MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf
SHA3-384 hash:	59b7b985d7539fb58088c4219e07d9fdf6df4c5fbf6eb15837fdb82d2ac0d97ef7a54ceeed20668db13eb3a1ab28ab5e
SHA1 hash:	1442fdec502b7c73c233dfd84bfcd2634731a551
MD5 hash:	d600d4444917bd5c85343ac1eb968cc6
humanhash:	oregon-september-march-four
File name:	lipre.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'584'128 bytes
First seen:	2022-06-01 13:16:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	15bba266c2637d472ba4f6412cc30f5b (3 x BumbleBee)
ssdeep	24576:5w0WmAVaK6OttQZ81RYBdEaCzWpOEQqUEtFxznRH706DJVH:51Vfu9RPfWrQqUGxLRb0MJ
Threatray	2'223 similar samples on MalwareBazaar
TLSH	T19175F1C3F7897A9BF80AAC3D49439AD6D091ECB727A180089F73526D0625E1C5F36F58
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	boi_cyber
Tags:	BUMBLEBEE dll exe

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

lipre.dll

Verdict:

No threats detected

Analysis date:

2022-06-01 17:56:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c7304e5f-4365-4d50-8d19-fcf47b45ec52

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276085/

Detection(s):

SecuriteInfo.com.UDS.Trojan-Dropper.Win64.BumbleBee.4404.19264.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/07d9ffc3-3a9c-4fd5-b89c-e0a7c941e71c

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1005195

Signature

Contain functionality to detect virtual machines

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf/

Threat name:

Win64.Trojan.Bumbleloader

Status:

Malicious

First seen:

2022-06-01 13:17:13 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5g4xjwf66o522bhlod4e6iiczi47v3rarlvgdd5mozzq67k5ow7q._file

Verdict:

malicious

BumbleBee

2229a110ce64fed2119603f6cbc6a20a62e518f9153eebd9760210cdd48a1a5a

BumbleBee

98ce00be3d133849c7b74497e8f681235863069df7bbbba55189196ee8037beb

BumbleBee

a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e

BumbleBee

e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf

BumbleBee

ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c

BumbleBee

+ 2'213 additional samples on MalwareBazaar

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee botnet:106r evasion trojan

Link:

https://tria.ge/reports/220601-qjet5aghc9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Malware Config

C2 Extraction:

144.19.20.11:443
150.27.81.2:443
46.21.153.145:443
109.45.29.202:443
6.30.139.246:443
236.110.58.103:443
36.110.58.103:443
149.255.35.134:443
9.63.15.101:443
45.147.229.50:443
184.23.74.168:443
139.24.56.111:443
243.45.135.100:443
21.246.85.34:443
79.44.167.23:443
30.17.4.146:443
56.134.87.45:443
16.46.4.333:443
224.145.6.33:443

Unpacked files

SH256 hash:

e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf

MD5 hash:

d600d4444917bd5c85343ac1eb968cc6

SHA1 hash:

1442fdec502b7c73c233dfd84bfcd2634731a551

Link:

https://www.unpac.me/results/c93d7cc5-20a5-4f5e-8d11-5378b4eb3932/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win64_bumbleebee_loader_packed Create hunting rule
Author:	Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276085/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample