MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee
Vendor detections: 11

SHA256 hash: b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8
SHA3-384 hash: 632a85b379aa266ce465038cfff52ce915eadfad0c7de2195e74bd41dd817e06ffedd7ca80f6bc8370f02c067a68e222
SHA1 hash: c3f5bd1aca61bd086f1aea3e4b86419a836888ce
MD5 hash: e63911bf851f892bab6d3933349a987e
humanhash: monkey-nuts-sink-cola
File name: e63911bf851f892bab6d3933349a987e.msi
Signature: BumbleBee
File size: 4'881'408 bytes
First seen: 2024-12-04 08:55:01 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:37Vh102T9dhkuqES58NtvUoBV0Sccd2b5+pnQ2fP1r8+/J4OV7AEqj7D4Uv6ZCOX:37VTVkufFN0ScaruSmHR9vaXZTUa3vg
Threatray: 5 similar samples on MalwareBazaar
TLSH: T18E36CF2233EAC036E27F0676B93EDD665539BD360B61C0DB66D8392D18B0DC256B1723
TrID: 65.3% (.MSI) Microsoft Windows Installer (454500/1/170)
      16.2% (.MSM) Windows Installer Merge Module (113019/2/34)
      8.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      6.3% (.MSP) Windows Installer Patch (44509/10/5)
      2.0% (.DB) Windows thumbnail Data Base (14519/2/1)
Magika: msi
Reporter: abuse_ch
Tags: BUMBLEBEE msi

Intelligence

File Origin
# of uploads: 1
# of downloads: 106
Origin country: NL

Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: autorun gumen

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: cmd fingerprint lolbin msiexec obfuscated packed remote runonce

Result
Threat name: n/a
Detection: suspicious
Classification: n/a
Score: 28 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph (ID 1568089, sample 7CbMUbcAJM.msi, start date 04/12/2024, architecture WINDOWS, score 28): the graph shows a chain of msiexec.exe processes dropping MSI*.tmp PE32 files under C:\Windows\Installer\ and C:\Users\user\AppData\Local\, launching a dropped "AnyConnect Installer.exe", creating autostart registry keys, and contacting several .live domains over port 443 that triggered Suricata IDS alerts.
Result
Malware family: bumblebee
Score: 10/10
Tags: family:bumblebee botnet:1 discovery loader persistence privilege_escalation
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Blocklisted process makes network request
Enumerates connected drives
Looks up external IP address via web service
BumbleBee
Bumblebee family
Verdict: Suspicious
Tags: n/a
YARA: n/a

Malware family: BumbleBee
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_LATAM_MSI_Banker

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for Suspicious String and Import combination that Ransomware mostly abuse (can create FP)

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: BumbleBee
File type: Microsoft Software Installer (MSI) msi
SHA256 hash: b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8 (this sample)

Delivery method: Distributed via web download
