MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b28fdff9694a490d1652d95fbca78182482975dcb66f5f3283343df9f8b8547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b28fdff9694a490d1652d95fbca78182482975dcb66f5f3283343df9f8b8547
SHA3-384 hash: 133c598a0b330b1d5dcd920c2f9494cc063a9605453b9123d0deafe932e4299736beae4a753ed0194fedbac972a08a39
SHA1 hash: 71394a0e1a68f5a24299b69393fd40f262fe1cd2
MD5 hash: 5db0fc984f71c7ce584a606918b807b7
humanhash: five-high-sink-fruit
File name:brawl.bin
Download: download sample
Signature BumbleBee
Create hunting rule
File size:3'676'672 bytes
First seen:2022-04-27 22:05:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a56a658bf2b472acd41a4bf78f0de87 (1 x BumbleBee)
ssdeep 49152:Lp+fmtTzre5v7o7ZR1x+KprcyUJsWBsTFxZpOHSEglsvt2REnwAZM9p5ZD:LXxc8
Threatray 2'069 similar samples on MalwareBazaar
TLSH T173066DB5BC85F267A437F95FE181F493E30E1C39951ADE4963882F5E105F208BE4AE48
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter vBqOPdAfm7WloKU
Tags:BUMBLEBEE exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/267321/
Detection(s):
SecuriteInfo.com.VHO.Trojan.Win32.Khalesi.gen.3377.28680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6269be1275c6f158e8ff5ed8/reports/48abf6a6-323c-44c1-ab24-ea663b3bfead/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/39c1cc2e-562a-4c58-ad77-e88845ebfa10
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/984382
Signature
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Contains functionality to inject threads in other processes
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Found API chain indicative of debugger detection
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 616878 Sample: brawl.dll Startdate: 28/04/2022 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->37 39 Sigma detected: Suspicious Call by Ordinal 2->39 7 loaddll64.exe 1 2->7         started        9 wab.exe 12 2->9         started        process3 dnsIp4 13 rundll32.exe 1 7->13         started        18 cmd.exe 1 7->18         started        20 rundll32.exe 7->20         started        27 ec2-54-203-176-144.us-west-2.compute.amazonaws.com 54.203.176.144, 443, 49797, 49806 AMAZON-02US United States 9->27 29 192.168.2.1 unknown unknown 9->29 43 Antivirus detection for dropped file 9->43 45 Detected unpacking (creates a PE file in dynamic memory) 9->45 47 Found API chain indicative of debugger detection 9->47 49 Contains functionality to inject threads in other processes 9->49 signatures5 process6 dnsIp7 31 108.62.118.61, 443, 49740, 49744 LEASEWEB-USA-WDCUS United States 13->31 25 C:\Users\user\AppData\Local\wab.exe, PE32+ 13->25 dropped 51 System process connects to network (likely due to code injection or exploit) 13->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->53 55 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 13->55 59 5 other signatures 13->59 22 rundll32.exe 18->22         started        57 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->57 file8 signatures9 process10 signatures11 41 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b28fdff9694a490d1652d95fbca78182482975dcb66f5f3283343df9f8b8547/
Threat name:
Win64.Trojan.Khalesi
Create hunting rule
Status:
Malicious
First seen:
2022-04-27 22:06:21 UTC
File Type:
PE+ (Dll)
AV detection:
11 of 42 (26.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmup374wsssjbulffwk7xstydasiff25zntpl4zignb57h4lqvdq._file
Verdict:
malicious
Similar samples:
0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8
BumbleBee
2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291
BumbleBee
596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199
BumbleBee
5b28fdff9694a490d1652d95fbca78182482975dcb66f5f3283343df9f8b8547
BumbleBee
a54302b0bf056c65deb759122f71e757b11155d82e648f9e206dab91aab44bd4
BumbleBee
c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb
BumbleBee
d17d26fe698a00cf23683e5df58679d6d1bf18866de4b87edb62a2bc64cb22bc
BumbleBee
d19fdf53603310203c8bc83e1d27e14b60cac0a65932fe3824dedca50ff5c0a9
BumbleBee
e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0
BumbleBee
+ 2'059 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/220427-1zgzjaafb5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Checks BIOS information in registry
Identifies Wine through registry keys
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
5b28fdff9694a490d1652d95fbca78182482975dcb66f5f3283343df9f8b8547
MD5 hash:
5db0fc984f71c7ce584a606918b807b7
SHA1 hash:
71394a0e1a68f5a24299b69393fd40f262fe1cd2
Link:
https://www.unpac.me/results/b74c662f-d31d-474b-97c5-61c82fa01a6e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5b28fdff9694a490d1652d95fbca78182482975dcb66f5f3283343df9f8b8547

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win64_bumbleebee_loader_packed
Create hunting rule
Author:Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/267321/

Comments