MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f98898df74fb2b2fad3a2ea2907086397b36ae496ef3f4454bf6b7125fc103b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: BumbleBee
Vendor detections: 6

SHA256 hash: f98898df74fb2b2fad3a2ea2907086397b36ae496ef3f4454bf6b7125fc103b8
SHA3-384 hash: 1b35883da3c5c9ee56edf6bf556157506901074732ce357ebc7c2e9cc4f8d3a6184100ba99ee3c5ce093e6e522fa4abc
SHA1 hash: a9c8b7c411571700e6ea03e4e48ddb896a33e53e
MD5 hash: f48b2ee9ce1412acd632068b751d1a1b
humanhash: rugby-fillet-massachusetts-eleven
File name: neqw.dll
Signature: BumbleBee
File size: 2'577'920 bytes
First seen: 2022-04-03 14:31:21 UTC
Last seen: 2022-05-12 19:37:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2dd36b0d9aa438043b5c7c7e8350d53a (1 x BumbleBee)
ssdeep: 49152:PWGb+KVNJi17U5Fzf45fBDfBkfY9ljd99aYkemXVML/sow2svs4j9WZSOyNeTulQ:PqKVNa7ch45fRJ9lT977/sow2AsU9WAY
Threatray: 2'034 similar samples on MalwareBazaar
TLSH: T127C512858E360EDCE8780F7828CF3B89099C7727D9604D6F863A045693356AB709BD7D
Reporter: Rony
Tags: BUMBLEBEE dll exe X64

Intelligence

File Origin
Uploads: 3
Downloads: 302
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: mikey
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 92 / 100
Signatures
Contain functionality to detect virtual machines
Multi AV Scanner detection for submitted file
Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph (ID 602062; sample neqw.dll; start date 03/04/2022; architecture WINDOWS; score 92)
Process chain: loaddll64.exe started rundll32.exe, cmd.exe, a second rundll32.exe and 2 other processes; cmd.exe in turn started rundll32.exe.
Network: 192.168.2.1 (unknown); 45.147.229.23, port 443 (local ports 49768, 49769), COMBAHTON combahton GmbH, DE Germany.
Signatures attached to graph nodes: Multi AV Scanner detection for submitted file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Sigma detected: Suspicious Call by Ordinal; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 3 other signatures; Tries to detect sandboxes / dynamic malware analysis system (registry check); System process connects to network (likely due to code injection or exploit).
Threat name: Win64.Backdoor.Parazit
Status: Malicious
First seen: 2022-04-01 09:28:09 UTC
File Type: PE+ (Dll)
AV detection: 21 of 42 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: evasion
Behaviour
Suspicious behavior: EnumeratesProcesses
Checks BIOS information in registry
Identifies Wine through registry keys
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Unpacked files
SHA256 hash: f98898df74fb2b2fad3a2ea2907086397b36ae496ef3f4454bf6b7125fc103b8
MD5 hash: f48b2ee9ce1412acd632068b751d1a1b
SHA1 hash: a9c8b7c411571700e6ea03e4e48ddb896a33e53e
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments