MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35
SHA3-384 hash: 80191639839858a43192cc8342a0243b275fa23cf67b942bfe5ec29ef864517f831e71ef048f7ef7f9593406b96e29e4
SHA1 hash: 882f4680d6059e9165665436c413f4b6baeaa1a4
MD5 hash: 1e222a0471fa55766e2026ab33232c74
humanhash: mobile-bakerloo-juliet-don
File name:Wireless_Network_Watcher.msi
Download: download sample
Signature BumbleBee
Create hunting rule
File size:2'445'312 bytes
First seen:2025-05-29 00:30:07 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:AJrROW2qZ+HfUc1Nj9Ch0Am1FjnATpdL82Hn6ve:AJrROWf+HfUi9Am6m2Hn6v
Threatray 47 similar samples on MalwareBazaar
TLSH T1E7B5337129330596F073523D29520231A73BFCF4952B9231E9A3FFECA836709A4EE595
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter 1ZRR4H
Tags:BUMBLEBEE msi signed

Code Signing Certificate

Organisation:LLC Vector
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-05-16T13:15:54Z
Valid to:2026-05-17T13:15:54Z
Serial number: 21cb6632dcf06d4f01cea430
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: ad238adf58fea2741df0b51ebaaad91a799cd3b49c8ddd8e2116306804d3c326
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6121/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6837ac99668438e362e7e5a6
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer signed
Link:
https://www.filescan.io/uploads/6837aaafe336a33801dfd308/reports/d579bd7f-46f5-4272-bbe0-cd0a2ec16fd0/overview
Verdict:
Suspicious
Labled as:
Trojan.MSI.Agent
Link:
https://www.hybrid-analysis.com/sample/bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1701185
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35
Threat name:
Win32.Trojan.Bumblebee
Create hunting rule
Status:
Malicious
First seen:
2025-05-29 00:30:41 UTC
File Type:
Binary (Archive)
Extracted files:
58
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvfb2eiomvuxmibhfksxh3kojhvzyi3m4s4qua43zxs2t4rczm2q._file
Verdict:
malicious
Label(s):
bumblebee
Create hunting rule
admintool_bulletpassview
Create hunting rule
Similar samples:
02197c23af1f99c3fa41d52f7f925e47ae5bfb5e604314d19382b1bb7112463f
BumbleBee
5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1
BumbleBee
8f424f4d327cb1032a0d6679d6d42ac44614131ecabd544244d03808c8b32e30
BumbleBee
a67bae3dd73789e892b5114a157d992424d367aae11c5fbaa80be639d6dec798
BumbleBee
bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35
BumbleBee
error
BumbleBee
+ 37 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:grp0005 loader persistence privilege_escalation
Link:
https://tria.ge/reports/250529-atrzfadp5v/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Detected Nirsoft tools
BumbleBee
Bumblebee family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c93510c0-925c-4191-8165-dd75028e8a90
Malware family:
BumbleBee
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd4a1d110e65/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd4a1d110e65697620272aa573ed4e49eb9c236ce4b90a039bcde5a9f222cb35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/6121/

Comments