MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69d3cf7d850bd05b3a901bc923f3c48392cedc1f863e6fe2b44e07096a180905. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 11


Intelligence 11 IOCs YARA 31 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69d3cf7d850bd05b3a901bc923f3c48392cedc1f863e6fe2b44e07096a180905
SHA3-384 hash: 05fe65173a3e239805efeebdbe0f4890d37ee5a8376db43381b05205dba7801048a9b008ab02c519111c219302c9aff3
SHA1 hash: fadccd0e05ef4d121da7dee9b957a42667ebe062
MD5 hash: fd990d3d2706f16151404f9e4cdc26b7
humanhash: august-violet-oxygen-mike
File name:Advanced-IP-Scanner.msi
Download: download sample
Signature BumbleBee
Create hunting rule
File size:22'761'472 bytes
First seen:2025-07-09 11:17:29 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:1FbgvkXDSlnAH4LnIg2xWzQ6jwqOfvo7FZJeWLIYX45sVzMwObRb9q7+jklofNoi:zsvJnK4KxqmvaXJeWLs2VKkzGiSqws
Threatray 7 similar samples on MalwareBazaar
TLSH T1FA3733AFB16D8F39EC5A607CC4D937CA66006D9C32058533F219F1F727B62B742A9690
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SquiblydooBlog
Tags:BUMBLEBEE msi signed

Code Signing Certificate

Organisation:LLC Invest Center
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-05-22T15:39:53Z
Valid to:2026-05-23T15:39:53Z
Serial number: 073b9b32fe16b00a4268f97b
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 1d10a2301bdc935caa3a4968508eb968045f0f7f36f3a5427993e59fd2e785ce
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
34
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13669/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686e4ffdc9eb97473767dd79
Tags:
shellcode spawn blic
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer signed
Link:
https://www.filescan.io/uploads/686e500490b9181d715ec2b7/reports/54e566b1-56c8-40eb-9144-14a9d8cc6045/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/69d3cf7d850bd05b3a901bc923f3c48392cedc1f863e6fe2b44e07096a180905
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/69d3cf7d850bd05b3a901bc923f3c48392cedc1f863e6fe2b44e07096a180905
Score:
57%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/69d3cf7d850bd05b3a901bc923f3c48392cedc1f863e6fe2b44e07096a180905
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/69d3cf7d850bd05b3a901bc923f3c48392cedc1f863e6fe2b44e07096a180905
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-09 10:31:14 UTC
File Type:
Binary (Archive)
Extracted files:
2938
AV detection:
11 of 38 (28.95%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhj467mfbpifwouqdpesh46eqojm5xa7qy7g7yvujydqs2qybecq._file
Verdict:
malicious
Label(s):
bumblebee
Create hunting rule
admintool_radmin
Create hunting rule
admintool_advancedipscanner
Create hunting rule
Similar samples:
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b
BumbleBee
353c619c6fb8befb3b55f068bef4f265b74a03d762e99912803201443e1bb295
BumbleBee
3994569ccb24b135bae81c41fa2ec7cfd0a17d98fd7e98ca9ccdc288059eb736
BumbleBee
6e5887670a74b010bff1c5bc11e936b392a12ed48a6afd796bd712c2594d423b
BumbleBee
78a5198705475406e3e397f3242416353b155fd843dadd7f3065f7d08e39c481
BumbleBee
error
BumbleBee
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:grp0002 defense_evasion discovery loader persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/250709-ned1xsxvgw/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Checks system information in the registry
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Looks up external IP address via web service
Checks BIOS information in registry
Identifies Wine through registry keys
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
BumbleBee
Bumblebee family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5e8c0038-2633-4309-956d-24dfcb1e339e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69d3cf7d850bd05b3a901bc923f3c48392cedc1f863e6fe2b44e07096a180905

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BumbleBee2024
Create hunting rule
Author:enzok
Description:BumbleBee 2024
Rule name:Bumblebee_mem
Create hunting rule
Author:James_inthe_box
Description:Bumblebee loader
Reference:7a2ac6664ef13971ce464676012092befde8f14b0013b2f0f3e21c9051cb45a0
Rule name:bumblebee_v2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:BumbleBee Payload v2
Rule name:Check_Qemu_Description
Create hunting rule
Rule name:Check_Qemu_DeviceMap
Create hunting rule
Rule name:Check_VBox_Description
Create hunting rule
Rule name:Check_VBox_DeviceMap
Create hunting rule
Rule name:Check_VBox_Guest_Additions
Create hunting rule
Rule name:Check_VBox_VideoDrivers
Create hunting rule
Rule name:Check_VmTools
Create hunting rule
Rule name:Check_VMWare_DeviceMap
Create hunting rule
Rule name:Check_Wine
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing virtualization MAC addresses
Rule name:INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing combination of virtualization drivers
Rule name:kleptoparasite
Create hunting rule
Author:jarcher
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Bumblebee_35f50bea
Create hunting rule
Author:Elastic Security
Rule name:win_bumblebee
Create hunting rule
Rule name:win_bumblebee_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bumblebee.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/13669/

Comments