Indicator (IOC)
Essential information
- Value / Name
fa7ea690108dc602d2b358a2d9232ec1141c1191
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 09/08/2022 09:20
- Valid until
- 12/11/2023 08:20
- Pattern type
- yara
- Published
- 20/12/2025 21:52
- Modified
- 20/12/2025 21:52
- Author / Source
- AlienVault
Description
BumbleBee - file VulnRecon.dll
Pattern
// String-based signature for the file described in meta as "VulnRecon.dll".
// hash1 holds a 64-hex-character reference hash (presumably SHA-256 of the sample the rule was built from).
rule bumblebee_13387_VulnRecon_dll {
meta:
description = "BumbleBee - file VulnRecon.dll"
author = "TheDFIRReport"
reference = "https://thedfirreport.com"
date = "2022-08-08"
hash1 = "a9e90587c54e68761be468181e56a5ba88bac10968ff7d8c0a1c01537158fbe8"
strings:
// $x*: wide (UTF-16) usage/help messages that name VulnRecon.exe and its options.
// The condition requires at least one of these, so they anchor the rule to this tool.
$x1 = "Use VulnRecon.exe -i, --SystemInfo to execute this command" fullword wide
$x2 = "Use VulnRecon.exe -v, --Vulnerability to execute this command" fullword wide
$x3 = "Use VulnRecon.exe -h, --HotFixes to execute this command" fullword wide
$x4 = "Use VulnRecon.exe -m, --MicrosoftUpdates to execute this command" fullword wide
$x5 = "Use VulnRecon.exe -s, --SupportedCve to execute this command" fullword wide
// $s*: supporting strings. $s6-$s13 carry the VulnRecon name (file name, namespaces, PDB build path, usage text).
// $s14-$s20 do not contain the tool name; $s18 is an application-manifest element and $s20 looks like a
// compiler-generated backing-field name, so on their own they would match unrelated binaries.
// They only count toward the "4 of them" total and never satisfy the rule without an $x string.
$s6 = "VulnRecon.dll" fullword wide
$s7 = "VulnRecon.Commands.SystemCommands" fullword ascii
$s8 = "VulnRecon.Commands.CveCommands" fullword ascii
$s9 = "VulnRecon.Commands" fullword ascii
$s10 = "VulnRecon.CommandLine" fullword ascii
$s11 = "D:\\work\\rt\\VulnRecon\\VulnRecon\\obj\\Release\\net5.0\\VulnRecon.pdb" fullword ascii
$s12 = "VulnRecon.Commands.ToolsCommand" fullword ascii
$s13 = "Using VulnRecon.exe -o or VulnRecon.exe --OptionName" fullword wide
$s14 = "commandVersion" fullword ascii
$s15 = "GetSystemInfoCommand" fullword ascii
$s16 = "CreateGetSupportedCveCommand" fullword ascii
$s17 = "CreateWindowsVersionCommand" fullword ascii
$s18 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
$s19 = "get_CommandVersion" fullword ascii
$s20 = "<CommandVersion>k__BackingField" fullword ascii
condition:
// Match requires all of: "MZ" (0x5a4d) at offset 0, file size under 50KB,
// at least one $x string, and at least four strings overall ("them" counts the $x strings too).
// NOTE(review): exact strings plus the size cap mean a renamed, rebuilt or packed variant may not match;
// treat a non-match as inconclusive rather than as evidence the tool is absent.
uint16(0) == 0x5a4d and filesize < 50KB and
1 of ($x*) and 4 of them
}
Labels / Tags
Marking (TLP)
TLP:CLEAR