MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c
SHA3-384 hash:	1315c98c7323401b29de63beb320c23c05a5f22123f6d1c9434e44a03e25684d9aa5263d1820c5e8ca39211d46b615ab
SHA1 hash:	6fd356179d20cd6e6c47ab473a572ee8c3151aac
MD5 hash:	4fe37d388aa99f118ea4d4823f5618a7
humanhash:	quiet-bravo-quiet-london
File name:	lipre.dll
Download:	download sample
Signature	BumbleBee Create hunting rule
File size:	1'584'128 bytes
First seen:	2022-06-01 13:38:35 UTC
Last seen:	2022-06-01 14:43:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	15bba266c2637d472ba4f6412cc30f5b (3 x BumbleBee)
ssdeep	24576:hm92dycudCMdjbztvNJsfxYNtc7PT1JeHo6TiSxz5p415DRCLZlcTXtB:wIAcZM5bzJFNtcLTcXZ5p4xkAT9B
Threatray	2'223 similar samples on MalwareBazaar
TLSH	T1AF75F183B6D87D8FF802DC7E4E43E2D8D0E0BDA65B55C6180B7247B61A2650C4E36F99
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	pr0xylife
Tags:	BUMBLEBEE exe

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

lipre.dll

Verdict:

No threats detected

Analysis date:

2022-06-01 13:41:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ab84a6d2-465c-4f50-a90f-f538fb761a85

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276118/

Detection(s):

SecuriteInfo.com.VHO.Trojan-Dropper.Win64.BumbleBee.bmn.28629.12703.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a33e77c3-899b-43fb-84ec-49c52cfb92fa

Result

Threat name:

BumbleBee

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1005087

Signature

Contain functionality to detect virtual machines

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Searches for specific processes (likely to inject)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BumbleBee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c/

Threat name:

Win64.Trojan.BumbleBee

Status:

Malicious

First seen:

2022-06-01 13:39:23 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jjmraiarzcy3lxfk4gahoexe2qlhjssyjvd5rrqalecxjdb4sga._file

Verdict:

malicious

BumbleBee

2229a110ce64fed2119603f6cbc6a20a62e518f9153eebd9760210cdd48a1a5a

BumbleBee

98ce00be3d133849c7b74497e8f681235863069df7bbbba55189196ee8037beb

BumbleBee

a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e

BumbleBee

e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf

BumbleBee

ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c

BumbleBee

+ 2'213 additional samples on MalwareBazaar

Result

Malware family:

bumblebee

Score:

10/10

Tags:

family:bumblebee botnet:106r evasion trojan

Link:

https://tria.ge/reports/220601-qxyjdscefq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Checks BIOS information in registry

Identifies Wine through registry keys

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

BumbleBee

Malware Config

C2 Extraction:

144.19.20.11:443
150.27.81.2:443
46.21.153.145:443
109.45.29.202:443
6.30.139.246:443
236.110.58.103:443
36.110.58.103:443
149.255.35.134:443
9.63.15.101:443
45.147.229.50:443
184.23.74.168:443
139.24.56.111:443
243.45.135.100:443
21.246.85.34:443
79.44.167.23:443
30.17.4.146:443
56.134.87.45:443
16.46.4.333:443
224.145.6.33:443

Unpacked files

SH256 hash:

ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c

MD5 hash:

4fe37d388aa99f118ea4d4823f5618a7

SHA1 hash:

6fd356179d20cd6e6c47ab473a572ee8c3151aac

Link:

https://www.unpac.me/results/11ae6f4a-7328-40ba-b1e2-dd99ad765b31/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win64_bumbleebee_loader_packed Create hunting rule
Author:	Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276118/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample