
Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 21:52 · Modified 20/12/2025 21:52

Essential information

Value / Name
22b031df8240118e1667d6bb04ad2859b8e373b1
Confidence
100/100
Revoked
Yes
Valid from
09/08/2022 09:20
Valid until
12/11/2023 08:20
Pattern type
yara
Published
20/12/2025 21:52
Modified
20/12/2025 21:52
Author / Source
AlienVault

Description

BumbleBee - file VulnRecon.exe

Pattern

rule bumblebee_13387_VulnRecon_exe {
    meta:
        description = "BumbleBee - file VulnRecon.exe"
        author = "TheDFIRReport"
        reference = "https://thedfirreport.com"
        date = "2022-08-08"
        hash1 = "eb4cba90938df28f6d8524be639ed7bd572217f550ef753b2f2d39271faddaef"
    strings:
        $s1 = "hostfxr.dll" fullword wide
        $s2 = "--- Invoked %s [version: %s, commit hash: %s] main = {" fullword wide
        $s3 = "This executable is not bound to a managed DLL to execute. The binding value is: '%s'" fullword wide
        $s4 = "D:\\a\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\cli\\apphost\\standalone\\Release\\apphost.pdb" fullword ascii
        $s5 = "VulnRecon.dll" fullword wide
        $s6 = "api-ms-win-crt-runtime-l1-1-0.dll" fullword ascii
        $s7 = "  - %s&apphost_version=%s" fullword wide
        $s8 = "api-ms-win-crt-convert-l1-1-0.dll" fullword ascii
        $s9 = "api-ms-win-crt-math-l1-1-0.dll" fullword ascii
        $s10 = "api-ms-win-crt-time-l1-1-0.dll" fullword ascii
        $s11 = "api-ms-win-crt-stdio-l1-1-0.dll" fullword ascii
        $s12 = "api-ms-win-crt-heap-l1-1-0.dll" fullword ascii
        $s13 = "api-ms-win-crt-string-l1-1-0.dll" fullword ascii
        $s14 = "The managed DLL bound to this executable is: '%s'" fullword wide
        $s15 = "A fatal error was encountered. This executable was not bound to load a managed DLL." fullword wide
        $s16 = "api-ms-win-crt-locale-l1-1-0.dll" fullword ascii
        $s17 = "Showing error dialog for application: '%s' - error code: 0x%x - url: '%s'" fullword wide
        $s18 = "Failed to resolve full path of the current executable [%s]" fullword wide
        $s19 = "https://go.microsoft.com/fwlink/?linkid=798306" fullword wide
        $s20 = "The managed DLL bound to this executable could not be retrieved from the executable image." fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        all of them
}
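A note for anyone deploying this pattern: apart from $s5 ("VulnRecon.dll") and the CI build path in $s4, every string in the rule is boilerplate emitted by the .NET apphost stub, the native launcher that dotnet publishes in front of a managed assembly. Combined with "all of them" and the 400KB bound, the rule effectively pins this one build of VulnRecon.exe rather than BumbleBee as a family, which is consistent with the indicator having been revoked. The script below is an added example, not part of the AlienVault indicator or of The DFIR Report's rule: it re-implements the rule's condition in plain Python so the `wide`/`ascii` encodings, the `fullword` boundary check, `uint16(0) == 0x5a4d` and `filesize < 400KB` can be exercised offline without yara-python. The `fullword` handling is an approximation of YARA's semantics, the buffers produced by `build_sample` are constructed stand-ins rather than real files, and the function and parameter names are the example's own.

```python
import re

# Identifier, pattern and modifier of every string in the rule on this page
# (copied from the rule; the backslashes in $s4 are written as a raw string).
RULE_STRINGS = [
    ("s1", "hostfxr.dll", "wide"),
    ("s2", "--- Invoked %s [version: %s, commit hash: %s] main = {", "wide"),
    ("s3", "This executable is not bound to a managed DLL to execute. "
           "The binding value is: '%s'", "wide"),
    ("s4", r"D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli"
           r"\apphost\standalone\Release\apphost.pdb", "ascii"),
    ("s5", "VulnRecon.dll", "wide"),
    ("s6", "api-ms-win-crt-runtime-l1-1-0.dll", "ascii"),
    ("s7", "  - %s&apphost_version=%s", "wide"),
    ("s8", "api-ms-win-crt-convert-l1-1-0.dll", "ascii"),
    ("s9", "api-ms-win-crt-math-l1-1-0.dll", "ascii"),
    ("s10", "api-ms-win-crt-time-l1-1-0.dll", "ascii"),
    ("s11", "api-ms-win-crt-stdio-l1-1-0.dll", "ascii"),
    ("s12", "api-ms-win-crt-heap-l1-1-0.dll", "ascii"),
    ("s13", "api-ms-win-crt-string-l1-1-0.dll", "ascii"),
    ("s14", "The managed DLL bound to this executable is: '%s'", "wide"),
    ("s15", "A fatal error was encountered. This executable was not bound "
            "to load a managed DLL.", "wide"),
    ("s16", "api-ms-win-crt-locale-l1-1-0.dll", "ascii"),
    ("s17", "Showing error dialog for application: '%s' - error code: 0x%x "
            "- url: '%s'", "wide"),
    ("s18", "Failed to resolve full path of the current executable [%s]", "wide"),
    ("s19", "https://go.microsoft.com/fwlink/?linkid=798306", "wide"),
    ("s20", "The managed DLL bound to this executable could not be retrieved "
            "from the executable image.", "wide"),
]

MAX_FILESIZE = 400 * 1024  # YARA's "400KB" is 400 * 1024 bytes


def encode(pattern, modifier):
    """`ascii` is the raw bytes; `wide` is UTF-16LE, as YARA interprets it."""
    return pattern.encode("ascii") if modifier == "ascii" else pattern.encode("utf-16-le")


def fullword_pattern(pattern, modifier):
    """Approximation of YARA's `fullword`: the hit must not be adjacent to an
    alphanumeric character (for `wide`, an alphanumeric UTF-16LE code unit)."""
    needle = re.escape(encode(pattern, modifier))
    if modifier == "ascii":
        return re.compile(rb"(?<![0-9A-Za-z])" + needle + rb"(?![0-9A-Za-z])")
    return re.compile(rb"(?<![0-9A-Za-z]\x00)" + needle + rb"(?![0-9A-Za-z]\x00)")


COMPILED = [(ident, fullword_pattern(p, m)) for ident, p, m in RULE_STRINGS]


def unmatched_strings(data):
    """Identifiers of rule strings that have no fullword hit in `data`."""
    return [ident for ident, rx in COMPILED if rx.search(data) is None]


def rule_matches(data):
    """Evaluates the condition: MZ header, filesize < 400KB, all strings present."""
    if data[:2] != b"MZ":          # uint16(0) == 0x5a4d, little-endian, is the bytes 'M','Z'
        return False
    if len(data) >= MAX_FILESIZE:  # filesize < 400KB
        return False
    return not unmatched_strings(data)


def build_sample(dll_name="VulnRecon.dll", glue_hostfxr=False, extra_padding=0):
    """Constructed stand-in for an apphost executable: an MZ header followed by
    the rule strings separated by NUL bytes. Not a real PE and not malware; it
    exists only so the matcher can be exercised offline."""
    chunks = [b"MZ" + b"\x00" * 62]
    for ident, pattern, modifier in RULE_STRINGS:
        if ident == "s5":
            pattern = dll_name                 # swap the only sample-specific string
        if ident == "s1" and glue_hostfxr:
            pattern = "x" + pattern + "x"      # glued to letters: fullword must reject it
        chunks.append(encode(pattern, modifier))
    chunks.append(b"\x00" * extra_padding)
    return b"\x00\x00\x00\x00".join(chunks)


if __name__ == "__main__":
    print("constructed positive sample matches:", rule_matches(build_sample()))
    print("renamed DLL, unmatched:", unmatched_strings(build_sample(dll_name="Other.dll")))
    print("hostfxr glued to letters, unmatched:", unmatched_strings(build_sample(glue_hostfxr=True)))
    print("oversized sample matches:", rule_matches(build_sample(extra_padding=MAX_FILESIZE)))
```

Renaming the managed assembly is enough to break the match, which is the practical consequence of a rule whose only family-specific content is one file name; a rule meant to survive rebuilds would key on behaviour or on the managed payload rather than on the apphost wrapper.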

Labels / Tags

Labels: bumblebee cobalt strike dev-0193 exotic lily fin12 wizard spider

Marking (TLP)

TLP:CLEAR