Windows
Analysis Report
CryptocommSetup.msi
Overview
General Information
Detection
BumbleBee
Score | Range | Confidence |
---|---|---|
100 | 0 - 100 | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected BumbleBee
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to determine the online IP of the system
Installs Task Scheduler Managed Wrapper
Joe Sandbox ML detected suspicious sample
PE file has a writeable .text section
Queries random domain names (often used to prevent blacklisting and sinkholes)
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Connects to many different domains
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Executes massive DNS lookups (> 100)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Suricata IDS alerts with low severity for network traffic
Tries to resolve many domain names, but no domain seems valid
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AdvancedInstaller
Yara signature match
Classification
- System is w10x64
  - msiexec.exe (PID: 7072 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\CryptocommSetup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 6344 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - ZipItNow.exe (PID: 7212 cmdline: "C:\Users\user\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe" MD5: 534CD01067C81867723338B17697EE32)
  - msiexec.exe (PID: 7416 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\ZipItNow.msi" AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\ApplicationInstallationFolder_11\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741642932 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 7228 cmdline: "rundll32.exe" "C:\Users\user\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.dll",DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
  - msiexec.exe (PID: 7372 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FAA517A9CD690048DEE40A474152A1BA C MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - msiexec.exe (PID: 7460 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 569E9FB090ECBBFABC7E546D9900128B MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 7508 cmdline: rundll32.exe "C:\Windows\Installer\MSI6BDB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3894343 3 RequestSender!RequestSender.CustomActions.Start MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 7636 cmdline: rundll32.exe "C:\Windows\Installer\MSI7386.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3896312 61 RequestSender!RequestSender.CustomActions.CreateScheduledTask MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 8084 cmdline: rundll32.exe "C:\Windows\Installer\MSIC86F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3918015 1940 RequestSender!RequestSender.CustomActions.Finish MD5: 889B99C52A60DD49227C5E485A016679)
  - upd.exe (PID: 7724 cmdline: "C:\Users\user\AppData\Roaming\Zip It Now\upd.exe" MD5: D68A0453311D9645436889D698DFD3BC)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
BumbleBee | This malware is delivered by an ISO file, with a DLL inside with a custom loader. Because of the unique user-agent "bumblebee" this malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed to fetch Cobalt Strike payloads. | | | |
Malware configuration (the list of 300 DGA-generated .click C2 domains is omitted here): {"C2 url": [...], "DGA Seed": 7827833623176771557, "Domain Length": 11, "Domain Count": 300}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_AdvancedInstaller | Yara detected AdvancedInstaller | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security | |
 | Windows_Trojan_Bumblebee_35f50bea | unknown | unknown | |
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security | |
 | Windows_Trojan_Bumblebee_35f50bea | unknown | unknown | |
System Summary |
---|
Source: | Author: frack113 |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-10T22:44:55.340598+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 60810 | 169.150.247.37 | 443 | TCP |
2025-03-10T22:45:19.340417+0100 | 2056726 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 63872 | 194.127.179.88 | 443 | TCP |
2025-03-10T22:44:32.778118+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.6 | 49688 | 138.199.36.11 | 443 | TCP |
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |