{
	"id": "ae53971e-7a50-4d9f-b447-6004b2e67b1c",
	"created_at": "2026-04-06T00:06:10.585925Z",
	"updated_at": "2026-04-10T13:11:39.835774Z",
	"deleted_at": null,
	"sha1_hash": "6b8a3936d4516f43972d436eb5912abaf6f4b44d",
	"title": "The DGA of BumbleBee",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 607865,
	"plain_text": "The DGA of BumbleBee\r\nArchived: 2026-04-05 17:05:04 UTC\r\nThe following Tweet by @Artilllerie caught my attention because it mentions a “Possible DGA on .life domains”:\r\nhttps://bin.re/blog/the-dga-of-bumblebee/\r\nPage 1 of 12\r\n\r\nThis is the mentioned file:\r\nFile type\r\nfe3c93db5bfab8423d142e07b5adc73620d8a492f2ac67f4ade1e40bf3abd7cc: PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5\r\ncf19e55c9604d5c002ac7b9770c529de\r\nSHA1\r\n34a3c780ba2decb6c676723fbcb916c007bacb8c\r\nSHA256\r\nfe3c93db5bfab8423d142e07b5adc73620d8a492f2ac67f4ade1e40bf3abd7cc\r\nSize\r\n595 KB (609280 Bytes)\r\nCompile Timestamp\r\n2023-09-06 10:43:36 UTC\r\nLinks\r\nMalwareBazaar, Cape, VirusTotal\r\nFilenames\r\n7.exe (MalwareBazaar), 7.exe (VirusTotal)\r\nDetections\r\nMalwareBazaar: BumbleBee, Virustotal: 51/73 as of 2023-09-12 03:16:46 - Trojan.Win32.BumbleBee.4!c (Lionic), Gen:Variant.Lazy.339495 (MicroWorld-eScan), TrojanDownloader.Win64 (CAT-QuickHeal), Gen:Variant.Lazy.339495 (ALYac), Downloader.Win64.Bumblebee.Vle3 (Sangfor), Gen:Variant.Lazy.339495 (BitDefender), Trojan.Lazy.D52E27 (Arcabit), Trojan-Downloader.Win64.BumbleBee.aik (Kaspersky), Downloader.BumbleBee!8.15B7F (TFE:5:54W0iAL9QiL) (Rising), Trojan.TR/AD.BumbleBee.lfbzg (F-Secure), Gen:Variant.Lazy.339495 (VIPRE), Trojan.Win64.BUMBLELOADER.YXDIHZ (TrendMicro), W32.Trojan.TR.AD.BumbleBee.lfbz (Webroot), TR/AD.BumbleBee.lfbzg (Avira), Trojan[Downloader]/Win64.Bumblebee (Antiy-AVL), Trojan:Win32/Synder!ic (Microsoft), Trojan-Downloader.Win64.BumbleBee.aik (ZoneAlarm), Gen:Variant.Lazy.339495 (GData), TrojanDownloader.BumbleBee (VBA32), Trojan.BumbleBee (Malwarebytes), Trj/Chgt.AD (Panda), Trojan.Win64.BUMBLELOADER.YXDIHZ (TrendMicro-HouseCall)\r\n\r\nThis is the file after unpacking:\r\nFile type\r\n17E93000000.bin: PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5\r\n0b7b1d42e60ceeff49ef796d4d4f5b14\r\nSHA1\r\n54a528d2f62b1af4c331f2c5ae03efdabc793833\r\nSHA256\r\naf59ce785e062bf0d198eb4e3bdbc1ee57d58164de6dc1faf38836c670ef6f7d\r\nSize\r\n1 MB (1048576 Bytes)\r\nCompile Timestamp\r\n2023-09-04 16:02:26 UTC\r\nLinks\r\nMalwareBazaar, Twitter, Dropped_by_md5, Cape, VirusTotal\r\nFilenames\r\n17E93000000.bin (MalwareBazaar), 17E93000000.bin (VirusTotal)\r\nDetections\r\nMalwareBazaar: BumbleBee, Virustotal: 25/75 as of 2023-09-15 17:56:30 - Windows.Trojan.Bumblebee (Elastic), a variant of Win64/Bumblebee.M (ESET-NOD32)\r\n\r\nReverse Engineering\r\nThis is the seeding of the DGA:\r\nThe seed can either be based on a time that is passed to the function, or be time-independent. If the seed is time-dependent, then the seed changes based on the current year, month, and second. A magic seed value can be used to create different sets of domains for the same dates (interestingly, the magic seed for the analysed sample is TEST_SEE). Here is a reimplementation of the seeding:\r\ndef seed(magic: int, time: Optional[datetime] = None) -\u003e int:\r\n    if time:\r\n        secs = time.second\r\n        month = time.month - 1\r\n        year = time.year\r\n    else:\r\n        secs = 32\r\n        month = 13\r\n        year = 1899\r\n    return magic + (secs | ((month + 256) \u003c\u003c 8)) + year\r\nNot shown is the seeding when the magic value is 0. In this case, the current unix timestamp is used as the seed, likely creating domains that are unpredictable to the attackers and any feasible sinkholing attempts.\r\nThe seed is then used for the random number generator:\r\nOnly the right path of the first branch is relevant. It is a simple LCG (linear congruential generator) with the common parameters 1664525 as the multiplier and 1013904223 as the increment, as proposed in the book Numerical Recipes.\r\nThe strange loop towards the end extracts the high DWORD of the random number by dividing it 32 times by 2. But it also XORs the result with 0xF5000000 if the division has a remainder. I did not figure out what the purpose of these XOR operations is, but it is likely part of a library and improves the RNG.\r\ndef rand(r: int) -\u003e int:\r\n    r = r*1664525 + 1013904223\r\n    r \u0026= (2**64 - 1)\r\n    for _ in range(32):\r\n        if r \u0026 1:\r\n            r = (r // 2) ^ 0xF5000000\r\n        else:\r\n            r = (r // 2)\r\n    return r\r\nThe random number generator is finally used to generate the domain names:\r\nFigure 1: The core of BumbleBee's\r\nThe character set szCharSet is the lowercase alphabet followed by the digits. The DGA picks 11 characters based on the generated pseudo random numbers, then tacks on the TLD .life. In total, 100 domains are generated.\r\n\r\nReimplementation\r\nHere is a reimplementation of the DGA in Python:\r\nfrom datetime import datetime\r\nimport argparse\r\nfrom typing import Optional\r\nimport string\r\n\r\ncharset = string.ascii_lowercase + string.digits\r\n\r\ndef seed(magic: int, time: Optional[datetime] = None) -\u003e int:\r\n    if time:\r\n        secs = time.second\r\n        month = time.month - 1\r\n        year = time.year\r\n    else:\r\n        secs = 32\r\n        month = 13\r\n        year = 1899\r\n    return magic + (secs | ((month + 256) \u003c\u003c 8)) + year\r\n\r\ndef rand(r: int) -\u003e int:\r\n    r = r*1664525 + 1013904223\r\n    r \u0026= (2**64 - 1)\r\n    for _ in range(32):\r\n        if r \u0026 1:\r\n            r = (r // 2) ^ 0xF5000000\r\n        else:\r\n            r = (r // 2)\r\n    return r\r\n\r\ndef dga(seed: int):\r\n    r = seed\r\n    for _ in range(100):\r\n        domain = \"\"\r\n        for _ in range(11):\r\n            r = rand(r)\r\n            domain += charset[r % len(charset)]\r\n        yield domain + \".life\"\r\n\r\nif __name__==\"__main__\":\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument(\"--magic\", \"-m\", type=str, default=\"TEST_SEE\")\r\n    help_msg = (\r\n        \"time for which to generate domains, e.g., \"\r\n        \"2020-06-28 13:37:12. If not specified, the static DGA is used\"\r\n    )\r\n    parser.add_argument(\"--time\", \"-t\", help=help_msg)\r\n    args = parser.parse_args()\r\n    if args.time:\r\n        time = datetime.strptime(args.time, \"%Y-%m-%d %H:%M:%S\")\r\n    else:\r\n        time = None\r\n    magic = sum(ord(v) \u003c\u003c i*8 for i, v in enumerate(args.magic))\r\n    s = seed(magic=magic, time=time)\r\n    for domain in dga(s):\r\n        print(domain)\r\n\r\nCharacteristics\r\nThe following table summarizes the properties of BazarLoader’s DGA.