MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e78686c842f5497fa096978d9c4e7b4bff76cb4f34bba2a9d4fb64d06e554a2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	e78686c842f5497fa096978d9c4e7b4bff76cb4f34bba2a9d4fb64d06e554a2f
SHA3-384 hash:	5688932abf63b1eb68a349002f3c04c0bc153ad59ee307a5876692013a17e6454de073958690bee22abf3fbd095bb399
SHA1 hash:	34886f40b8d6dc97c8892ce2fc2afc367d283439
MD5 hash:	7e869bf508f17734a0d41373f4d84bc2
humanhash:	pennsylvania-solar-michigan-sierra
File name:	2510c_cr29.exe
Download:	download sample
Signature	BumbleBee Alert Create hunting rule
File size:	2'798'080 bytes
First seen:	2022-11-07 09:49:44 UTC
Last seen:	2022-11-07 11:48:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	511b2520202d432daab4ac71b9f3305a (2 x BumbleBee)
ssdeep	49152:/lP4yUfaW/LjawSoLABLbudAHfMOU++kH/:9WfamLXCbuikOU+d/
Threatray	2'483 similar samples on MalwareBazaar
TLSH	T1CCD5F10AFDD86FA8C669BB7F516A9295913B5C8A0B03CB073695C33F78029015FA771C
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	f0wlsec
Tags:	BUMBLEBEE exe zipExec

f0wlsec

Parent sample is packed with zipExec, this is the unpacked sample

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

187

Origin country :

DE

Vendor Threat Intelligence

ANY.RUN

Malware family:

n/a

ID:

1

File name:

2510c_cr29.exe

Verdict:

No threats detected

Analysis date:

2022-11-07 09:50:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/84850dd1-aa8f-4e64-8bd8-0b1f11a81907

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox BumbleBee

Detection:

BumbleBee

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/329785/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Lazy.258146.13236.12497.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Detecting VM

Using the Windows Management Instrumentation requests

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6368d4cbd8b92f0ee64c6e47/reports/4f6c2b5b-aa82-4b5e-8f38-a61052454505/overview

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Ramnit

Malware family:

Ramnit

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/64d60cfc-3ae2-4cbc-be3b-e9f2068a0aeb

Joe Sandbox BumbleBee

Result

Threat name:

BumbleBee

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1107109

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

Sets debug register (to hijack the execution of another thread)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e78686c842f5497fa096978d9c4e7b4bff76cb4f34bba2a9d4fb64d06e554a2f/

ReversingLabs TitaniumCloud Win64.Downloader.BumbleBee

Threat name:

Win64.Downloader.BumbleBee

Alert

Create hunting rule

Status:

Malicious

First seen:

2022-11-07 09:50:09 UTC

File Type:

PE+ (Exe)

Extracted files:

1

AV detection:

11 of 41 (26.83%)

Threat level:

  3/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=46dinscc6vex7iews6gzytt3jp7xns2pgs52fkou7nsna3svjixq._file

Threatray malicious

Verdict:

malicious

Similar samples:

7e7ca9fef0083b88e55d517ada57c8a51018000e601d6043815558445277f913

BumbleBee

8e35ce0c3fcdc14d4e441812c7856bdf6428734d8cea0b6d7c075963a5b4b307

BumbleBee

9938cd36c4ba702ce2b134f842c69b71cb56e11bb2dcbfd479074cda88403994

BumbleBee

a0ef27df11265b6574151454bd072b2854b26512fa7be152e3ddd316833408c9

BumbleBee

c78290da99475f965ce54f737e0927a9855e03c9a27f2ee7a797562533779305

BumbleBee

ddb9895f9e74d3e7db4e94aa77338fdc221ed29f29857a9752545cddcf8f45a6

BumbleBee

+ 2'473 additional samples on MalwareBazaar

Hatching Triage bumblebee

Result

Malware family:

bumblebee

Alert

Create hunting rule

Score:

  10/10

Tags:

family:bumblebee botnet:2510 evasion trojan

Link:

https://tria.ge/reports/221107-ltxepsadd5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtCreateThreadExHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Malware Config

C2 Extraction:

69.46.15.158:443
135.125.241.35:443
172.86.120.141:443

Threat.Zone Malicious

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d2cc55b0-f9c8-4c6e-b4d8-0ec8917bfd72

UnpacMe

Unpacked files

SH256 hash:

e78686c842f5497fa096978d9c4e7b4bff76cb4f34bba2a9d4fb64d06e554a2f

MD5 hash:

7e869bf508f17734a0d41373f4d84bc2

SHA1 hash:

34886f40b8d6dc97c8892ce2fc2afc367d283439

Link:

https://www.unpac.me/results/1157a1ad-f649-498b-b8b9-d626ba02d1db/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e78686c842f5497fa096978d9c4e7b4bff76cb4f34bba2a9d4fb64d06e554a2f

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

BumbleBee

iso e81f4b65fb98623c6be24865728e0e894403738cd4413d372da32fcfe3c6a1f5

BumbleBee

exe e78686c842f5497fa096978d9c4e7b4bff76cb4f34bba2a9d4fb64d06e554a2f

(this sample)

  

X

https://twitter.com/f0wlsec/status/1589547994420219906

  

Dropped by

MD5 2d10e35ba9ba3cba78d59a276708efae

  

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/329785/

  

Dropped by

SHA256 e81f4b65fb98623c6be24865728e0e894403738cd4413d372da32fcfe3c6a1f5