MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a5d5e6537044cdbf8de9960d79c85b15997784ba1b74659dbfcb248ccc94f59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a5d5e6537044cdbf8de9960d79c85b15997784ba1b74659dbfcb248ccc94f59
SHA3-384 hash: 209f0e4635ceec0c507dd8606871529f47a73cd2843c15a58249e67fcb18dde94a310b26b888307615f604371fc84ba9
SHA1 hash: 458057cfa84c793a18f436b38d996c8e766516d2
MD5 hash: d5917b4035dabf4e1df81fd79c4d2313
humanhash: mexico-nuts-white-solar
File name:BumbleBeeLoader.bin
Download: download sample
Signature BumbleBee
Create hunting rule
File size:1'479'696 bytes
First seen:2023-03-04 09:09:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 431e6e792a56b1691f9196798083e783 (1 x BumbleBee)
ssdeep 24576:UJAx41SXU4LG5Vlcz8PBhNbJgwm9CEl9DAvOBddLfl93pb3:20bG5Vyz8B9gwm95AAdhfD3
Threatray 35 similar samples on MalwareBazaar
TLSH T120656B19AAACC0B5D077C138C5A38987E7F274544F31ABDB16A9561D2F33BE0563E322
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter 0xToxin
Tags:202lg BUMBLEBEE exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BumbleBeeLoader.bin
Verdict:
No threats detected
Analysis date:
2023-03-04 09:10:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/976773e2-50f3-4a2a-a8e8-734bf625c8e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BumbleBee
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371615/
Detection(s):
Win.Malware.Tedy-9952524-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm cmd.exe coinminer evasive fingerprint greyware overlay schtasks.exe shell32.dll ursnif windows
Link:
https://www.filescan.io/uploads/64030aec93921fa042365fbc/reports/5de85a14-9839-4bad-91ca-a68becd64557/overview
Verdict:
Malicious
Labled as:
DeepScan:Generic.Ursnif.3.1
Link:
https://www.hybrid-analysis.com/sample/4a5d5e6537044cdbf8de9960d79c85b15997784ba1b74659dbfcb248ccc94f59
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ramnit
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7cdfd2e-69a6-478f-8182-92d214631c54
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1187077
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 819953 Sample: BumbleBeeLoader.bin.exe Startdate: 04/03/2023 Architecture: WINDOWS Score: 96 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus detection for URL or domain 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 4 other signatures 2->36 7 loaddll64.exe 1 2->7         started        process3 signatures4 38 Sets debug register (to hijack the execution of another thread) 7->38 10 rundll32.exe 7->10         started        13 rundll32.exe 7->13         started        15 rundll32.exe 7->15         started        17 3 other processes 7->17 process5 signatures6 40 Contain functionality to detect virtual machines 10->40 42 Searches for specific processes (likely to inject) 10->42 19 WerFault.exe 21 9 13->19         started        22 WerFault.exe 9 15->22         started        24 rundll32.exe 17->24         started        process7 file8 26 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->26 dropped 28 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->28 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a5d5e6537044cdbf8de9960d79c85b15997784ba1b74659dbfcb248ccc94f59/
Threat name:
Win64.Trojan.Bumbleloader
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 04:02:50 UTC
File Type:
PE+ (Dll)
Extracted files:
3
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjov4zjxargnx6g6tfqnphefwfmzo6clug3umwo37szertgjj5mq._file
Verdict:
malicious
Similar samples:
0a1f783975c84eb09e79a4c0c984ec8a9aa4de8deeb3b03bec3877bf4629bae5
BumbleBee
287055194e83ab2a8d91ef4d187de57345c19018cf3a85024c4fd20c64ad689e
BumbleBee
32d3c8a61ba7a61d1f7466a4a60f7b52bb9bb0e6d000418da5cce79831f55a8c
BumbleBee
6b3a8f1b3ee2f33912815aa18ed89184ffcc0ddf8619b7551aba216e20e1fe88
BumbleBee
f0fdc0b64b747f348a87a382ff5dfe016107f95ab5953318cc8d9548a983efd1
BumbleBee
+ 25 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:202lg
Link:
https://tria.ge/reports/230304-k41z7sch2z/
Behaviour
Suspicious use of NtCreateThreadExHideFromDebugger
Malware Config
C2 Extraction:
104.168.157.253:443
209.141.40.19:443
107.189.5.17:443
23.254.167.63:443
91.206.178.234:443
146.19.173.86:443
103.175.16.104:443
194.135.33.85:443
173.234.155.246:443
51.68.144.43:443
172.86.120.111:443
160.20.147.242:443
51.75.62.204:443
205.185.113.34:443
194.135.33.184:443
23.82.140.155:443
185.173.34.35:443
Unpacked files
SH256 hash:
4a5d5e6537044cdbf8de9960d79c85b15997784ba1b74659dbfcb248ccc94f59
MD5 hash:
d5917b4035dabf4e1df81fd79c4d2313
SHA1 hash:
458057cfa84c793a18f436b38d996c8e766516d2
Detections:
win_bumblebee_auto
Create hunting rule
win_bumblebee_a0
Create hunting rule
Link:
https://www.unpac.me/results/479e0f4f-cbce-40a4-895e-24411e2fe169/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a5d5e6537044cdbf8de9960d79c85b15997784ba1b74659dbfcb248ccc94f59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Bumblebee_mem
Create hunting rule
Author:James_inthe_box
Description:Bumblebee loader
Reference:7a2ac6664ef13971ce464676012092befde8f14b0013b2f0f3e21c9051cb45a0
Rule name:INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing virtualization MAC addresses
Rule name:INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing combination of virtualization drivers
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One
Rule name:Windows_Trojan_Bumblebee_35f50bea
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Bumblebee_70bed4f3
Create hunting rule
Author:Elastic Security
Rule name:win_bumblebee
Create hunting rule
Rule name:win_bumblebee_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bumblebee.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371615/

Comments