\r\nproperty | value\r\ntype | time-independent-deterministic, or time-dependent-deterministic\r\ngeneration scheme | arithmetic\r\nseed | current date\r\ndomain change frequency | never or every month and second (repeating each minute)\r\ndomains per day | 100 if time-independent, 6000 if time-dependent\r\nsequence | in order\r\nwait time between domains | unknown\r\ntop level domain | .life\r\nsecond level characters | a-z0-9\r\nregex | [a-z0-9]{11}\\.life\r\nsecond level domain length | 11\r\n\r\nExample Domains\r\ncmid1s1zeiu.life\r\nitszko2ot5u.life\r\n3v1n35i5kwx.life\r\nnewdnq1xnl9.life\r\njkyj6awt1ao.life\r\nddrjv6y42b8.life\r\n1pnhp5o5za1.life\r\ny13iqvlfjl5.life\r\nxp0btfgegbo.life\r\ngpv3uw5tmy4.life\r\n5d7rdf3layn.life\r\n2aed6bvquxs.life\r\n5t9oknzu433.life\r\nsy53gmpuq1i.life\r\n09cwff8wgdh.life\r\n4elhq2521mw.life\r\nb4arp834sch.life\r\ns3iug4uiy7t.life\r\nq1cvhi9onpu.life\r\nm3j4htyodnu.life\r\ndzzrhn9rvqa.life\r\nuriqas6zede.life\r\ntv45x1ukt9w.life\r\n9dnuk0xl7yc.life\r\nzro95b8zb3r.life\r\n9da1kshoyuq.life\r\nzph13yx1leo.life\r\n0q6mvuo4wl6.life\r\nnyoqtkpub9x.life\r\nl1bnym8lg65.life\r\nd63hq5crsun.life\r\nf4te7v7fi28.life\r\noi27t509pny.life\r\nxg2mddk9qrj.life\r\n9uknixukwim.life\r\n5ejt5qpx2oh.life\r\nv9y5rypfhdj.life\r\naq59tsppo18.life\r\nvdnizm8lcke.life\r\nknof8y1kufn.life\r\nmhwv3bpckbi.life\r\nb4ycw3b0ztx.life\r\ntu0t62osn5m.life\r\npkgbfa9ati6.life\r\nwd60v3x8mun.life\r\nqpgomg0nfob.life\r\n9619skmuswk.life\r\n10fa4glizbq.life\r\nh9cgsquxt5t.life\r\ncpjeg06jqj7.life\r\ntuaksrh3m4v.life\r\npnkk456mk55.life\r\nbryfg80da8m.life\r\n4c9takty1zx.life\r\n17afrof66rf.life\r\nkeoauupcj2n.life\r\nokxar0c3d29.life\r\n759lhww6ixh.life\r\nbr40ztd8bya.life\r\nvdug3t5r2cz.life\r\n6j0uqybrqj4.life\r\nkm87l2nqldk.life\r\nd421obfpnmh.life\r\nhsk3pjutatd.life\r\niudmgiv2ndb.life\r\nvf9bknmns0b.life\r\n325g1cipn4m.life\r\ng3z3h2xzdfv.life\r\ni4hmyqc1p69.life\r\nr967duebyji.life\r\nf83jeqe01vd.life\r\nsbprbiukvhf.life\r\nlc2q21q7nd4.life\r\nco7hu2019oy.life\r\nue9panfagh0.life\r\nfby66hp7jm0.life\r\nnjg6qfp2lfa.life\r\nmb1hy4vi0q7.life\r\n7jemrghylwb.life\r\nyxz60ai05jv.life\r\nv68i3v975xq.life\r\n67xsof7l8ak.life\r\nq886dsegew3.life\r\n16nqnk7hvgs.life\r\nwe5x2dfevhn.life\r\n88kwlc3k73o.life\r\np2xo397h86f.life\r\nnjljnzf5c20.life\r\n2g6py8d93tm.life\r\ndz8bw5q6jy2.life\r\ngflfug3a9lb.life\r\nrssaelatar7.life\r\n35l9tvici4l.life\r\nlqhjkq5lfiu.life\r\n3t3qouhmhww.life\r\nfuwisezq1sl.life\r\nibm2bld58ah.life\r\nh02pknjmc6v.life\r\nenenfxgn3fh.life\r\nzcf8nrpzrqk.life\r\nSource: https://bin.re/blog/the-dga-of-bumblebee/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bin.re/blog/the-dga-of-bumblebee/"
	],
	"report_names": [
		"the-dga-of-bumblebee"
	],
	"threat_actors": [],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b8a3936d4516f43972d436eb5912abaf6f4b44d.pdf",
		"text": "https://archive.orkl.eu/6b8a3936d4516f43972d436eb5912abaf6f4b44d.txt",
		"img": "https://archive.orkl.eu/6b8a3936d4516f43972d436eb5912abaf6f4b44d.jpg"
	}
}