{
	"id": "9d413880-8d0c-4bc2-b642-bd9eb60c606a",
	"created_at": "2026-04-06T00:21:49.622042Z",
	"updated_at": "2026-04-10T13:12:44.358434Z",
	"deleted_at": null,
	"sha1_hash": "cd5742992501ef75e3297ebd6bf29b404dd505a9",
	"title": "BumbleBee: Round Two",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2216296,
	"plain_text": "BumbleBee: Round Two\r\nBy editor\r\nPublished: 2022-09-26 · Archived: 2026-04-05 22:57:02 UTC\r\nIn this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector used by several ransomware affiliates.\r\nIn this intrusion, we see the threat actor use BumbleBee to deploy Cobalt Strike and Meterpreter. The threat actor then used RDP and SMB to move around the network, looking at backup systems and file shares, before being evicted from the network.\r\nCase Summary\r\nThe intrusion began with the delivery of an ISO file containing a LNK file and a BumbleBee payload in the form of a hidden DLL file. A user on a workstation mounted the ISO file and executed the LNK file, running the BumbleBee payload.\r\nAround 15 minutes after the execution of BumbleBee, multiple processes were spawned with the goal of injecting Meterpreter into each of them. After the threat actors gained access with Meterpreter, they began conducting reconnaissance on the workstation and network, including querying domain controllers, mapping domain-joined computers, enumerating Active Directory trusts, and listing Domain Admin accounts. All of this first wave of discovery relied on built-in Windows utilities like nltest, arp, net, ping, nbtstat, and nslookup.\r\nBumbleBee executed under a user with local administrator privileges on all workstations in the environment. Around six hours after initial execution, we observed a new process created that was then used to host a Cobalt Strike beacon, from the same command and control server observed in a prior BumbleBee case. This beacon reprised the discovery activity, but also cut a common command short, running net user /dom instead of /domain, whether from keyboard laziness or as a trick to trip up detections that match on the full switch. 
The threat actor then used their access to execute procdump via a remote service creation, with the intention of dumping credentials from LSASS on an adjacent workstation on the network.\r\nNext, the threat actors moved laterally via RDP to a server. A new local user, sql_admin, was created and added to the local Administrators group, and AnyDesk remote access software was installed. Through the AnyDesk session, the threat actor was observed connecting to a file share and accessing multiple documents related to cyber insurance and spreadsheets containing passwords.\r\nA second round of enumeration was observed on the beachhead using AdFind, which was executed via the Cobalt Strike beacon on the system. Following this second round of enumeration, the threat actor moved laterally via RDP to a server hosting backups and interacted with the backup console. From the backup system, the threat actors also opened Internet Explorer and attempted to load the environment’s mail server, likely checking for Outlook Web Access.\r\nhttps://thedfirreport.com/2022/09/26/bumblebee-round-two/\r\nPage 1 of 25\n\nA third round of enumeration, this time taking place from the first lateral server host, was observed via a script named ‘1.bat’ that would ping all computers in the environment. Following this third round of enumeration, the threat actors were evicted from the environment and no further impact was observed.\r\nWe assess with medium confidence that this intrusion was pre-ransomware activity, based on the tool set and techniques the actor displayed.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. 
More information on this service and others can be found here.\r\nWe also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, KAPE packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @MetallicHack, @iiamaleks \u0026 @svch0st\r\nInitial Access\r\nBumbleBee has followed the trend of using the effective combination of an .iso image containing a .lnk and a .dll file. We have observed the same behavior from other major malware distributors in previous reports:\r\nIcedID – Stolen Images Campaign Ends in Conti Ransomware\r\nBazarLoader – Diavol Ransomware\r\nUsing the “Microsoft-Windows-VHDMP-Operational.evtx” event log, we can quickly find when the user mounted the .iso.\r\nUpon clicking the LNK file, the BumbleBee payload was executed:\r\n\"C:\\Windows\\System32\\rundll32.exe\" tamirlan.dll,EdHVntqdWt\r\nExecution\r\nAfter mounting the .iso file, the user clicked on the .lnk file documents.lnk. 
As noted in previous reports, the .dll is hidden from the user unless hidden items are shown in Explorer.\r\nThe .lnk contains instructions to execute a specific exported function of the BumbleBee DLL. When the user double-clicked the .lnk, the BumbleBee DLL tamirlan.dll was executed:\r\nC:\\Windows\\System32\\rundll32.exe tamirlan.dll,EdHVntqdWt\r\nThe output of LECmd.exe run against documents.lnk provided additional context on where and when the .lnk file was created:\r\n\u003e\u003e Tracker database block\r\n Machine ID: user-pc\r\n MAC Address: 9a:5b:d6:3e:47:ec\r\n MAC Vendor: (Unknown vendor)\r\n Creation: \u003cREDACTED DATE\u003e\r\nApproximately 5 seconds after execution, the rundll32.exe process contacted the IP 154.56.0.221. More information on this traffic is covered in the Command and Control section below.\r\nA tactic of note was the use of WMI, reached through COM function calls, to start the process that the loader then injects into. Rather than creating the child itself, the BumbleBee loader calls the WMI COM interfaces to create a new process, so the process is started by the WMI provider host instead of by rundll32.exe. 
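As an added example (not code from the original report or from The DFIR Report), the following Python implements, over a handful of constructed Sysmon-style process-creation records, detection logic for the behaviours this case shows: the WmiPrvSE.exe parent pattern for the three injection targets (the same logic as the Sigma rule under Detections, extended with wab.exe), rundll32.exe loading a DLL by bare name plus an export (the ISO's tamirlan.dll,EdHVntqdWt), a procdump-style full dump of lsass, and the abbreviated /dom switch on net commands. WmiPrvSE.exe legitimately spawns processes for management tooling, so the first rule keys on the specific target images rather than on the parent alone. The field names, rule names, parent images and the two benign control events are assumptions; the command lines are those quoted in this report.

```python
# Added example (not from The DFIR Report): a tiny process-creation rule set
# implementing detections for behaviours described in this case, run against
# constructed Sysmon-style events. Field names and rule names are assumptions.
from dataclasses import dataclass

# The three injection targets the loader chooses from (see Execution). The
# published Sigma rule lists only two of them; wab.exe is included here.
TARGET_IMAGES = ('wabmig.exe', 'wab.exe', 'imagingdevices.exe')
DQ = chr(34)  # double quote, kept out of the literals below


@dataclass(frozen=True)
class ProcEvent:
    image: str          # Sysmon EID 1 Image
    parent_image: str   # Sysmon EID 1 ParentImage
    command_line: str   # Sysmon EID 1 CommandLine


def _endswith_any(value, suffixes):
    # Sigma's endswith modifier is case-insensitive; match that behaviour.
    v = value.lower()
    return any(v.endswith(s) for s in suffixes)


def _argv(ev):
    # Crude tokenisation: strip quotes, split on whitespace. Enough for the
    # command lines in this report; quoted paths with spaces need shlex-style parsing.
    return ev.command_line.replace(DQ, '').split()


def rule_wmiprvse_spawn(ev):
    # Target image started by the WMI provider host instead of by the loader.
    return (_endswith_any(ev.parent_image, ('wmiprvse.exe',))
            and _endswith_any(ev.image, TARGET_IMAGES))


def rule_rundll32_bare_dll_export(ev):
    # rundll32.exe <name>.dll,<Export> with no directory on the DLL: the DLL is
    # resolved through the search path (here the current directory on the ISO).
    toks = _argv(ev)
    if len(toks) < 2 or not toks[0].lower().endswith('rundll32.exe'):
        return False
    dll, _, export = toks[1].partition(',')
    has_dir = ('\\' in dll) or ('/' in dll)
    return bool(export) and dll.lower().endswith('.dll') and not has_dir


def rule_procdump_lsass(ev):
    # Full memory dump of lsass via procdump-style switches (binary may be renamed).
    cl = ' ' + ev.command_line.lower() + ' '
    return ' -ma ' in cl and 'lsass' in cl


def rule_net_abbreviated_domain_switch(ev):
    # net.exe accepts shortened switches, so /dom behaves like /domain but evades
    # detections that match the full word (the report notes net user /dom).
    toks = [t.lower() for t in _argv(ev)]
    if not any(t in ('net', 'net1') or t.endswith('net.exe') or t.endswith('net1.exe')
               for t in toks[:3]):
        return False
    return any(t.startswith('/dom') and t != '/domain' for t in toks)


RULES = {
    'bumblebee_wmiprvse_spawn': rule_wmiprvse_spawn,
    'rundll32_bare_dll_export': rule_rundll32_bare_dll_export,
    'procdump_lsass_dump': rule_procdump_lsass,
    'net_abbreviated_domain_switch': rule_net_abbreviated_domain_switch,
}


def evaluate(events):
    # Returns [(rule_name, image)] for every rule that fires on every event.
    return [(name, ev.image) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events. Paths and command lines are taken from the report;
# parent images and the benign controls at the end are assumptions.
SAMPLE_EVENTS = [
    ProcEvent('C:\\Windows\\System32\\rundll32.exe', 'C:\\Windows\\explorer.exe',
              'C:\\Windows\\System32\\rundll32.exe tamirlan.dll,EdHVntqdWt'),
    ProcEvent('C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe',
              'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe',
              'C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe'),
    ProcEvent('C:\\Windows\\System32\\cmd.exe', 'C:\\Program Files\\Windows Mail\\wabmig.exe',
              f'C:\\Windows\\system32\\cmd.exe /C net group {DQ}domain admins{DQ} /dom'),
    ProcEvent('C:\\programdata\\procdump64.exe', 'C:\\Windows\\System32\\services.exe',
              'C:\\programdata\\procdump64.exe -accepteula -ma lsass.exe C:\\programdata\\lsass.dmp'),
    # benign controls: DLL given by full path, and the full /domain switch
    ProcEvent('C:\\Windows\\System32\\rundll32.exe', 'C:\\Windows\\explorer.exe',
              'C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL'),
    ProcEvent('C:\\Windows\\System32\\cmd.exe', 'C:\\Program Files\\Windows Mail\\wabmig.exe',
              f'C:\\Windows\\system32\\cmd.exe /C net group {DQ}domain admins{DQ} /domain'),
]

if __name__ == '__main__':
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f'{name}: {image}')
```

Run as a script it prints one hit per malicious sample event and nothing for the two controls; to reuse it, map Image, ParentImage and CommandLine from real Sysmon Event ID 1 records onto ProcEvent and pass the list to evaluate().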
The decompiled code in the original report shows the COM instance creation, followed by the WMI namespace being set and the WMI object “Win32_Process” being created.\r\nAnalysis of the loader found that a function of the malware chooses one of three target processes before injecting the supplied code:\r\nC:\\Program Files\\Windows Mail\\wabmig.exe\r\nC:\\Program Files\\Windows Mail\\wab.exe\r\nC:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe\r\nAs a result, the new processes are not children of BumbleBee but of WmiPrvSE.exe, which defeats any detection that keys on rundll32.exe as the parent.\r\nIn this intrusion, an instance of C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe was created and then accessed by the BumbleBee rundll32.exe process. Shortly after this interaction, the process started communicating with the Meterpreter C2 3.85.198.66. This process spawned cmd.exe and ran several typical discovery commands that are covered in more detail below.\r\nThe second process spawned via the WMI technique was an instance of C:\\Program Files\\Windows Mail\\wabmig.exe. This process hosted both a session to a second Meterpreter C2, 50.16.62.87, and a Cobalt Strike beacon to 45.153.243.142, which was then used to conduct the majority of the remaining activity, including the credential dumping and discovery highlighted below. The pivot to Cobalt Strike began around 6 hours after execution of the BumbleBee loader.\r\nPersistence\r\nA new local administrator user was created on a server to facilitate persistence on the machine. The account was observed in use via an AnyDesk session on the same machine.\r\nC:\\Windows\\System32\\cmd.exe\r\n ➝ net user sql_admin P@ssw0rd! 
/add\r\n ➝ net localgroup Administrators sql_admin /ADD\r\nIn addition, AnyDesk was installed as a service.\r\nDefense Evasion\r\nThe BumbleBee loader itself uses several defense evasion and anti-analysis techniques. As detailed in the Execution section, the use of WMI to spawn new processes is a known technique to evade parent/child process heuristics and detections.\r\nAnti-Analysis\r\nOnce the malware is unpacked, it becomes quite apparent what the malware author(s) were looking for (the screenshots in the original report show the full lists):\r\nKnown malware analysis process names running.\r\nKnown sandbox usernames (Sorry if your name is Peter Wilson, no malware for you 😟).\r\nSpecific virtualization software files on disk and registry keys (VirtualBox, QEMU, Parallels).\r\nProcess Injection\r\nCreate Remote Thread – The malware used the Win32 function CreateRemoteThread in order to execute code in rundll32.exe.\r\nNamed Pipes – Two named pipes were created to establish inter-process communication (IPC) between rundll32.exe and wabmig.exe. The postex_ prefix is the Cobalt Strike default naming for its post-exploitation job pipes and is a detection opportunity in its own right.\r\n\\postex_515f\r\n\\postex_7c7b\r\nCredential Access\r\nProcDump\r\nA remote service was created on one of the workstations in order to dump LSASS.\r\nEvent 7045 from Service Control Manager:\r\nC:\\programdata\\procdump64.exe -accepteula -ma lsass.exe C:\\programdata\\lsass.dmp\r\nDiscovery\r\nThe first discovery stage includes TTPs that we have seen in multiple cases, such as trust discovery, domain admin group discovery, network discovery and process enumeration.\r\nC:\\Program Files\\Windows Mail\\wabmig.exe\r\n ➝ C:\\Windows\\system32\\cmd.exe /C ipconfig 
/all\r\n ➝ C:\\Windows\\system32\\cmd.exe /C ping -n 1 \u003cREDACTED_DOMAIN_NAME\u003e\r\n ➝ C:\\Windows\\system32\\cmd.exe /C nltest /dclist:\r\n ➝ C:\\Windows\\system32\\cmd.exe /C nltest /domain_trusts\r\n ➝ C:\\Windows\\system32\\cmd.exe /C net group \"domain admins\" /domain\r\n ➝ C:\\Windows\\system32\\cmd.exe /C tasklist /v /s \u003cREDACTED_IP\u003e\r\nAdFind\r\nAdFind.exe was renamed to af.exe and used by the threat actors to enumerate AD users, computers, OUs, trusts, subnets and groups, writing each result set to a text file in the working directory.\r\nC:\\Program Files\\Windows Mail\\wabmig.exe\r\n ➝ C:\\Windows\\system32\\cmd.exe /C af.exe -f \"(objectcategory=person)\" \u003e ad_users.txt\r\n ➝ C:\\Windows\\system32\\cmd.exe /C af.exe -f \"objectcategory=computer\" \u003e ad_computers.txt\r\n ➝ C:\\Windows\\system32\\cmd.exe /C af.exe -f \"(objectcategory=organizationalUnit)\" \u003e ad_ous.txt\r\n ➝ C:\\Windows\\system32\\cmd.exe /C af.exe -sc trustdmp \u003e trustdmp.txt\r\n ➝ C:\\Windows\\system32\\cmd.exe /C af.exe -subnets -f (objectCategory=subnet) \u003e subnets.txt\r\n ➝ C:\\Windows\\system32\\cmd.exe /C af.exe -f \"(objectcategory=group)\" \u003e ad_group.txt\r\n ➝ C:\\Windows\\system32\\cmd.exe /C af.exe -gcb -sc trustdmp \u003e trustdmp.txt\r\nLateral Movement\r\nThe threat actor was observed moving via RDP throughout the network with a Domain Admin account.\r\nAs mentioned under Credential Access, the threat actor used remote service creation to execute commands on remote hosts. SMB was used to transfer tools such as procdump.exe and the AnyDesk executables laterally around the environment as needed.\r\nCollection\r\nThe threat actor accessed multiple documents and folders from a remote file server. 
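The AnyDesk session used to reach this share leaves a trail in the ad_svc.trace log quoted under Command and Control below. As an added example (not code from the original report or from The DFIR Report), the following Python extracts the inbound login sources and Client-IDs from ad_svc.trace lines in that format and flags sources on a watch list. The line layout is inferred from the entries quoted in this report; the sample lines are constructed from those entries (date column left as REDACTED, trailing text after the port omitted) plus one assumed benign help-desk login, and the watch list and function names are assumptions.

```python
# Added example (not from The DFIR Report): triage AnyDesk ad_svc.trace lines
# for inbound session sources and Client-IDs. Line layout is inferred from the
# entries quoted in this report; the sample lines below are constructed.
from collections import Counter

# Source address reported as logging in via AnyDesk in this and the prior
# BumbleBee case; treat it as a watch-list entry, not a complete IOC set.
WATCHLIST = {'108.177.235.25'}


def parse_logins(lines):
    # Returns [(time, ip, port)] for every 'Logged in from <ip>:<port>' entry.
    marker = 'Logged in from '
    logins = []
    for line in lines:
        if marker not in line:
            continue
        fields = line.split()
        when = fields[1] + ' ' + fields[2]          # date and time columns
        addr = line.split(marker, 1)[1].split()[0].rstrip('.,')
        ip, _, port = addr.rpartition(':')
        logins.append((when, ip, int(port)))
    return logins


def parse_client_ids(lines):
    # AnyDesk IDs announced by the connecting client ('Client-ID: <digits>').
    ids = set()
    for line in lines:
        if 'Client-ID:' in line:
            ids.add(line.split('Client-ID:', 1)[1].split()[0].rstrip('.,'))
    return ids


def triage(lines, watchlist=WATCHLIST):
    # Summarise who connected, how often, when first, and whether any source
    # is on the watch list.
    logins = parse_logins(lines)
    by_ip = Counter(ip for _, ip, _ in logins)
    return {
        'logins_by_ip': dict(by_ip),
        'client_ids': parse_client_ids(lines),
        'watchlist_hits': sorted(ip for ip in by_ip if ip in watchlist),
        'first_seen': {ip: min(t for t, i, _ in logins if i == ip) for ip in by_ip},
    }


# Constructed sample: the three entries quoted in the report (date redacted as
# in the report, trailing text after the port omitted) plus one assumed benign line.
SAMPLE_TRACE = [
    'info REDACTED 18:56:00.723 lsvc 5924 5928 2 anynet.connection_mgr - New user data. Client-ID: 892647610',
    'info REDACTED 19:07:21.173 gsvc 1160 408 24 anynet.any_socket - Logged in from 108.177.235.25:49672',
    'info REDACTED 19:27:45.255 gsvc 1160 408 41 anynet.any_socket - Logged in from 108.177.235.25:49672',
    'info REDACTED 09:12:03.010 gsvc 1160 408 77 anynet.any_socket - Logged in from 10.20.30.40:50112',
]

if __name__ == '__main__':
    for key, value in triage(SAMPLE_TRACE).items():
        print(key, value)
```

Point it at the real file with triage(open(path, encoding='utf-8', errors='replace').read().splitlines()); because the date column is redacted in the quoted lines, first_seen compares the time-of-day strings only, which is correct once a real date is present in every line.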
The SMB share was accessed through a compromised server via an AnyDesk session.\r\nThe LSASS dump produced remotely was copied to the beachhead through the C$ admin share. After being copied, the file was zipped using 7za.exe (7-Zip) in preparation for exfiltration.\r\nC:\\Program Files\\Windows Mail\\wabmig.exe\r\n ➝ C:\\Windows\\system32\\cmd.exe /C copy \\\\\u003cREMOTE_WORKSTATION\u003e\\C$\\ProgramData\\lsass.dmp c:\\programda\r\n ➝ C:\\Windows\\system32\\cmd.exe /C 7za.exe a -tzip -mx5 c:\\programdata\\lsass.zip c:\\programdata\\lsas\r\nCommand and Control\r\nBumbleBee\r\n154.56.0.221:443\r\n64.44.101.250:443\r\nJA3: c12f54a3f91dc7bafd92cb59fe009a35\r\nJA3s: 76c691f46143bf86e2d1bb73c6187767\r\nCertificate: [ac:18:a0:22:b2:ef:65:c8:85:5e:1f:eb:f5:35:23:28:89:3a:5d:f9]\r\nNot Before: 2022/05/19 07:40:24 UTC\r\nNot After: 2023/05/19 07:40:24 UTC\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nCertificate: [0f:a6:76:b0:de:4c:f6:5e:a8:35:60:94:60:69:2c:2c:9c:cb:11:5c]\r\nNot Before: 2022/05/19 07:48:30 UTC\r\nNot After: 2023/05/19 07:48:30 UTC\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nOn both BumbleBee certificates the issuer and subject are the OpenSSL default organization name (Internet Widgits Pty Ltd), the mark of a hastily self-signed certificate and a worthwhile hunt on its own.\r\nMeterpreter\r\nec2-3-85-198-66.compute-1.amazonaws.com\r\n3.85.198.66:443\r\nJA3: ce5f3254611a8c095a3d821d44539877\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [e5:a3:1d:28:ee:34:4f:9d:99:b8:a9:6e:b4:a9:d0:1f:63:43:3c:ac]\r\nNot Before: 2021/05/03 23:37:39 UTC\r\nNot After: 2027/05/02 23:37:39 UTC\r\nIssuer Org: Stracke, Lakin and Windler\r\nSubject Common: stracke.lakin.windler.net\r\nSubject Org: Stracke, Lakin and Windler\r\nPublic Algorithm: rsaEncryption\r\nCertificate: [84:38:01:51:ba:46:74:89:b3:2a:67:57:b7:a1:4a:5b:49:4a:b9:03]\r\nNot Before: 2020/03/19 06:49:58 UTC\r\nNot After: 2026/03/18 06:49:58 UTC\r\nIssuer Org: 
Reilly-Carroll\r\nSubject Common: reilly.carroll.com\r\nSubject Org: Reilly-Carroll\r\nPublic Algorithm: rsaEncryption\r\nec2-50-16-62-87.compute-1.amazonaws.com\r\n50.16.62.87:443\r\nJA3: ce5f3254611a8c095a3d821d44539877\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [6c:0e:6d:6e:d8:06:92:c6:9a:13:2a:ee:d7:8c:9d:15:63:5e:e9:f2]\r\nNot Before: 2020/09/03 16:14:07 UTC\r\nNot After: 2024/09/02 16:14:07 UTC\r\nIssuer Org: Jerde-Kreiger\r\nSubject Common: jerde.kreiger.info\r\nSubject Org: Jerde-Kreiger\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike\r\nThis C2 server was observed in a previous BumbleBee case. Unlike the BumbleBee and Meterpreter servers, it presented a certificate issued by a public CA (Sectigo), so self-signed-certificate heuristics do not apply here; the JA3s hash, the beacon URIs (/rs.js and /en) and the public key in the extracted configuration below are the useful pivots.\r\nhttps://fuvataren.com\r\n45.153.243.142:443\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [6c:54:cc:ce:ca:da:8b:d3:12:98:13:d5:85:52:81:8a:9d:74:4f:fb]\r\nNot Before: 2022/04/15 00:00:00 UTC\r\nNot After: 2023/04/15 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: fuvataren.com [fuvataren.com, www.fuvataren.com]\r\nPublic Algorithm: rsaEncryption\r\nConfiguration\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 5000,\r\n \"jitter\": 24,\r\n \"maxgetsize\": 1398708,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 1580103814,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"fuvataren.com\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5eYxmuxksHBu5Hqtk11PJye1th52fYvmUXmFrL1vEIQs\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/rs.js\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"prepend 600 characters\",\r\n \"base64\",\r\n \"mask\"\r\n ]\r\n }\r\n },\r\n 
\"http-post\": {\r\n \"uri\": \"/en\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 11977,\r\n \"startrwx\": false,\r\n \"stub\": \"tUr+Aexqde3zXhpE+L05KQ==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nThe post-ex block explains the process tree seen on the host: post-exploitation jobs are spawned into rundll32.exe (sysnative or syswow64), and the process-inject block lists CreateRemoteThread among the permitted execution primitives, matching the injection observed under Defense Evasion.\r\nAnyDesk\r\nAnyDesk was installed to facilitate interactive desktop command and control access to a server in the environment.\r\nReviewing the ad_svc.trace logs from AnyDesk, located in %programdata%\\AnyDesk, reveals the logins originating from 
108.177.235.25. This was again the same IP observed in the prior BumbleBee case.\r\ninfo REDACTED 19:07:21.173 gsvc 1160 408 24 anynet.any_socket - Logged in from 108.177.235.25:49672 o\r\ninfo REDACTED 19:27:45.255 gsvc 1160 408 41 anynet.any_socket - Logged in from 108.177.235.25:49672 o\r\nThe Client-ID observed in the logs was 892647610:\r\ninfo REDACTED 18:56:00.723 lsvc 5924 5928 2 anynet.connection_mgr - New user data. Client-ID: 8926476\r\nExfiltration\r\nNo exfiltration methods were observed beyond the established command and control channels, which we assess were likely used to take data such as the LSASS dump out of the network.\r\nImpact\r\nThe threat actors were evicted from the network before any further impact.\r\nIndicators\r\nAtomic\r\nBumbleBee\r\n154.56.0.221:443\r\n64.44.101.250:443\r\n103.175.16.117:443\r\nCobalt Strike\r\nhttps://fuvataren.com\r\n45.153.243.142:443\r\nMeterpreter\r\n50.16.62.87:443\r\n3.85.198.66:443\r\nComputed\r\ndocument.iso\r\nMD5: f4235fde77119ac772a2730d55c49c54\r\nSHA1: a250adaf3d5a5c2cd4d5ad4390e4cecbe00b3dd7\r\nSHA256: 11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355\r\ndocuments.lnk\r\nMD5: fe0a99334486dcd2fcb6ec7a79163524\r\nSHA1: 7aca51b571005c5d1be54fb8a056c33160abbf8d\r\nSHA256: cadd3f05b496ef137566c90c8fee3905ff13e8bda086b2f0d3cf7512092b541c\r\ntamirlan.dll\r\nMD5: 69f1eeb7d5d466a2d53c8b7e3a929e9c\r\nSHA1: a27f6f5cc0051f4c4deed6ee14d5110c7807545f\r\nSHA256: 123f96ff0a583d507439f79033ba4f5aa28cf43c5f2c093ac2445aaebdcfd31b\r\nBehavioral\r\nThe threat actor delivers the BumbleBee loader in the form of a DLL (tamirlan.dll) via an ISO file na\r\nThe threat actor dumps lsass using procdump and copies it over an admin share before using 7zip to zi\r\nBumbleBee is used to load both Meterpreter and Cobalt Strike into memory and communicate with the C2\r\nDetections\r\nNetwork\r\nET USER_AGENTS AnyDesk 
Remote Desktop Software User-Agent\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB Executable File Transfer\r\nSigma\r\nhttps://github.com/The-DFIR-Report/Sigma-Rules/blob/main/14373/bumblebee_wmiprvse_execution_pattern.yaml\r\ntitle: BumbleBee WmiPrvSE execution pattern\r\nid: 1620db43-fde5-45f3-b4d9-45ca6e79e047\r\nstatus: experimental\r\ndescription: Detects BumbleBee WmiPrvSE parent process manipulation\r\nauthor: TheDFIRReport\r\nreferences:\r\n    - https://thedfirreport.com/\r\ndate: 2022/09/26\r\nlogsource:\r\n    category: process_creation\r\n    product: windows\r\ndetection:\r\n    selection_image:\r\n        Image|endswith:\r\n            - 'ImagingDevices.exe'\r\n            - 'wabmig.exe'\r\n    selection_parent:\r\n        ParentImage|endswith:\r\n            - 'WmiPrvSE.exe'\r\n    condition: selection_image and selection_parent\r\nfalsepositives:\r\n    - Unknown\r\nlevel: high\r\ntags:\r\n    - attack.defense_evasion\r\n    - attack.t1036\r\nThe rule covers two of the three injection targets listed under Execution; add 'wab.exe' to selection_image to cover the third.\r\nYARA\n/*\n YARA Rule Set\n Author: The DFIR Report\n Date: 2022-09-26\n Identifier: Case 14373 BumbleBee\n Reference: https://thedfirreport.com/\n*/\n/* Rule Set ----------------------------------------------------------------- */\nrule case_14373_bumblebee_document_iso {\n meta:\n description = \"Files - file document.iso\"\n author = \"The DFIR Report\"\n reference = \"https://thedfirreport.com/\"\n date = \"2022-09-26\"\n hash1 = \"11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355\"\n strings:\n $x1 = \"tamirlan.dll,EdHVntqdWt\\\"%systemroot%\\\\system32\\\\imageres.dll\" fullword wide\n $s2 = \"C:\\\\Windows\\\\System32\\\\rundll32.exe\" fullword ascii\n $s3 = \"xotgug064ka8.dll\" fullword ascii\n $s4 = \"tamirlan.dll\" fullword wide\n $s5 = \")..\\\\..\\\\..\\\\..\\\\Windows\\\\System32\\\\rundll32.exe\" fullword 
wide\n $s6 = \" \" fullword ascii\n $s7 = \"claims indebted fires plastic naturalist deduction meaningless yielded automatic wrote d\n $s8 = \"documents.lnk\" fullword wide\n $s9 = \"4System32\" fullword wide\n $s10 = \"\\\\_P^YVPX[SY]WT^^RQ_V[YQV\\\\Y]USUZV[XWT_SWT[UYURVVRVR^^[__XRQPPUXZWYYVU]V\\\\[TS[SSWWVY_R_\n $s11 = \"\\\\_P^YVPX[SY]WT^^RQ_V[YQV\\\\Y]USUZV[XWT_SWT[UYURVVRVR^^[__XRQPPUXZWYYVU]V\\\\[TS[SSWWVY_R_\n $s12 = \" Type Descriptor'\" fullword ascii\n $s13 = \"YP^WTS]V[WPTWR_\\\\P[]WX_SPYQ[SQ]]UWTU]QR\\\\UQR]]\\\\\\\\^]UZUX\\\\X^U]P_^S[ZY^R^]UXWZURR\\\\]X[^T\n $s14 = \"494[/D59:\" fullword ascii /* hex encoded string 'IMY' */\n $s15 = \"_ZQ\\\\V\\\\TW]P\\\\YW^_PZT_TR[T_WVQUSQPVSPYRSWPS^WVQR_[T_PS[]TT]RSSQV_[_Q]UY\\\\\\\\QPVQRXXPPR^_\n $s16 = \"?+7,*6@24\" fullword ascii /* hex encoded string 'v$' */\n $s17 = \"67?.68@6.3=\" fullword ascii /* hex encoded string 'ghc' */\n $s18 = \"*;+273++C\" fullword ascii /* hex encoded string ''\u003c' */\n $s19 = \"*:\u003e?2-:E?@\u003e5D+\" fullword ascii /* hex encoded string '.]' */\n $s20 = \"UPVX]VWVQU[_^ZU[_W^[R^]SPQ[[VPRR]]Z[\\\\XVU^_TR[YPR\\\\PY]RXT[_RXSPYSWTU]PV_SWWUVU\\\\R_X_U_V\n condition:\n uint16(0) == 0x0000 and filesize \u003c 8000KB and\n 1 of ($x*) and 4 of them\n}\nhttps://thedfirreport.com/2022/09/26/bumblebee-round-two/\nPage 23 of 25\n\nrule case_14373_bumblebee_tamirlan_dll {\n meta:\n description = \"Files - file tamirlan.dll\"\n author = \"The DFIR Report\"\n reference = \"https://thedfirreport.com/\"\n date = \"2022-09-26\"\n hash1 = \"123f96ff0a583d507439f79033ba4f5aa28cf43c5f2c093ac2445aaebdcfd31b\"\n strings:\n $s1 = \"xotgug064ka8.dll\" fullword ascii\n $s2 = \" \" fullword ascii\n $s3 = \"claims indebted fires plastic naturalist deduction meaningless yielded automatic wrote d\n $s4 = \"\\\\_P^YVPX[SY]WT^^RQ_V[YQV\\\\Y]USUZV[XWT_SWT[UYURVVRVR^^[__XRQPPUXZWYYVU]V\\\\[TS[SSWWVY_R_Y\n $s5 = \"\\\\_P^YVPX[SY]WT^^RQ_V[YQV\\\\Y]USUZV[XWT_SWT[UYURVVRVR^^[__XRQPPUXZWYYVU]V\\\\[TS[SSWWVY_R_Y\n $s6 
= \" Type Descriptor'\" fullword ascii\n $s7 = \"YP^WTS]V[WPTWR_\\\\P[]WX_SPYQ[SQ]]UWTU]QR\\\\UQR]]\\\\\\\\^]UZUX\\\\X^U]P_^S[ZY^R^]UXWZURR\\\\]X[^TX\n $s8 = \"494[/D59:\" fullword ascii /* hex encoded string 'IMY' */\n $s9 = \"_ZQ\\\\V\\\\TW]P\\\\YW^_PZT_TR[T_WVQUSQPVSPYRSWPS^WVQR_[T_PS[]TT]RSSQV_[_Q]UY\\\\\\\\QPVQRXXPPR^_V\n $s10 = \"?+7,*6@24\" fullword ascii /* hex encoded string 'v$' */\n $s11 = \"67?.68@6.3=\" fullword ascii /* hex encoded string 'ghc' */\n $s12 = \"*;+273++C\" fullword ascii /* hex encoded string ''\u003c' */\n $s13 = \"*:\u003e?2-:E?@\u003e5D+\" fullword ascii /* hex encoded string '.]' */\n $s14 = \"UPVX]VWVQU[_^ZU[_W^[R^]SPQ[[VPRR]]Z[\\\\XVU^_TR[YPR\\\\PY]RXT[_RXSPYSWTU]PV_SWWUVU\\\\R_X_U_V\n $s15 = \"YX\\\\^SPP^XW_^^_Y]ZY[T_UQU_QXP[SV^RT_ZRPV\\\\YVVYPVR^UP^QYQXV^\\\\]]T_SQQR_ZSQZT_Y^^_]Z]QYW\\\n $s16 = \"Z_VV\\\\PSYWUT_Z\\\\WQSPY\\\\ZZ\\\\PY]W][RW^\\\\^ZPUZV[WZ\\\\QU_V[YU\\\\X[Q__\\\\YQQPZ[VR\\\\QUZUQVQ^PUPU\n $s17 = \"R_XUSP^T[RVXUR_\\\\VU\\\\Y[YWV\\\\WYXV\\\\SQ_RU][R\\\\ZTU\\\\PWYQ[ZSRTQUZ]\\\\WSPY\\\\P[_]TX]YZPTSSZ[VX\n $s18 = \"Z_VV\\\\PSYWUT_Z\\\\WQSPY\\\\ZZ\\\\PY]W][RW^\\\\^ZPUZV[WZ\\\\QU_V[YU\\\\X[Q__\\\\YQQPZ[VR\\\\QUZUQVQ^PUPU\n $s19 = \"PQP]^__\\\\ZZUSZYT_^S_SPPV]\\\\XPT_TPQU\\\\VWZQYZPZ^]]SW]R^[WYP]^[[R_RTSPYW^WU^QVPZ\" fullword\n $s20 = \"Y]_QU\\\\ZQQSXRX[SPYVRWXU^P[VSSWUR]]PSWV\\\\X]Y[PX_UZ_PPP[WQVXY^^]^RRSPZ]^XWV^]\" fullword a\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 3000KB and\n 8 of them\n}\nrule case_14373_bumblebee_documents_lnk {\n meta:\n description = \"Files - file documents.lnk\"\n author = \"The DFIR Report\"\n reference = \"https://thedfirreport.com/\"\n date = \"2022-09-26\"\n hash1 = \"cadd3f05b496ef137566c90c8fee3905ff13e8bda086b2f0d3cf7512092b541c\"\n strings:\n $x1 = \"tamirlan.dll,EdHVntqdWt\\\"%systemroot%\\\\system32\\\\imageres.dll\" fullword wide\n $s2 = \"C:\\\\Windows\\\\System32\\\\rundll32.exe\" fullword ascii\n $s3 = \")..\\\\..\\\\..\\\\..\\\\Windows\\\\System32\\\\rundll32.exe\" 
fullword wide\n $s4 = \"4System32\" fullword wide\r\n $s5 = \"user-pc\" fullword ascii\r\n $s6 = \"}Windows\" fullword wide\r\n condition:\r\n uint16(0) == 0x004c and filesize \u003c 4KB and\r\n 1 of ($x*) and all of them\r\n}\r\nMITRE\r\nMark-of-the-Web Bypass - T1553.005\r\nUser Execution - T1204\r\nRundll32 - T1218.011\r\nMasquerading - T1036\r\nLocal Account - T1136.001\r\nLSASS Memory - T1003.001\r\nArchive via Utility - T1560.001\r\nArchive Collected Data - T1560\r\nService Execution - T1569.002\r\nProcess Discovery - T1057\r\nSystem Network Configuration Discovery - T1016\r\nDomain Trust Discovery - T1482\r\nDomain Groups - T1069.002\r\nSMB/Windows Admin Shares - T1021.002\r\nLateral Tool Transfer - T1570\r\nRemote Desktop Protocol - T1021.001\r\nWeb Protocols - T1071.001\r\nRemote Access Software - T1219\r\nProcess Injection - T1055\r\nInternal case #14373\r\nSource: https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2022/09/26/bumblebee-round-two/"
	],
	"report_names": [
		"bumblebee-round-two"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd5742992501ef75e3297ebd6bf29b404dd505a9.pdf",
		"text": "https://archive.orkl.eu/cd5742992501ef75e3297ebd6bf29b404dd505a9.txt",
		"img": "https://archive.orkl.eu/cd5742992501ef75e3297ebd6bf29b404dd505a9.jpg"
	}
}