MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5e8a24a628b99b2172fee5d53f003ff097739dc5c23b4374d328d72f45813cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5e8a24a628b99b2172fee5d53f003ff097739dc5c23b4374d328d72f45813cd
SHA3-384 hash: 223a9b34359fa42f91d2c4e128b1fa85658a7f807384192f67fc3f989f04a0245a30fd7863aa75d01fabf25e4a89ad46
SHA1 hash: 84bbd8096165d191e2adb6b8175722ef30ea18c6
MD5 hash: 281007bcec06bd1df65eb965ea407018
humanhash: coffee-steak-island-west
File name:4b2ca1.msi
Download: download sample
Signature BumbleBee
Create hunting rule
File size:1'941'504 bytes
First seen:2025-04-16 22:51:53 UTC
Last seen:2025-04-17 11:09:38 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:MJR+HgJ9sOkg75MC68AUJk3HOUjdP1JNGSwsF:MJR+AJLkgVMC+OUjx1JHws
Threatray 24 similar samples on MalwareBazaar
TLSH T11C9533B331546176E74F6172316AEA8DAF18FEBA0DDB50436E38333E04B80565637C9A
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter g0njxa
Tags:BUMBLEBEE LLC Alliance msi signed

Code Signing Certificate

Organisation:LLC Alliance
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-03-24T13:34:02Z
Valid to:2026-03-25T13:34:02Z
Serial number: 39111d565c62321e447f9b5e
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: a52d4fb335c95b6f0aa4019c3f135519f71141b34a9b158d1a0c083d72f86515
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
85
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2541/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680036f3280f5f89a0cfe7fa
Tags:
spawn virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer invalid-signature signed
Link:
https://www.filescan.io/uploads/6800349590767142c3d80045/reports/b3e6e730-4fff-4681-a611-03dd8ea0b29e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e5e8a24a628b99b2172fee5d53f003ff097739dc5c23b4374d328d72f45813cd
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e5e8a24a628b99b2172fee5d53f003ff097739dc5c23b4374d328d72f45813cd
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1666828
Signature
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to determine the online IP of the system
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries random domain names (often used to prevent blacklisting and sinkholes)
Searches for specific processes (likely to inject)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/e5e8a24a628b99b2172fee5d53f003ff097739dc5c23b4374d328d72f45813cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5e8a24a628b99b2172fee5d53f003ff097739dc5c23b4374d328d72f45813cd/
Threat name:
Win64.Trojan.Bumbleloader
Create hunting rule
Status:
Suspicious
First seen:
2025-04-16 22:52:11 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4xukestcrom3efzp5zovh4ad74exooo4lqr3in2ngkgxf5cycpgq._file
Verdict:
malicious
Label(s):
bumblebee
Create hunting rule
Similar samples:
0ab5b3e9790aa8ada1bbadd5d22908b5ba7b9f078e8f5b4e8fcc27cc0011cce7
BumbleBee
39f609e59d6bbb9e705ae430de6eb6e92cee2e722d74f4369cc6ff7c601809a7
BumbleBee
41e0c02901f4ad04874574d3020eecc8b9d74c14840db1b10c18484de4713105
BumbleBee
65e4da53beeeef0e8b00ec86fda5e63b653005b3d2e22183053f2cc220532f03
BumbleBee
9e07d09f1457297a9a229def9771f6badaa8798751b22611dd915327069fa831
BumbleBee
error
BumbleBee
f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c
BumbleBee
+ 14 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:err2 loader persistence privilege_escalation
Link:
https://tria.ge/reports/250416-2tesnawya1/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
BumbleBee
Bumblebee family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b10d5934-ad50-47b3-8b35-8c426df42c1d
Malware family:
BumbleBee
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5e8a24a628b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5e8a24a628b99b2172fee5d53f003ff097739dc5c23b4374d328d72f45813cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/2541/

Comments