Bumblebee: increasing its capacity and evolving its TTPs - Check Point Research
Common Information
Type Value
UUID 6afe05fa-087d-4433-8e41-647e12495cfa
Fingerprint a57109d1a833ae83
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 3, 2022, 11:18 a.m.
Added to db Oct. 24, 2023, 1:37 p.m.
Last updated Sept. 5, 2024, 2:20 a.m.
Headline Bumblebee: increasing its capacity and evolving its TTPs
Title Bumblebee: increasing its capacity and evolving its TTPs - Check Point Research
Detected Hints/Tags/Attributes 55/1/52
Attributes
Details Type #Events CTI Value
Details md5 1
3f4aa6d4e02790dea90186c5376c0064
Details sha256 1
6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db
Details sha256 1
82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb
Details sha256 1
a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c
Details sha256 1
ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa
Details sha256 1
13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78
Details sha256 1
b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e
Details sha256 1
7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad
Details sha256 1
68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce
Details sha256 1
c70413851599bbcd9df3ce34cc356b66d10a5cbb2da97b488c1b68894c60ea69
Details sha256 1
14f04302df7fa49d138c876705303d6991083fd84c59e8a618d6933d50905c61
Details sha256 1
76e4742d9e7f4fd3a74a98c006dfdce23c2f9434e48809d62772acff169c3549
Details sha256 1
024f8b16ee749c7bb0d76500ab22aa1418cd8256fb12dcbf18ab248acf45947e
Details sha256 1
2691858396d4993749fec76ac34cf3cc3658ee3d4eaf9c748e2782cfc994849d
Details sha256 1
083a4678c635f5d14ac5b6d15675d2b39f947bb9253be34d0ab0db18d3140f96
Details sha256 1
21df56d1d4b0a6a54bae3aba7fe15d307bac0e3391625cef9b05dd749cf78c0c
Details sha256 1
31005979dc726ed1ebfe05558f00c841912ca950dccdcdf73fd2ffbae1f2b97f
Details sha256 2
2d67a6e6e7f95d3649d4740419f596981a149b500503cbc3fcbeb11684e55218
Details sha256 1
3c0f67f71e427b24dc77b3dee60b08bfb19012634465115e1a2e7ee5bef16015
Details sha256 1
07f277c527d707c6138aae2742939e8edc9f700e68c4f50fd3d17fe799641ea8
Details sha256 1
ee27cceac88199bf3546e8b187d77509519d6782a0e114fc9cfc11faa2d33cd1
Details IPv4 1
104.168.201.219
Details IPv4 1
142.11.234.230
Details IPv4 2
145.239.30.26
Details IPv4 1
145.239.135.155
Details IPv4 1
145.239.28.110
Details IPv4 1
146.19.173.202
Details IPv4 1
146.70.125.122
Details IPv4 1
152.89.247.79
Details IPv4 1
185.17.40.189
Details IPv4 2
185.62.58.175
Details IPv4 1
205.185.122.143
Details IPv4 1
205.185.123.137
Details IPv4 1
209.141.46.50
Details IPv4 2
209.141.58.141
Details IPv4 1
51.210.158.156
Details IPv4 2
51.68.144.94
Details IPv4 1
51.68.145.54
Details IPv4 1
51.68.146.186
Details IPv4 2
51.68.147.233
Details IPv4 3
51.75.62.99
Details IPv4 1
51.83.250.240
Details IPv4 2
51.83.251.245
Details IPv4 1
51.83.253.131
Details IPv4 2
51.83.253.244
Details IPv4 2
54.37.130.166
Details IPv4 1
54.37.131.14
Details IPv4 1
54.38.136.111
Details IPv4 2
54.38.136.187
Details IPv4 1
54.38.138.94
Details IPv4 3
54.38.139.20
Details Yara rule 1
// Detects the packer wrapped around BumbleBee payloads by matching one
// x64 code sequence (see $heapalloc) rather than any string or header
// artifact, so it should survive re-packing as long as that code is
// carried over unchanged.
rule malware_bumblebee_packed {
	meta:
		author = "Marc Salinas @ CheckPoint Research"
		malware_family = "BumbleBee"
		date = "13/07/2022"
		description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic."
		// Reference samples the rule was written against, one per
		// delivery container (DLL / ISO / ZIP) and month (May-Jul 2022).
		// NOTE(review): an ISO or ZIP only matches if the packed DLL's
		// bytes appear uncompressed inside the container — confirm
		// against these samples before relying on container-level hits.
		dll_jul = "6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db"
		dll_jun = "82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb"
		dll_may = "a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c"
		iso_jul = "ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa"
		iso_jun = "13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78"
		iso_may = "b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e"
		zip_jun = "7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad"
		zip_may = "68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce"
	strings:
		// x64 opcode sequence, read left to right:
		//   48 8? EC              sub rsp, imm  (stack-frame setup)
		//   FF 15 ?? ?? 0? 00     call qword ptr [rip+disp32]  (indirect call,
		//                         e.g. through an import thunk)
		//   33 D2                 xor edx, edx  (zeroes the 2nd integer
		//                         argument in the Win64 ABI — consistent
		//                         with a flags=0 argument to an allocator)
		//   4? ... 4? ?? ??       REX-prefixed register moves setting up
		//                         the remaining arguments
		//   FF 15 ?? ?? 0? 00     second indirect call — presumably the
		//                         allocation itself (the "critical structure"
		//                         in the description); not verifiable here
		//   48 89 05 ?? ?? ?? 00  mov [rip+disp32], rax  (return value
		//                         stored into a global)
		//   E8 ?? ?? ?? ??        call rel32
		//   4? 8B ?? ?? ?? ?? 00  mov r64, [mem]
		// The "?? ?? 0? 00" displacement bytes pin each rip-relative
		// target to a positive displacement below 1 MiB, which keeps the
		// wildcards from matching arbitrary data; [n-m] jumps absorb the
		// small instruction-scheduling differences seen between builds.
		$heapalloc = { 48 8? EC [1-6] FF 15 ?? ?? 0? 00 [0-5] 33 D2 4? [2-5] 4? ?? ?? FF 15 ?? ?? 0? 00 [8-11] 48 89 05 ?? ?? ?? 00 E8 ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? 00 }
	condition:
		// The single code pattern is the whole condition: there is no
		// PE-magic or filesize guard, so the rule is applied to every file
		// type (which is what lets the ISO/ZIP reference samples above
		// match at all). Add such a guard only if you are scanning PE
		// files exclusively and accept losing container/memory hits.
		$heapalloc
}