MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 986dc96c4dbb6c953db7b68a30c9cdc93598d89ca3e9804bd92f53d26a48f5ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 986dc96c4dbb6c953db7b68a30c9cdc93598d89ca3e9804bd92f53d26a48f5ba
SHA3-384 hash: 3b76fcf029532ec08979af8a18a42d45b94f199e1dc2b291c0501afd759424a1f6c7e1444d009ea65e1a301636cd1602
SHA1 hash: b39893d501d3f33edfc475cc7ccaa747022001b2
MD5 hash: 332d1f555297d05bb4b3b2dd7e76041d
humanhash: hotel-football-item-bravo
File name:tools.dll
Download: download sample
Signature BumbleBee
Create hunting rule
File size:2'769'408 bytes
First seen:2022-05-03 15:22:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c85cc919aa73be02e9d5d942c58302e (7 x BumbleBee)
ssdeep 49152:vwBPPokJKVdx1YWV3obuUvpHOxcSCoCH+JljOAEe+hArAJ2m/NxtZ:vwBPwkJKbx1YWV3oSypHOxcSOH+LOAEX
Threatray 2'083 similar samples on MalwareBazaar
TLSH T18ED5F1090E150826DAB40EF42CDF3B8905147B17DCB89D5B4AB694AC27BDEEB346352F
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter malwarelabnet
Tags:BUMBLEBEE exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
61c89c8f66a6513e04f8839061630de548aa177eca8db9395b1a5e7d14f8f67e
Verdict:
Suspicious activity
Analysis date:
2022-05-03 11:27:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94eabcb6-07ba-42cb-bf6f-0ba644bae459

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268455/
Detection(s):
SecuriteInfo.com.Variant.Lazy.171724.23530.22870.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16206/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/627148a037afaeff09c1267a/reports/0a0cbfd5-b4eb-459b-beed-a29e77c660df/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/275f5a62-9d0a-4a90-932c-30f3feedde45
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/987243
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Creates processes via WMI
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Searches for specific processes (likely to inject)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 619735 Sample: tools.dll Startdate: 03/05/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Antivirus detection for URL or domain 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 3 other signatures 2->37 7 loaddll64.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        13 cmd.exe 1 7->13         started        15 rundll32.exe 7->15         started        dnsIp5 29 23.106.160.40, 443, 49768, 49770 LEASEWEB-USA-SFO-12US United States 9->29 41 System process connects to network (likely due to code injection or exploit) 9->41 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->43 45 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 9->45 49 6 other signatures 9->49 17 wab.exe 9->17         started        20 wabmig.exe 9->20         started        22 rundll32.exe 13->22         started        47 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->47 signatures6 process7 dnsIp8 25 ec2-34-213-238-129.us-west-2.compute.amazonaws.com 34.213.238.129, 443, 49780, 49782 AMAZON-02US United States 17->25 27 ec2-54-203-176-144.us-west-2.compute.amazonaws.com 54.203.176.144, 443, 49777, 49860 AMAZON-02US United States 20->27 39 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->39 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/986dc96c4dbb6c953db7b68a30c9cdc93598d89ca3e9804bd92f53d26a48f5ba/
Threat name:
Win64.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-04-27 09:09:31 UTC
File Type:
PE+ (Dll)
AV detection:
14 of 39 (35.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tbw4s3cnxnwjkpnxw2fdbsonze2zrwe4upuyas6zf5j5e2si6w5a._file
Verdict:
malicious
Similar samples:
0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8
BumbleBee
596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199
BumbleBee
5b28fdff9694a490d1652d95fbca78182482975dcb66f5f3283343df9f8b8547
BumbleBee
a54302b0bf056c65deb759122f71e757b11155d82e648f9e206dab91aab44bd4
BumbleBee
c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb
BumbleBee
e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0
BumbleBee
+ 2'073 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee evasion trojan
Link:
https://tria.ge/reports/220503-srwhysaaf3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Checks BIOS information in registry
Identifies Wine through registry keys
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
BumbleBee
Unpacked files
SH256 hash:
986dc96c4dbb6c953db7b68a30c9cdc93598d89ca3e9804bd92f53d26a48f5ba
MD5 hash:
332d1f555297d05bb4b3b2dd7e76041d
SHA1 hash:
b39893d501d3f33edfc475cc7ccaa747022001b2
Link:
https://www.unpac.me/results/bd636375-7ef8-42aa-891d-62b211de6bcc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/986dc96c4dbb6c953db7b68a30c9cdc93598d89ca3e9804bd92f53d26a48f5ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win64_bumbleebee_loader_packed
Create hunting rule
Author:Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268455/

Comments