MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1
SHA3-384 hash: e568b24fd7dafee7b81ffd466b19179c16920ba9f2dceb22f4f15574c949a7beeb6742f1799045bdc533091b5aa2ec30
SHA1 hash: ab87d8589768163b4d8b1418983eee49028afbf8
MD5 hash: 9d8421bd13d5056280ddb749f00611a1
humanhash: eighteen-music-winner-floor
File name:zenmap-7.97.msi
Download: download sample
Signature BumbleBee
Create hunting rule
File size:36'507'648 bytes
First seen:2025-05-20 10:24:53 UTC
Last seen:2025-05-20 20:10:29 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:ldXBf4jWnEPxzIITlZqnJeWVmJq8JGjIyPdB2:lFZ4SEJzIITwLWxwdB
Threatray 38 similar samples on MalwareBazaar
TLSH T1FE87337A6A8DAB37CE0500346D231C5D9461BC19BBE14522E3ACFC12DEFB99316BDC94
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:BUMBLEBEE LLC-Best-Consult msi signed

Code Signing Certificate

Organisation:LLC Best Consult
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-05-14T15:23:53Z
Valid to:2026-05-15T15:23:53Z
Serial number: 1044dc08d7a1cead020b97ec
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 5ce814f2c915eb20b8f72ac54b7d0a3a4756e80cf6d60a7525268ed8df4965ec
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
5
# of downloads :
108
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682c5937c28c67d66642454b
Tags:
backdoor spawn virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer invalid-signature revoked-cert signed
Link:
https://www.filescan.io/uploads/682c58dbc609634bd7cb35bf/reports/4788276c-d9f2-43c7-9243-094d4c44a93c/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
62 / 100
Link:
https://www.joesandbox.com/analysis/1694841
Signature
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to prevent local Windows debugging
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1694841 Sample: zenmap-7.97.msi Startdate: 20/05/2025 Architecture: WINDOWS Score: 62 33 xwn7sukhzhbqv.life 2->33 35 u8karkeeu2qtj.life 2->35 37 15 other IPs or domains 2->37 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 4 other signatures 2->51 9 msiexec.exe 74 31 2->9         started        12 msiexec.exe 5 2->12         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\icardagt.exe, PE32+ 9->27 dropped 29 C:\Users\user\AppData\Local\...\version.dll, PE32+ 9->29 dropped 31 C:\Users\user\AppData\...\nmap-7.95-setup.exe, PE32 9->31 dropped 14 icardagt.exe 58 9->14         started        18 nmap-7.95-setup.exe 15 9->18         started        process6 dnsIp7 39 rdg0u5n7237r5.life 23.227.193.23, 443, 49700 HVC-ASUS United States 14->39 41 evzftxl2qjfj4.life 188.40.187.139, 443, 49686, 49692 HETZNER-ASDE Germany 14->41 43 20 other IPs or domains 14->43 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->53 55 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 14->55 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->57 59 6 other signatures 14->59 21 ipconfig.exe 1 14->21         started        25 C:\Users\user\AppData\...\InstallOptions.dll, PE32 18->25 dropped file8 signatures9 process10 process11 23 conhost.exe 21->23         started       
Score:
44%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1
Threat name:
Win64.Trojan.Bumblebee
Create hunting rule
Status:
Malicious
First seen:
2025-05-20 10:22:27 UTC
File Type:
Binary (Archive)
Extracted files:
44746
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ll7fnureyyu5pn5tyslgmxwpg4zshrfpurhwoaorsjheirenbdaq._file
Verdict:
malicious
Label(s):
bumblebee
Create hunting rule
Similar samples:
02197c23af1f99c3fa41d52f7f925e47ae5bfb5e604314d19382b1bb7112463f
BumbleBee
281e07af77e1ff21140a7102c3cf8802dff96e670c8c3c73b8250d487a5196ed
BumbleBee
5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1
BumbleBee
783a4034e44f58427a248454ade7ab09c4099414bb0a385ca32d8b263cd21ae4
BumbleBee
a67bae3dd73789e892b5114a157d992424d367aae11c5fbaa80be639d6dec798
BumbleBee
error
BumbleBee
f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c
BumbleBee
+ 28 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:grp0004 discovery loader persistence privilege_escalation
Link:
https://tria.ge/reports/250520-mgdbqsxrw3/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Looks up external IP address via web service
BumbleBee
Bumblebee family
Malware family:
BumbleBee
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5afe56d224c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BumbleBee

Microsoft Software Installer (MSI) msi 5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3548052/
  
Delivery method
Distributed via web download

Comments