MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c
SHA3-384 hash:	a59c2366e0e7f7013368017db8c9d6e4eb27637afa07e40ddb8ccd35e4debf464262a6d1a8af6fae42f128f68c193451
SHA1 hash:	82fd2f5e0d45780f53ea424fe935cfc1bc4cfaac
MD5 hash:	a2c54c9b26b8e4f99809ed2045b53d52
humanhash:	undress-sodium-princess-speaker
File name:	670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'852'656 bytes
First seen:	2026-04-01 12:41:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	81b5a68eca3e2b0177f7939b4a1781a2 (1 x BumbleBee)
ssdeep	49152:D8Q1LptohcpwEWUtnKCofGxa8ZHGnuIKwVMN8U:wQ1Lc0wjUtjxrGnnKwVS8U
TLSH	T1C68533A47E0E90C9EA8AC8FA34D15F0E95FDFB5EF6BC81031150833D5A635178E8A91D
TrID	37.0% (.EXE) Win64 Executable (generic) (6522/11/2) 28.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3) 11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	BUMBLEBEE exe signed Xiamen-Duohanbeiwei-Network-Co-Ltd

Code Signing Certificate

Organisation:	Xiamen Duohanbeiwei Network Co., Ltd
Issuer:	Sectigo Public Code Signing CA EV R36
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-02-04T00:00:00Z
Valid to:	2027-02-04T23:59:59Z
Serial number:	3cf1cf07647c6052688e66d3b2e179df
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	a291548f5236e4b82427d766488e5a193f7b78b8468ea01b8a86ce91856bc95b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

_670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c.dll

Verdict:

No threats detected

Analysis date:

2026-04-01 12:42:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f088e64d-43fc-4171-89c5-11f8743227fd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/60068/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69cd12a96363ca5d27f09055

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug microsoft_visual_cc packed revoked-cert signed virus

Link:

https://www.filescan.io/uploads/69cd12a7972c219c8d74f9a5/reports/98636fbd-e582-4179-99f9-12abc3dec9e0/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c

Verdict:

Clean

File Type:

dll x64

First seen:

2026-04-01T07:57:00Z UTC

Last seen:

2026-04-01T10:01:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d73bcca4-765a-479d-a564-18644f409c29

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1892251

Signature

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to determine the online IP of the system

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Queries random domain names (often used to prevent blacklisting and sinkholes)

Searches for specific processes (likely to inject)

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/a2c54c9b26b8e4f99809ed2045b53d52

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c/

Verdict:

Malicious

Threat:

Family.BUMBLEBEE

Link:

https://tip.neiki.dev/file/670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4dydugtkwbngckm6n22ipczz65bk7qkth7jdhsgfligarpqqq6a._file

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee botnet:1000 loader revoked_codesign

Link:

https://tria.ge/reports/260401-pxfsxafx3y/

Behaviour

BumbleBee

Bumblebee family

Unpacked files

SH256 hash:

670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c

MD5 hash:

a2c54c9b26b8e4f99809ed2045b53d52

SHA1 hash:

82fd2f5e0d45780f53ea424fe935cfc1bc4cfaac

Link:

https://www.unpac.me/results/b98ea6c2-6415-4e26-bb39-235e91731723/

Malware family:

BumbleBee

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/670781d0d355/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/60068/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample