MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccde5e528a8da994b3cd96a988023acd16a78a9cea4fe5dc1b41d9a72890a995. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccde5e528a8da994b3cd96a988023acd16a78a9cea4fe5dc1b41d9a72890a995
SHA3-384 hash: 2458b6ae253ba19980871fbf138dfa4706e4528d6f069fc3e558a775528b823339ed06e26bdd49ce0111fd872a8f45ab
SHA1 hash: e71645b6a0d82b0c3a1c7326e07140a8333229b3
MD5 hash: ccd45fd7136d6c54e31d1703164fa855
humanhash: ceiling-eighteen-eight-nuts
File name:download.dll
Download: download sample
Signature BumbleBee
Create hunting rule
File size:1'500'160 bytes
First seen:2022-06-10 19:59:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef82e136b21279e5e60a607f738fdf96 (1 x BumbleBee)
ssdeep 24576:4zML9AWrsduXKKYIRccazwOEe+k8fNLHKZNj2WCoEFj9x:4zM5PrsEXKdwOPP8fN+/j2cEV
Threatray 2'241 similar samples on MalwareBazaar
TLSH T10565B027765FB7A8C45E72F78C1189AF7781E8C0802B945E7C8A67D1F443318AE785E8
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter k3dg3___
Tags:a10 BUMBLEBEE exe Exotic Lily


Avatar
k3dg3
transferXL -> zip -> img -> lnk -> dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
download.dll
Verdict:
No threats detected
Analysis date:
2022-06-10 19:59:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c73e793-ef07-4eee-8113-286c35133a56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BumbleBee
Create hunting rule
Link:
https://www.capesandbox.com/analysis/278764/
Detection(s):
SecuriteInfo.com.VHO.Trojan-Dropper.Win64.BumbleBee.cti.22631.30521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/20527/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/62a3a2c5aaaafce31fad8cc2/reports/5f600068-0c78-483f-918f-6963248f2de6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cb0a349f-1793-42db-9ebb-a6c13bc2a39a
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1011095
Signature
Contain functionality to detect virtual machines
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccde5e528a8da994b3cd96a988023acd16a78a9cea4fe5dc1b41d9a72890a995/
Threat name:
Win64.Trojan.Bumbleloader
Create hunting rule
Status:
Malicious
First seen:
2022-06-10 20:00:25 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
3 of 26 (11.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztpf4uukrwuzjm6ns2uyqar2zulkpcu45jh6lxa3ihm2okeqvgkq._file
Verdict:
malicious
Similar samples:
40a4f84e519d5f19e8dcdd291c0044d0f260cfec720e065bee9644b8ed2e2491
BumbleBee
47fa907c50a09bc2fc41cf50afac4e178f7ce51c9592f18335db53976e87e92e
BumbleBee
538d9548d4b197611a07d436feb27beff04e6cd53fba88b1cfdee626eff89db2
BumbleBee
a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e
BumbleBee
e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf
BumbleBee
ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c
BumbleBee
+ 2'231 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:a10 evasion trojan
Link:
https://tria.ge/reports/220610-yqy6caehhr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Checks BIOS information in registry
Identifies Wine through registry keys
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
BumbleBee
Malware Config
C2 Extraction:
45.153.240.155:443
142.11.196.174:443
54.37.130.166:443
146.70.95.244:443
185.62.57.19:443
45.153.240.139:443
103.144.139.18:443
51.68.147.233:443
185.62.56.128:443
51.83.251.245:443
185.62.56.21:443
154.56.0.236:443
104.168.164.153:443
193.27.14.242:443
146.70.53.183:443
146.19.253.15:443
160.20.147.191:443
79.110.52.236:443
37.72.174.23:443
64.44.135.230:443
103.175.16.108:443
146.70.106.83:443
185.62.56.224:443
103.175.16.106:443
154.56.0.223:443
103.175.16.38:443
104.168.204.123:443
198.98.62.156:443
146.19.173.195:443
154.56.0.219:443
154.56.0.214:443
45.153.240.56:443
45.150.67.154:443
154.56.0.215:443
185.62.57.20:443
146.70.104.229:443
45.142.214.167:443
45.147.231.202:443
193.233.203.243:443
51.68.145.54:443
185.62.57.27:443
Unpacked files
SH256 hash:
ccde5e528a8da994b3cd96a988023acd16a78a9cea4fe5dc1b41d9a72890a995
MD5 hash:
ccd45fd7136d6c54e31d1703164fa855
SHA1 hash:
e71645b6a0d82b0c3a1c7326e07140a8333229b3
Link:
https://www.unpac.me/results/a7384e3f-d14a-405e-87e2-7355a28b1758/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccde5e528a8da994b3cd96a988023acd16a78a9cea4fe5dc1b41d9a72890a995

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win64_bumbleebee_loader_packed
Create hunting rule
Author:Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

bad75b388af8cf51643b97bacb9a4be7fbe4fc65852d995ca1a15cfadc836f44

BumbleBee

Executable exe ccde5e528a8da994b3cd96a988023acd16a78a9cea4fe5dc1b41d9a72890a995

(this sample)

  
Dropped by
SHA256 bad75b388af8cf51643b97bacb9a4be7fbe4fc65852d995ca1a15cfadc836f44
Cape
Cape
https://www.capesandbox.com/analysis/278764/

Comments