MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b721c0639b89437de7bedaba753502d04acdebaa4f80f96f7b0c32289854d9c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	b721c0639b89437de7bedaba753502d04acdebaa4f80f96f7b0c32289854d9c2
SHA3-384 hash:	533826ab65bd63cc292d8962f39d10ac414248c81d511c4ffaa2c43cd3df9047b639086cfc12e14d1c54de3e8e621230
SHA1 hash:	ee527e5bd777b200199039f06a38fde6e74ae1da
MD5 hash:	302a1af6b3c050783ffe33cdf321627b
humanhash:	bluebird-papa-november-robert
File name:	astra.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'082'880 bytes
First seen:	2022-05-12 03:34:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1c7b6c7274dd9098212ba0c39c34e95b (1 x BumbleBee)
ssdeep	12288:diA7AudUwpc4ia1+vM5Yv1vZ/1ySKbpZV9P3ELifhF9SCIiT2:diA7djy0AjYt1lTfhF8iT2
Threatray	2'171 similar samples on MalwareBazaar
TLSH	T18C35C077F7A56B44AC0198F6CB0EC3A3E886F29D0F015291E5ECCF75B2248678A5D252
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	Rony
Tags:	BUMBLEBEE dll exe

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

n/a

Vendor Threat Intelligence

Detection:

BumbleBee

Link:

https://www.capesandbox.com/analysis/269804/

Result

Verdict:

Clean

Maliciousness:

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/17212/overview

Behaviour

MalwareBazaar

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/627c806a89dc6403e77677e9/reports/d27dabef-afd9-4efa-bd9a-6010d2cbc66b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/54d71ba2-5dc1-4b11-8eaf-e56e9b116a4e

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/992333

Signature

Antivirus / Scanner detection for submitted sample

Contain functionality to detect virtual machines

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b721c0639b89437de7bedaba753502d04acdebaa4f80f96f7b0c32289854d9c2/

Threat name:

Win64.Dropper.BumbleBee

Status:

Malicious

First seen:

2022-05-12 03:35:06 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w4q4ay43rfbx3z563k5hknic2bfm325kj6aps333bqzcrgcu3hba._file

Verdict:

malicious

BumbleBee

2457a1b0008c7059b5d58fffadad4e71f8332e9c09ac55f34b0a078363c29c87

BumbleBee

25ccf19af5dac51ec76ce6da1d2958d5dee34e50e78938b187b627f8771317d1

BumbleBee

281a1cfaebf968012e9596721d14b1bd6429744617e73f96558cb68bcc0db8f8

BumbleBee

4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe

BumbleBee

596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199

BumbleBee

c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb

BumbleBee

d19fdf53603310203c8bc83e1d27e14b60cac0a65932fe3824dedca50ff5c0a9

BumbleBee

e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0

BumbleBee

+ 2'161 additional samples on MalwareBazaar

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee evasion trojan

Link:

https://tria.ge/reports/220512-d5by5scfep/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Unpacked files

SH256 hash:

b721c0639b89437de7bedaba753502d04acdebaa4f80f96f7b0c32289854d9c2

MD5 hash:

302a1af6b3c050783ffe33cdf321627b

SHA1 hash:

ee527e5bd777b200199039f06a38fde6e74ae1da

Link:

https://www.unpac.me/results/06a3d7ff-99f0-482e-b8f2-767d53914952/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/b721c0639b89437de7bedaba753502d04acdebaa4f80f96f7b0c32289854d9c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win64_bumbleebee_loader_packed Create hunting rule
Author:	Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/269804/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample