MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9
SHA3-384 hash: 5edc65f830671be9e45a55bd28ad0bf2f6e220abe43792807289869215fdd1ab2fa4692ad73b822837a869d5269d988c
SHA1 hash: 8527e1ab0068df818d5bc991bca0e12c442912c1
MD5 hash: c962d866683ba35349a00a70e9c759b4
humanhash: johnny-yankee-freddie-freddie
File name:Midjourney.msi
Download: download sample
Signature BumbleBee
Create hunting rule
File size:2'694'144 bytes
First seen:2024-10-03 09:19:25 UTC
Last seen:2024-10-04 06:59:27 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:qrE0kuqES58NtvUBJrM6WZrws4neyy/MikYHBoHOUGx:MkufFh6W5wvneyyUPgBi
Threatray 291 similar samples on MalwareBazaar
TLSH T1C1C5E027B39BC222D26D027BF529FE0E193DBE67077041E776E4394E6870CC16679A12
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter NDA0E
Tags:193-242-145-138 BUMBLEBEE msi

Intelligence

File Origin
# of uploads :
3
# of downloads :
116
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fe62c40fdf88870979cdef
Tags:
Shellcode Backdoor Exploit
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint lolbin remote shell32 wix
Link:
https://www.filescan.io/uploads/66fe61c6161fc470c717b9ef/reports/7db627d2-e6f3-4141-9375-6d92cfe6439a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1524880
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph:
Download SVG
Score:
26%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9/
Threat name:
Win64.Trojan.BumbleBee
Create hunting rule
Status:
Malicious
First seen:
2024-10-03 07:04:48 UTC
File Type:
Binary (Archive)
Extracted files:
43
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yjrujp6qpodr3wpwxv6hcj2sc3qyxytf5epf2caagshividfip4q._file
Verdict:
malicious
Label(s):
bumblebee
Create hunting rule
Similar samples:
106c81f547cfe8332110520c968062004ca58bcfd2dbb0accd51616dd694721f
BumbleBee
aca54f9f5398342566e02470854aff48c53659be0c0cb83d3ce1fd05430375f8
BumbleBee
c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9
BumbleBee
e8a5b808ec57fa33d43f8ca7cc74a7c7e00166dc9307fe1e82fc1e099f0cf5e6
BumbleBee
e9cd2429628e3955dd1f7c714fbaa3e3b85bfaac0bc31582cf9c5232cb8fc352
BumbleBee
ef3673c6ad613b1b14d2f7e72c43977008534d8e085aafe22a7c8cfcb3b83b6c
BumbleBee
error
BumbleBee
+ 281 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:msi discovery evasion loader persistence privilege_escalation
Link:
https://tria.ge/reports/241003-larp4syhmb/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Looks up external IP address via web service
Checks BIOS information in registry
Identifies Wine through registry keys
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
BumbleBee
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/648c627d-bee4-4db1-ba82-734662662650
Malware family:
BumbleBee
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c26344bfd07b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BumbleBee

Microsoft Software Installer (MSI) msi c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3206552/
  
Delivery method
Distributed via web download

Comments