Manuel Statik Analiz — BumbleBee Loader | Tehdit: KRITIK

Datei Kimligi

SHA256670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c
Größe1.852.656 byte (1.8MB)
String Sayisi7.909

C2 Konfigurasyonu (Sifrelenmis)

wC2%]     -- Sifrelenmis C2 config fragmenti
FC2ER     -- C2 referansi
ZC2;a     -- C2 sekman isaretcisi
j4 =c2Z   -- C2 config bayti

TLS Sertifikasi

http://crl.globalsign.com/ca/gstsacasha384g4.crl
-- GlobalSign SHA384 CA sertifikasi
-- BumbleBee HTTPS C2 trafinini mesgru TLS ile gizler

BumbleBee Hakkinda

BumbleBee, 2022 yilinda C++ ile yazilmis loader ailesidir. Google Ads ve phishing ile dagitilir. Cobalt Strike, Meterpreter, Sliver yukler. AES sifrelenmis HTTPS C2 kullanir.

IOC

SHA256670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c
C2 ProtokolHTTPS + TLS (GlobalSign)

BumbleBee — Malware-Profil

Bumblebee, 2022 den aktif C++ loader. Conti/Lazarus bağlantılı. ISO/VHD/LNK dağıtım. Cobalt Strike dropper. Anti-debug.

Malware-Typ
Loader
Programmiersprache
C++
C2-Protokoll
HTTPS
Zielsysteme
Windows

Technische Details

Loader ailesi: HTTP/HTTPS C2, payload sifre cozme ve bellek icerisinde yükleme, anti-sandbox/VM kontrolleri, process injection, persistence mekanizmasi, yükü indirme ve calistirma zinciri

Fähigkeiten & Verhalten

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

IOC-Liste (1 Indikatoren)

IOC — BumbleBee
# SHA256 670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c
TypWertBemerkung
sha256 670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c

C2-Server (3 erfasste Server für diese Familie)

Adresse Typ Port Protokoll Status Land
odoca.com domain 443 HTTPS active —
108.61.55.248 ip 443 HTTPS inactive US
45.8.146.78 ip 443 HTTPS inactive RU

C2-Adressen stammen ausschließlich aus vom KEYDAL-Team manuell verifizierten Malware-Samples. Kommerzielle Nutzung ist untersagt.

Tags
bumblebeeloadertlscobalt-strikehttpssifrelenmis-c2