{
	"id": "2d1d9aa5-c4ee-49b0-9cbb-e484ff95b638",
	"created_at": "2026-04-06T00:17:23.235981Z",
	"updated_at": "2026-04-10T13:12:28.459633Z",
	"deleted_at": null,
	"sha1_hash": "03d5659ede82aeffa7c45c88843439a8e83b8b8b",
	"title": "Bumblebee Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66790,
	"plain_text": "Bumblebee Loader\r\nPublished: 2022-05-12 · Archived: 2026-04-05 20:06:00 UTC\r\nTriage\r\nThe ISO contains two files, desk.dll and New Folder.Lnk. We can right-click Properties on the LNK file to take a look at its command. The LNK file is used to launch the DLL with the following command.\r\nC:\\Windows\\System32\\rundll32.exe desk.dll,aCmHmjrptS\r\nUnpacking\r\nLoad rundll32.exe in x64dbg and change the command line to pass desk.dll,#1\r\nEnable break on DLL load\r\nOnce desk.dll is loaded, locate the export we want to debug (aCmHmjrptS, ordinal 1) and add a hardware breakpoint\r\nRemove the break on DLL load and run until the export breakpoint is hit\r\nWe initially tried watching for allocated memory via VirtualAllocEx but didn't see anything interesting\r\nInstead we enabled break on exit and just ran the DLL\r\nWhen the break on exit was hit, we searched memory for the PE header DOS string and located a mapped PE\r\nWe unmapped the PE to reveal the payload\r\nPayload\r\nThe unpacked and unmapped payload abaa83ab368cbd3bbdaf7dd844251da61a571974de9fd27f5dbaed945b7c38f6 is available on MalShare.\r\nBuild Artifacts\r\nThere is a build artifact that may be useful for hunting other samples.\r\nZ:\\hooker2\\Common\\md5.cpp\r\nWe searched for this on VirusTotal using the search term\r\nhttps://www.virustotal.com/gui/search/content%253A%257B5a003a005c0068006f006f006b006500720032005c00%257D/files\r\nand found other samples but nothing too interesting.\r\nAnti-Analysis\r\nThere are many anti-analysis checks, some of which have been directly copied from the open source project al-khaser. To get some free work we compiled al-khaser and created an IDB using a build version with symbols. We then used BinDiff to match the al-khaser IDB with the payload. This allowed us to import all of the symbols from al-khaser.\r\nIDA Filtering\r\nhttps://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html\r\nWhile using BinDiff we ran into some issues with the IDA filter not working correctly (we were trying to filter out std and internal functions). To get the filter to work correctly we needed to use a specific order, shown below.\r\nConfig\r\nInstead of a config, the payload contains a series of encrypted strings in the .data section. These strings include the campaign name and a C2 list. The encryption is RC4 and the key is a hard-coded plaintext string (also in the .data section). In our sample the key was BLACK.\r\nDecrypted Config String\r\nSource: https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html"
	],
	"report_names": [
		"bumblebee_loader.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03d5659ede82aeffa7c45c88843439a8e83b8b8b.pdf",
		"text": "https://archive.orkl.eu/03d5659ede82aeffa7c45c88843439a8e83b8b8b.txt",
		"img": "https://archive.orkl.eu/03d5659ede82aeffa7c45c88843439a8e83b8b8b.jpg"
	}
}