MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e
SHA3-384 hash:	0109a803a52f94cf6c45a1a40486e24fbaa3eea03c2f08be2e107fee9228bac20a7e79ca23583aebbfceee3850ee0a48
SHA1 hash:	bdf97115951474a45eadf2c54003ef36dd1cf123
MD5 hash:	612d454fd024cee33892c3b7e0df89e7
humanhash:	black-freddie-rugby-lake
File name:	lipes.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'588'736 bytes
First seen:	2022-06-01 16:34:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	15bba266c2637d472ba4f6412cc30f5b (3 x BumbleBee)
ssdeep	24576:S9J1n7sku6tQ9FZHRRsoX7c3hs72XBL7/rIVd1hWsmXIlPo2Ut3bR:S9JB4kJtMZHRRLU82BCWF6Po223l
Threatray	2'223 similar samples on MalwareBazaar
TLSH	T1D375F1437B85BD8FF40AEC3F0A57D7E8C0D1FDA51B66C1090B7257AA0A156084F3AE69
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	pr0xylife
Tags:	BUMBLEBEE exe

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

lipes.dll

Verdict:

No threats detected

Analysis date:

2022-06-01 16:54:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/329ccf24-e9b3-45db-8154-4e8d7d05b55a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BumbleBeeLoader

Link:

https://www.capesandbox.com/analysis/276146/

Detection(s):

SecuriteInfo.com.UDS.Trojan-Dropper.Win64.BumbleBee.bmg.11889.9014.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/27c22f33-e30c-4576-9428-685c1d48c63e

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1005226

Signature

Contain functionality to detect virtual machines

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e/

Threat name:

Win64.Trojan.Bumbleloader

Status:

Malicious

First seen:

2022-06-01 16:35:14 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

12 of 26 (46.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uj675idyq5cczumpp5jnh4ujstu3snrrvgmp4jkkrpdfj6wzjnha._file

Verdict:

malicious

BumbleBee

2229a110ce64fed2119603f6cbc6a20a62e518f9153eebd9760210cdd48a1a5a

BumbleBee

98ce00be3d133849c7b74497e8f681235863069df7bbbba55189196ee8037beb

BumbleBee

a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e

BumbleBee

e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf

BumbleBee

ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c

BumbleBee

+ 2'213 additional samples on MalwareBazaar

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee botnet:106r evasion trojan

Link:

https://tria.ge/reports/220601-t3ng6aebck/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Malware Config

C2 Extraction:

144.19.20.11:443
150.27.81.2:443
46.21.153.145:443
109.45.29.202:443
6.30.139.246:443
236.110.58.103:443
36.110.58.103:443
149.255.35.134:443
9.63.15.101:443
45.147.229.50:443
184.23.74.168:443
139.24.56.111:443
243.45.135.100:443
21.246.85.34:443
79.44.167.23:443
30.17.4.146:443
56.134.87.45:443
16.46.4.333:443
224.145.6.33:443

Unpacked files

SH256 hash:

a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e

MD5 hash:

612d454fd024cee33892c3b7e0df89e7

SHA1 hash:

bdf97115951474a45eadf2c54003ef36dd1cf123

Link:

https://www.unpac.me/results/47cac695-9518-42d0-938a-3b40823adc63/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win64_bumbleebee_loader_packed Create hunting rule
Author:	Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276146/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample