216.73.217.80

Indicator (IOC)

Pattern type: yara · Status: Revoked · Source: AlienVault · Published 20/12/2025 21:52 · Modified 20/12/2025 21:52

Essential information

Value / Name
fa7ea690108dc602d2b358a2d9232ec1141c1191
Confidence
100/100
Revoked
Yes
Valid from
09/08/2022 09:20
Valid until
12/11/2023 08:20
Pattern type
yara
Published
20/12/2025 21:52
Modified
20/12/2025 21:52
Author / Source
AlienVault

Description

BumbleBee - file VulnRecon.dll

Pattern

// Detects the VulnRecon.dll .NET assembly (host/vulnerability reconnaissance tool)
// observed in the BumbleBee intrusion documented by TheDFIRReport (see meta.reference).
// Matching is string-based: one of the tool's own usage/help messages is mandatory,
// plus enough supporting type/namespace strings to reach the total in the condition.
rule bumblebee_13387_VulnRecon_dll {   
      meta:   
         description = "BumbleBee - file VulnRecon.dll"   
         author = "TheDFIRReport"   
         reference = "https://thedfirreport.com"   
         date = "2022-08-08"   
         // 64-hex-character digest (SHA-256 length) of the sample the rule was written from.
         hash1 = "a9e90587c54e68761be468181e56a5ba88bac10968ff7d8c0a1c01537158fbe8"   
      strings:   
         // $x*: high-confidence usage text unique to the tool. The uneven spacing inside
         // the literals is part of the matched bytes and must be preserved verbatim;
         // `wide` means the UTF-16LE encoding of the text is what is searched for.
         $x1 = "Use VulnRecon.exe  -i, --SystemInfo  to execute this command" fullword wide   
         $x2 = "Use VulnRecon.exe  -v, --Vulnerability  to execute this command" fullword wide   
         $x3 = "Use VulnRecon.exe  -h, --HotFixes  to execute this command" fullword wide   
         $x4 = "Use VulnRecon.exe -m, --MicrosoftUpdates to execute this command" fullword wide   
         $x5 = "Use VulnRecon.exe   -s, --SupportedCve  to execute this command" fullword wide   
         // $s*: supporting strings - module name, namespace/type names and method names.
         $s6 = "VulnRecon.dll" fullword wide   
         $s7 = "VulnRecon.Commands.SystemCommands" fullword ascii   
         $s8 = "VulnRecon.Commands.CveCommands" fullword ascii   
         $s9 = "VulnRecon.Commands" fullword ascii   
         $s10 = "VulnRecon.CommandLine" fullword ascii   
         // Embedded PDB path is a build-environment artifact; a rebuild from a different
         // directory would drop this string, so it should not be relied on alone.
         $s11 = "D:\\work\\rt\\VulnRecon\\VulnRecon\\obj\\Release\\net5.0\\VulnRecon.pdb" fullword ascii   
         $s12 = "VulnRecon.Commands.ToolsCommand" fullword ascii   
         $s13 = "Using VulnRecon.exe -o or VulnRecon.exe --OptionName" fullword wide   
         // $s14, $s19, $s20 are compiler-generated property/backing-field names and are
         // not specific to this tool on their own.
         $s14 = "commandVersion" fullword ascii   
         $s15 = "GetSystemInfoCommand" fullword ascii   
         $s16 = "CreateGetSupportedCveCommand" fullword ascii   
         $s17 = "CreateWindowsVersionCommand" fullword ascii   
         // Generic application-manifest fragment present in many Windows executables;
         // it only adds weight to the count, the $x* gate is what keeps the rule specific.
         $s18 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii   
         $s19 = "get_CommandVersion" fullword ascii   
         $s20 = "<CommandVersion>k__BackingField" fullword ascii   
      condition:   
         // 0x5a4d is the little-endian "MZ" DOS header magic, i.e. the file is a PE.
         // The size cap bounds scan cost and reflects the small sample this was built from.
         uint16(0) == 0x5a4d and filesize < 50KB and   
         // At least one usage string is mandatory; "4 of them" counts across all 20
         // strings, so the $x* hit(s) already contribute to that total.
         1 of ($x*) and 4 of them   
   }

Labels / Tags

Labels: bumblebee, cobalt strike, dev-0193, exotic lily, fin12, wizard spider

Marking (TLP)

TLP:CLEAR