MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a54302b0bf056c65deb759122f71e757b11155d82e648f9e206dab91aab44bd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a54302b0bf056c65deb759122f71e757b11155d82e648f9e206dab91aab44bd4
SHA3-384 hash: 008dfddafce211bff9a206f2321c7840a130b7148be07894d3a0218922d60ef96294ef68a43ccabefaca8433870be64e
SHA1 hash: f449e79493fcf15dc870466e2ea639d2cbcd8e14
MD5 hash: 39fb644929c57fb75aace407f429cb12
humanhash: uniform-social-lamp-winner
File name:svchost.dll
Download: download sample
Signature BumbleBee
Create hunting rule
File size:2'775'552 bytes
First seen:2022-04-27 09:42:57 UTC
Last seen:2022-04-27 10:55:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c85cc919aa73be02e9d5d942c58302e (7 x BumbleBee)
ssdeep 49152:K61vkm5V04xOerjOXpe6ZZ1S71F1Q6pn2OL4wC548J3Y5kU:K6Nkm5V04xOerjOXpe2Z1S71UgLq5JJ
Threatray 2'068 similar samples on MalwareBazaar
TLSH T10CD5F1060A180597E67C1FE828DB3E4D41147717DC686D0E5EB7A4EC1BBEEE7382291E
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter JoulK
Tags:BUMBLEBEE dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/267199/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Convagent.4c.19715.26664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dcea3b1d-cd2d-4128-9bcf-51bf1b7bde31
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/983958
Signature
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Found stalling execution ending in API Sleep call
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a54302b0bf056c65deb759122f71e757b11155d82e648f9e206dab91aab44bd4/
Threat name:
Win64.Trojan.Khalesi
Create hunting rule
Status:
Malicious
First seen:
2022-04-27 09:09:57 UTC
File Type:
PE+ (Dll)
AV detection:
17 of 42 (40.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvbqfmf7avwglxvxlejc64phk6yrcvoyfzsi7hranwvzdkvujpka._file
Verdict:
malicious
Similar samples:
0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8
BumbleBee
2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291
BumbleBee
596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199
BumbleBee
b7087d25fb4bbe998f0eafc49d58bb04dc9c50d3b9ca55c1e52d2ba8dd1b9fbc
BumbleBee
c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb
BumbleBee
d17d26fe698a00cf23683e5df58679d6d1bf18866de4b87edb62a2bc64cb22bc
BumbleBee
d19fdf53603310203c8bc83e1d27e14b60cac0a65932fe3824dedca50ff5c0a9
BumbleBee
e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0
BumbleBee
edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
BumbleBee
+ 2'058 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/220427-lpw85sbac4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Checks BIOS information in registry
Identifies Wine through registry keys
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
a54302b0bf056c65deb759122f71e757b11155d82e648f9e206dab91aab44bd4
MD5 hash:
39fb644929c57fb75aace407f429cb12
SHA1 hash:
f449e79493fcf15dc870466e2ea639d2cbcd8e14
Link:
https://www.unpac.me/results/8d5cfb37-b41f-48c5-8d88-10e69505e978/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a54302b0bf05/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a54302b0bf056c65deb759122f71e757b11155d82e648f9e206dab91aab44bd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win64_bumbleebee_loader_packed
Create hunting rule
Author:Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/267199/

Comments