MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb
SHA3-384 hash:	9002d83ebcdfb06f5dc96d91cdd29fbbc598988628186770f65eb1e5b6e72846d579e5c0e7422bc49b396ef6868f96c5
SHA1 hash:	4ea1f1d8a01f251fa5db350f72b04a1d11028fb0
MD5 hash:	8e7115ea580f39c152e4d4bc4472c402
humanhash:	earth-high-black-carbon
File name:	mount.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	3'846'656 bytes
First seen:	2022-04-22 19:12:16 UTC
Last seen:	2022-04-22 19:39:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a5d156f0c03955fd5c90a10345646746 (3 x BumbleBee)
ssdeep	98304:XZo5q0spyUTJkqVnIY0z7ceiVNhPvpx3:XZwqlp51krrz4vp
Threatray	2'063 similar samples on MalwareBazaar
TLSH	T1DD066CF69CC8A15BBC54ECCDF736C570409BAD09F9DFC80789A4162B5888139E79F688
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	Rony
Tags:	BUMBLEBEE dll exe X64

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/265926/

Detection(s):

SecuriteInfo.com.Variant.Lazy.171724.22496.13014.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

khalesi

Link:

https://www.filescan.io/uploads/6262fe3f14dc6ebc1c83a445/reports/95cb751f-e07b-47fd-8d77-bc9834e6f45d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/9ecd2898-efb5-4f97-8734-08711cd7399f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/981645

Signature

Contain functionality to detect virtual machines

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

Sigma detected: Suspicious Call by Ordinal

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb/

Threat name:

Win64.Trojan.Khalesi

Status:

Malicious

First seen:

2022-04-22 13:17:46 UTC

File Type:

PE+ (Dll)

AV detection:

14 of 42 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yzofd3la7enje6e4jmcwqippkessxkrkcz42muj2waekz4cgjtfq._file

Verdict:

malicious

BumbleBee

2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291

BumbleBee

596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199

BumbleBee

b7087d25fb4bbe998f0eafc49d58bb04dc9c50d3b9ca55c1e52d2ba8dd1b9fbc

BumbleBee

d17d26fe698a00cf23683e5df58679d6d1bf18866de4b87edb62a2bc64cb22bc

BumbleBee

d19fdf53603310203c8bc83e1d27e14b60cac0a65932fe3824dedca50ff5c0a9

BumbleBee

e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0

BumbleBee

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f

BumbleBee

+ 2'053 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion

Link:

https://tria.ge/reports/220422-xw2yrabegr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Unpacked files

SH256 hash:

c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb

MD5 hash:

8e7115ea580f39c152e4d4bc4472c402

SHA1 hash:

4ea1f1d8a01f251fa5db350f72b04a1d11028fb0

Link:

https://www.unpac.me/results/668d81c3-4091-4682-b6c7-ff1fc92e68e9/

Malware family:

BumbleBee

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c65c51ed60f9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

Rule name:	sig_6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b Create hunting rule
Author:	Ian Harte
Description:	CS Payload CVE-2021-40444
Reference:	https://github.com/Neo23x0/yarGen