MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe
SHA3-384 hash:	c6da690ae4e2fe8c9709f394e6981509cdfee37a3d8a22486fd6a9ca7ee94cdb36b081ae180e93e480aa82c49c1dd1cd
SHA1 hash:	13da23476ed7c8211fa49380176eabb17c1a9408
MD5 hash:	485b65ea3f28d1cd17cd4339662e048a
humanhash:	lithium-jupiter-arizona-carpet
File name:	ramest.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'394'688 bytes
First seen:	2022-05-09 19:45:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	66356a654249c4824378b1a70e7cc1e5 (4 x BumbleBee)
ssdeep	24576:ZdyqGb318EyKM8V/kQe2SvRjRlOeDE20qu03dw21HKE4m6SlT0NxhPivyie9tXLJ:vyqg2x3ih
Threatray	2'165 similar samples on MalwareBazaar
TLSH	T198556DF85F99284CD83BD8199597BC7E9B8834535B1EAFD03717E8122276308A92D1CF
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	k3dg3___
Tags:	BUMBLEBEE dll exe

k3dg3

SjVjlixjPb

Intelligence

File Origin

# of uploads :

# of downloads :

312

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ramest.dll

Verdict:

No threats detected

Analysis date:

2022-05-09 19:49:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/65f1b65c-fc6e-46d3-9434-3fbecf19b7e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16848/overview

Behaviour

MalwareBazaar

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/62796f89be0219041a89cd49/reports/f1d5f845-a6e9-4aac-a925-a56c6cc4b569/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2c93c00c-0fbe-47b9-bce0-633c770b423b

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/990496

Signature

Antivirus / Scanner detection for submitted sample

Contain functionality to detect virtual machines

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jsp755ayhbp52cva43vbydrj6ot2jl2r7ph5aeoqpf6w4ywizt7a._file

Verdict:

malicious

BumbleBee

0659390fe57012c9d29bacb0e85b61f7de968a6008f91d9c729e18c784b2cca1

BumbleBee

13aa6bed5b3a656b9c86cc2d397f765779f4a7dff49f73d58bd97e11423e0635

BumbleBee

2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291

BumbleBee

2457a1b0008c7059b5d58fffadad4e71f8332e9c09ac55f34b0a078363c29c87

BumbleBee

26af00a279ce082c2bb1db2cb50d2d590623e3f20e6c260d77ca77bf72b51797

BumbleBee

596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199

BumbleBee

c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb

BumbleBee

d19fdf53603310203c8bc83e1d27e14b60cac0a65932fe3824dedca50ff5c0a9

BumbleBee

e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0

BumbleBee

+ 2'155 additional samples on MalwareBazaar

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee evasion trojan

Link:

https://tria.ge/reports/220509-ygys8agghn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Unpacked files

SH256 hash:

4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe

MD5 hash:

485b65ea3f28d1cd17cd4339662e048a

SHA1 hash:

13da23476ed7c8211fa49380176eabb17c1a9408

Link:

https://www.unpac.me/results/a06a0662-473b-4554-8362-9b81592d957b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.