Windows
Analysis Report
o7m2se.dll
Overview
General Information
Detection
BumbleBee
Score | 100
---|---
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Yara detected BumbleBee
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contain functionality to detect virtual machines
Searches for specific processes (likely to inject)
C2 URLs / IPs found in malware configuration
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Launches processes in debugging mode, may be used to hinder debugging
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- loaddll64.exe (PID: 6540 cmdline: loaddll64.exe "C:\Users\user\Desktop\o7m2se.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
  - cmd.exe (PID: 6552 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    - rundll32.exe (PID: 6572 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
      - WerFault.exe (PID: 6752 cmdline: C:\Windows\system32\WerFault.exe -u -p 6572 -s 324 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  - rundll32.exe (PID: 6560 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KInMQF MD5: 73C519F050C20580F8A62C849D49215A)
    - WerFault.exe (PID: 6744 cmdline: C:\Windows\system32\WerFault.exe -u -p 6560 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  - rundll32.exe (PID: 6796 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KwNqBn2l9N MD5: 73C519F050C20580F8A62C849D49215A)
    - WerFault.exe (PID: 6880 cmdline: C:\Windows\system32\WerFault.exe -u -p 6796 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  - rundll32.exe (PID: 6960 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,LLBMPMUsqf MD5: 73C519F050C20580F8A62C849D49215A)
  - rundll32.exe (PID: 7064 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KInMQF MD5: 73C519F050C20580F8A62C849D49215A)
    - WerFault.exe (PID: 4448 cmdline: C:\Windows\system32\WerFault.exe -u -p 7064 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  - rundll32.exe (PID: 7072 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KwNqBn2l9N MD5: 73C519F050C20580F8A62C849D49215A)
    - WerFault.exe (PID: 3488 cmdline: C:\Windows\system32\WerFault.exe -u -p 7072 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    - WerFault.exe (PID: 6824 cmdline: C:\Windows\system32\WerFault.exe -u -p 7072 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  - rundll32.exe (PID: 7096 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",LLBMPMUsqf MD5: 73C519F050C20580F8A62C849D49215A)
  - rundll32.exe (PID: 7140 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",SrNF6Da MD5: 73C519F050C20580F8A62C849D49215A)
    - WerFault.exe (PID: 1596 cmdline: C:\Windows\system32\WerFault.exe -u -p 7140 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    - WerFault.exe (PID: 6332 cmdline: C:\Windows\system32\WerFault.exe -u -p 7140 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
- cleanup
{"C2 url": ["146.19.173.184:443", "41.15.71.157:274", "66.9.9.138:154", "36.201.196.202:367", "173.200.61.240:100", "116.241.116.41:410", "242.232.106.206:162", "10.195.46.61:489", "249.112.226.98:243", "130.242.219.205:423", "154.56.0.113:443", "179.5.59.188:228", "217.246.42.10:346", "169.197.227.201:474", "231.228.102.246:186", "185.165.82.120:182", "74.230.15.244:376", "94.88.121.46:403", "120.181.249.142:177", "138.141.158.45:217", "128.79.29.175:298", "104.168.200.192:443", "196.168.84.24:372", "143.27.231.233:335", "133.99.126.202:263", "222.202.140.206:438", "117.172.191.115:471", "158.208.5.127:269", "218.155.13.204:130", "219.110.187.248:435", "209.244.102.105:112", "23.19.58.212:443", "4.177.13.86:289", "204.223.28.129:424", "246.134.183.74:364", "165.132.190.127:368", "89.159.155.176:455", "185.69.113.39:124", "47.26.53.19:195", "41.70.42.112:452", "74.219.241.225:481", "66.15.189.146:122", "28.23.200.103:366", "159.248.192.111:424", "170.88.0.154:120", "79.196.23.192:106", "146.70.106.76:443", "249.57.205.117:166", "62.82.188.190:234", "221.131.148.148:357", "206.245.228.10:133", "51.68.146.186:443", "118.89.112.82:338", "116.205.234.96:247", "205.160.222.15:274", "191.190.49.225:191"], "RC4 Key": "iKInPE9WrB"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
 | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
No Sigma rule has matched
No Snort rule has matched
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Virustotal: | Perma Link |
Source: | Malware Configuration Extractor: |
Source: | Binary string: | ||