MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9eb997b9af05af641a3708b006e34e6a9a4e7755fca72205cd187110375e7ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9eb997b9af05af641a3708b006e34e6a9a4e7755fca72205cd187110375e7ac
SHA3-384 hash: 31b3250abde3f7067d427550aa7b9a7a0d1ce9953bfd9a515388d90cb81bc448227874f52699a4729b7ec08e9554f41f
SHA1 hash: 6af19eb260bae0f01d13e6d618d93d63eb82d7c5
MD5 hash: 0754f0df91f71d2e36f234c3852b157b
humanhash: apart-orange-hamper-chicken
File name:features.dll
Download: download sample
Signature BumbleBee
Create hunting rule
File size:1'111'040 bytes
First seen:2023-02-14 10:28:59 UTC
Last seen:2023-02-14 12:36:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5eaa46aab0db618bcb9acae699436c9c (1 x BumbleBee)
ssdeep 24576:UxhinDzFYOcJpi16vsYSPN93IlZn3oCwg8LKMYL31IQNV:6iDnYc16vJO9QoC1M2N
Threatray 3'122 similar samples on MalwareBazaar
TLSH T13635F10EE3660A6EE1728A39C8E32113D77D31A2571257AF0144A31B3DB73519FA7B39
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter Rony
Tags:102lg BUMBLEBEE dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
IN IN
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
features.dll
Verdict:
No threats detected
Analysis date:
2023-02-14 10:31:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a675477-172a-437b-8418-11836419d6ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/365601/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65451592.25619.9328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c9eb997b9af05af641a3708b006e34e6a9a4e7755fca72205cd187110375e7ac
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6845584d-7bc7-4d59-9ad5-38fde2b08c1e
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1174334
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 807134 Sample: features.dll.exe Startdate: 14/02/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 5 other signatures 2->48 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        14 rundll32.exe 8->14         started        16 cmd.exe 1 8->16         started        18 3 other processes 8->18 dnsIp5 36 41.11.211.222, 370 VODACOM-ZA South Africa 10->36 38 146.70.29.237, 443, 49734 TENET-1ZA United Kingdom 10->38 40 12 other IPs or domains 10->40 50 System process connects to network (likely due to code injection or exploit) 10->50 52 Sets debug register (to hijack the execution of another thread) 10->52 54 Contain functionality to detect virtual machines 14->54 56 Searches for specific processes (likely to inject) 14->56 20 WerFault.exe 9 14->20         started        23 rundll32.exe 16->23         started        25 WerFault.exe 9 18->25         started        signatures6 process7 file8 30 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->30 dropped 27 WerFault.exe 20 9 23->27         started        32 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->32 dropped process9 file10 34 C:\ProgramData\Microsoft\...\Report.wer, Unicode 27->34 dropped
Detection:
bumblebee
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c9eb997b9af05af641a3708b006e34e6a9a4e7755fca72205cd187110375e7ac/
Threat name:
Win64.Trojan.BumbleBee
Create hunting rule
Status:
Malicious
First seen:
2023-02-11 01:11:31 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhvzs6426bnpmqndocfqa3ru42u2jz3vl7fheic42gdrca3v46wa._file
Verdict:
malicious
Similar samples:
51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656
BumbleBee
9938cd36c4ba702ce2b134f842c69b71cb56e11bb2dcbfd479074cda88403994
BumbleBee
a0ef27df11265b6574151454bd072b2854b26512fa7be152e3ddd316833408c9
BumbleBee
c78290da99475f965ce54f737e0927a9855e03c9a27f2ee7a797562533779305
BumbleBee
ddb9895f9e74d3e7db4e94aa77338fdc221ed29f29857a9752545cddcf8f45a6
BumbleBee
e78686c842f5497fa096978d9c4e7b4bff76cb4f34bba2a9d4fb64d06e554a2f
BumbleBee
+ 3'112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230214-mh8h9sca41/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
c9eb997b9af05af641a3708b006e34e6a9a4e7755fca72205cd187110375e7ac
MD5 hash:
0754f0df91f71d2e36f234c3852b157b
SHA1 hash:
6af19eb260bae0f01d13e6d618d93d63eb82d7c5
Link:
https://www.unpac.me/results/eeff72d8-b789-4850-9ea3-4a4241e417fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9eb997b9af05af641a3708b006e34e6a9a4e7755fca72205cd187110375e7ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/365601/

Comments