Bumblebee Loader
Published: 2022-05-12 · Archived: 2026-04-05 20:06:00 UTC
Triage
The ISO contains two files desk.dll and New Folder.Lnk . We can right click properties on the lnk file to take a
look at its command. The lnk file is used to launch the dll with the following command.
C:\Windows\System32\rundll32.exe desk.dll,aCmHmjrptS
Unpacking
load rundll32.exe in x64dbg and change the command line to pass desk.dll,#1
enable break on dll load
once desk.dll is loaded locate export we want to debug ( aCmHmjrptS ord 1) and add a hardware breakpoint
remove the break on dll load and run until the export is bp is hit
we initially tried watching for allocated memory via VirutalAllocEx but didn't see anything interesting
instead we eneabled break on exit and just ran the dll
when the break on exit was hit we searched memory for the PE header DOS string and located a mapped PE
we unmapped the PE to reveal the payload
Payload
Unpacked and unmapped payload abaa83ab368cbd3bbdaf7dd844251da61a571974de9fd27f5dbaed945b7c38f6 available on
malshare.
Build Artifacts
There is a build artifact that may be useful for hunting other samples.
Z:\hooker2\Common\md5.cpp
We searched for this on VirusTotal using the search term
https://www.virustotal.com/gui/search/content%253A%257B5a003a005c0068006f006f006b006500720032005c00%257D/files
and found other sample but nothing too interesting.
Anti-Analysis
There are many anti-analysis checks some of which have been directly copied from the open source project al-khaser. To
get some free work we compiled al-khaser and created and IDB using a build version with symbols. We when used
bindiff to match the al-khaser IDB with the payload. This allowed us to import all of the symbols from al-khaser.
IDA Filtering
https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html
Page 1 of 2

While using BinDiff we ran into some issues with the IDA filter not working correcte (we were trying to filter out std and
internal functions). To get the filter to work correctly we needed use a specific order shown below.
Config
Instead of a config the payload contains a series of encrypted strings in the .data section. These strings include the
campaign name and a C2 list. The encryption is RC4 and the key is a hard-coded plaintext string (also in the .data
section). In our sample the key was BLACK .
Decrypted Config String
Source: https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html
https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html
Page 2 of 2