MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fed9bc8df9141f8f8f7a9203bc26b5b22123c154702fcd625379f2f7ecd31cb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BumbleBee

Vendor detections: 10

SHA256 hash: fed9bc8df9141f8f8f7a9203bc26b5b22123c154702fcd625379f2f7ecd31cb2
SHA3-384 hash: e6b71543eb9239251ea643f5b022aa920f5ee5b1d8137cb81aaeac5beb44c4c6e896739920373bd5cb80749c50ff5614
SHA1 hash: a13903e50408e11996159fba5f7deab1e73e8f08
MD5 hash: c9216484a6371b055705ec5f4098ab01
humanhash: johnny-wolfram-island-sad
File name: information.dll
Signature: BumbleBee
File size: 2'057'728 bytes
First seen: 2022-06-16 16:11:22 UTC
Last seen: 2022-06-16 16:34:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2dbfb26b6271bc1a04b3433a1c554f18 (1 x BumbleBee)
ssdeep: 49152:G+MhMvcxBbQLsks2EWZs09Xl3ZF9EK99sq+Zy1RDZ5ko4Ebv5g7H11zLG0ZriPkb:G+Yu/ZTjLHS3bmdeQbzWIu78ph13l3bS
TLSH: T1729528DD923656CFEC1767971DC43E950CD2446B8F164EE854BE2208CA363F836A42AF
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter: Rony
Tags: BUMBLEBEE exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 296
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Sending a custom TCP request

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  CPUID_Instruction
  CheckCmdLine
  EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware

Result
Verdict: MALICIOUS
Details:
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: BumbleBee
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature:
  Contain functionality to detect virtual machines
  Multi AV Scanner detection for submitted file
  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
  Searches for specific processes (likely to inject)
  Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Yara detected BumbleBee
Threat name: Win64.Trojan.Bumbleloader
Status: Malicious
First seen: 2022-06-15 13:45:26 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 13 of 26 (50.00%)
Threat level: 5/5

Result
Malware family: bumblebee
Score: 10/10
Tags: family:bumblebee botnet:146l evasion trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Checks BIOS information in registry
  Identifies Wine through registry keys
  Enumerates VirtualBox registry keys
  Identifies VirtualBox via ACPI registry values (likely anti-VM)
  Looks for VirtualBox Guest Additions in registry

BumbleBee
Malware Config
C2 Extraction:
  242.165.212.79:339
  162.144.249.150:239
  63.122.120.151:268
  144.52.138.51:193
  18.215.29.142:436
  115.239.67.202:380
  255.11.235.99:426
  213.203.201.199:307
  143.117.20.123:425
  141.98.168.70:443
  174.150.214.40:426
  133.133.249.24:204
  126.68.7.249:422
  103.175.16.107:443
  146.70.124.77:443
  154.56.0.100:443
  180.184.129.160:223
  28.78.74.145:427
  108.28.254.44:399
  115.103.22.1:153
  149.57.112.159:122
  229.139.73.188:287
  112.110.146.153:349
  249.222.51.70:286
  180.23.251.29:230
  244.234.60.83:386
  79.133.212.60:211
  192.21.12.118:231
  31.215.170.180:431
  140.208.107.161:360
  119.177.224.146:124
  58.10.55.201:382
  57.156.134.113:446
  83.142.26.147:465
  194.135.33.16:443
  35.17.203.69:268
  104.135.8.250:417
  210.251.188.194:228
  53.96.32.99:333
  70.77.209.88:224
  65.254.82.66:498
  65.95.20.151:232
  165.158.204.41:469
  185.62.58.209:443
  102.109.16.255:445
  137.253.55.69:235

Unpacked files
SHA256 hash: fed9bc8df9141f8f8f7a9203bc26b5b22123c154702fcd625379f2f7ecd31cb2
MD5 hash: c9216484a6371b055705ec5f4098ab01
SHA1 hash: a13903e50408e11996159fba5f7deab1e73e8f08
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BumbleBeeLoader
Author: enzo & kevoreilly
Description: BumbleBee Loader

Rule name: crime_win64_bumbleebee_loader_packed
Author: Rony (@r0ny_123)

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BumbleBee
Executable exe fed9bc8df9141f8f8f7a9203bc26b5b22123c154702fcd625379f2f7ecd31cb2 (this sample)

Comments