ed73c7705815562d5dc3716bdfd6558b0e3ced8c90e93acfdf6f03b58
BumbleBee
97ea4c263730c9c8ba2ba14fed2a5fc67482097540421cdc29a78bef4122fa04
BumbleBee
d42f9e26697a4119dbd811b74c10149836115b349517c053a8b9fd753a609f05
BumbleBee
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220525-vjh9rscad9/
Behaviour
Program crash
Unpacked files
SH256 hash:
43bc8eb0987f3ca4eb6b4b626c2ebd55dae07ba19ef124e1e0ea2ebea9cb5db5
MD5 hash:
d9711907155c800982d3b3a13b221010
SHA1 hash:
e0f7136b70eae3468e07fe6cfd589d56519e60dd
Link:
https://www.unpac.me/results/a60b00c8-65e4-4e2e-8823-76847d4b66f8/
Malware family:
BumbleBee
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43bc8eb0987f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43bc8eb0987f3ca4eb6b4b626c2ebd55dae07ba19ef124e1e0ea2ebea9cb5db5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win64_bumbleebee_loader_packed
Create hunting rule
Author:Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274594/

Comments