BumbleBee Roasts Its Way to Domain Admin

➡️Initial Access: BumbleBee (zipped ISO w/ LNK+DLL)
➡️Persistence: AnyDesk
➡️Discovery: VulnRecon, Seatbelt, AdFind, etc.
➡️Credentials: Kerberoast, comsvcs.dll, ProcDump
➡️C2: BumbleBee, CobaltStrike, AnyDesk

thedfirreport.com/2022/08/08/bum…
Analysis and reporting completed by @Tornado and @MetallicHack

Shout outs: @threatinsight, Google's Threat Analysis Group, @vladhiewsha, @benoitsevens, @DidierStevens, @malpedia, @k3dg3, @malware_traffic, @Unit42_Intel, @EricRZimmerman, & @svch0st. Thanks y'all!
IOCs

#Bumblebee
BC_invoice_Report_CORP_46.zip
6c87ca630c294773ab760d88587667f26e0213a3
142.91.3[.]109:443
45.140.146[.]30:443

#CobaltStrike
fuvataren[.]com
45.153.243[.]142:443

dofixifa[.]co
108.62.12[.]174:443

CS Payload Hosting
hxxp://104.243.33.50:80/a
IOCs Continued

document.lnk
58739dc62eeac7374db9a8c07df7c7c36b550ce5

namr.dll
7a3db4b3359b60786fcbdaf0115191502fcded07

VulnRecon.exe
d9832b46dd6f249191e9cbcfba2222c1702c499a

VulnRecon.dll
a204f20b1c96c5b882949b93eb4ac20d4f9e4fdf
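The IOCs above are defanged (`[.]`, `hxxp://`), so they cannot be dropped straight into a proxy or DNS log search. The block below is an added example, not code from the report or from The DFIR Report: it refangs the network indicators from the thread, classifies them as IP, domain or URL, and matches them against a handful of constructed proxy/DNS log lines (the log lines are invented here for illustration). Host matching is word-bounded so that, for example, `45.153.243.14` does not match `45.153.243.142`, and ports are carried separately because beacon traffic to a listed IP on a different port is still worth a look.

```python
import re
from typing import NamedTuple, Optional

# Network IOCs copied from the thread above, exactly as defanged there.
DEFANGED_IOCS = """
142.91.3[.]109:443
45.140.146[.]30:443
fuvataren[.]com
45.153.243[.]142:443
dofixifa[.]co
108.62.12[.]174:443
hxxp://104.243.33.50:80/a
"""


class Ioc(NamedTuple):
    kind: str            # "ip", "domain" or "url"
    value: str           # refanged host (ip/domain) or full URL
    port: Optional[str]  # port from the IOC line, if one was given


def refang(text: str) -> str:
    """Undo the usual defanging: [.] / (.) / [dot] -> '.', hxxp -> http."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def parse_iocs(blob: str) -> list:
    """Turn one defanged indicator per line into Ioc records."""
    iocs = []
    for line in blob.splitlines():
        line = line.strip()
        if not line:
            continue
        item = refang(line)
        if re.match(r"^https?://", item, re.IGNORECASE):
            iocs.append(Ioc("url", item, None))
            continue
        host, _, port = item.partition(":")
        kind = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "domain"
        iocs.append(Ioc(kind, host.lower(), port or None))
    return iocs


# Constructed proxy/DNS-style log lines for the demo; not data from the report.
SAMPLE_LOGS = [
    "2022-06-01T10:00:01Z proxy src=10.0.0.5 dst=45.153.243.142:443 host=fuvataren.com",
    "2022-06-01T10:00:05Z dns query=dofixifa.co type=A rcode=NOERROR",
    "2022-06-01T10:01:00Z proxy src=10.0.0.7 dst=104.243.33.50:80 url=http://104.243.33.50:80/a",
    "2022-06-01T10:02:00Z dns query=example.com type=A rcode=NOERROR",
    "2022-06-01T10:03:00Z proxy src=10.0.0.9 dst=142.91.3.109:8443 host=-",
]


def match_logs(logs, iocs):
    """Return (log line, Ioc) pairs for every indicator seen in each line."""
    hits = []
    for line in logs:
        low = line.lower()
        for ioc in iocs:
            if ioc.kind == "url":
                found = ioc.value.lower() in low
            else:
                # Word-bounded on both sides: no partial IP/domain matches.
                pattern = r"(?<![\w.])" + re.escape(ioc.value) + r"(?![\w.])"
                found = re.search(pattern, low) is not None
            if found:
                hits.append((line, ioc))
    return hits


if __name__ == "__main__":
    for line, ioc in match_logs(SAMPLE_LOGS, parse_iocs(DEFANGED_IOCS)):
        print(f"{ioc.kind:6} {ioc.value:30} <- {line}")
```

The last sample line (`142.91.3.109:8443`) is reported even though the IOC lists port 443; that is deliberate, since the host is the stronger signal and the port is easy for an operator to change.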
Detections

5+ ET Snort/Suricata Rules
20+ Sigma Rules
3 Yara Rules
Mistakes by TAs lead to detections (and memes):

github.com/The-DFIR-Repor…
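The credential-access line of the summary names two LSASS dumping methods, rundll32 with comsvcs.dll and ProcDump. The block below is an added detection example, not one of the report's own Sigma rules: it classifies constructed process-creation records (Sysmon Event ID 1 shaped dictionaries, invented here) as LSASS dumps. It matches comsvcs.dll's MiniDump export by name or by its commonly reported ordinal (`#24`), matches ProcDump by its `-ma`/`-mm` arguments rather than the binary name (the tool is routinely renamed), and resolves a numeric target PID through an assumed pid-to-image map so that a dump of a non-LSASS process is not flagged.

```python
import re
from typing import Optional

# Constructed pid -> image map standing in for a process list; an assumption.
PID_NAMES = {624: "lsass.exe", 812: "svchost.exe"}

# Constructed process-creation records; illustrative only, not report data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\x.dmp full"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe comsvcs.dll,#24 624 C:\Windows\Temp\y.bin full"},
    {"Image": r"C:\Temp\pd.exe",
     "CommandLine": r"pd.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp"},
    {"Image": r"C:\Temp\pd64.exe",
     "CommandLine": r"pd64.exe -accepteula -ma 812 C:\Temp\svc.dmp"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _targets_lsass(cmdline: str, pid_names: dict) -> bool:
    """True if the command names lsass or passes a PID that maps to lsass.exe."""
    c = cmdline.lower()
    if "lsass" in c:
        return True
    # The target may be given only as a PID; resolve it against the process list.
    return any(pid_names.get(int(t), "").lower() == "lsass.exe"
               for t in re.findall(r"\b\d+\b", c))


def classify(event: dict, pid_names: dict) -> Optional[str]:
    """Return a rule name when the process creation looks like an LSASS dump."""
    c = event["CommandLine"].lower()
    image = event["Image"].lower()
    # rundll32 comsvcs.dll MiniDump: export called by name or by ordinal #24.
    if (image.endswith("rundll32.exe") and "comsvcs" in c
            and re.search(r"minidump|comsvcs(\.dll)?\s*,\s*#24\b", c)):
        return "comsvcs_minidump" if _targets_lsass(c, pid_names) else None
    # ProcDump-style full (-ma) or mini (-mm) dump; keyed on arguments only.
    if re.search(r"(^|\s)-m[am](\s|$)", c) and _targets_lsass(c, pid_names):
        return "procdump_lsass"
    return None


def scan(events, pid_names):
    """Return (rule, command line) for every event a rule fires on."""
    out = []
    for e in events:
        rule = classify(e, pid_names)
        if rule:
            out.append((rule, e["CommandLine"]))
    return out


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS, PID_NAMES):
        print(f"{rule:18} {cmd}")
```

Without the PID map the second and fourth samples would be indistinguishable from each other on command line alone, which is why a process-creation rule for this technique is only as good as the PID context you can join it to.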


More from @TheDFIRReport

Mar 1
Here's a thread on some of the interesting things we've seen in the #ContiLeaks.

If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
New chat logs from the 26 Feb to the 28 Feb were released. It included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as "trump"). "Pumba" ends the conversation by asking to be moved to another team. #ContiLeaks
Leaked Bazar Bot panels show hundreds of past infected clients. Entries contain comments that include reconnaissance of revenue, and tracking work to be done. #ContiLeaks
Aug 5, 2021
This content looks VERY familiar...



1. "Initial Actions"
2. rclone config using Mega
3. rclone instructions
4. Powerview/UserHunter instructions

Thanks @vxunderground!!
1. NTDS dumping
2. Kerberoasting
3. Netscan (Thanks Perry)
4. Ping script
1. Dump LSASS via #CobaltStrike, RDP, Mimikatz
2. AnyDesk install/exec
3. Scheduled task and wmic exec
4. AdFind! The same script we've been seeing since 2019
Jul 8, 2021
Here's some newer #CobaltStrike servers we're tracking:

scripts[.]arshmedicalfoundation[.]com
3.142.144[.]90:443

servers[.]indiabullamc[.]com
139.180.214[.]187:80

rce[.]accountrecovery[.]co[.]uk
134.209.118[.]184:80

Full list available @ thedfirreport.com/services
#AllIntel
Here's some newer #CobaltStrike servers we're tracking:

azurecloud[.]dynssl[.]com
136.244.113[.]93:443

securesoftme[.]azureedge[.]net
162.244.80[.]181:80|443

www[.]msclientweb[.]com
147.182.175[.]159:443

Full list available @ thedfirreport.com/services
#AllIntel
Here's some newer #CobaltStrike servers we're tracking:

macrodown[.]azureedge[.]net
85.93.88[.]165:80

taobao[.]alibaba-cn[.]ga
155.94.163[.]56:80

upload[.]dwi22g[.]com
185.244.150[.]52:443

Full list available @ thedfirreport.com/services
#AllIntel
Mar 29, 2021
Sodinokibi (aka REvil) Ransomware

➡️TTR: 4 hours
➡️Initial Access: IcedID
➡️Discovery: nltest, net, wmic, AdFind, BloodHound, etc.
➡️PrivEsc: UAC-TokenMagic & Invoke-SluiBypass
➡️Defense Evasion: Safe Mode & new GPO
➡️Exfil: Rclone
➡️C2: CobaltStrike

thedfirreport.com/2021/03/28/sod…
Shout-out to @hatching_io, @lazyactivist192, @malwrhunterteam, and @R3MRUM. Thanks for doing what you do!

IOCs, ransomware files, PCAPs, logs, memory captures, etc. available @ thedfirreport.com/services
🔥C2🔥:

CobaltStrike:
smalleststores[.]com
cloudmetric[.]online
45.86.163[.]78:80
45.86.163[.]78:443
195.189.99[.]74:8080
195.189.99[.]74:80
45.86.163[.]78:8080

IcedID:
nomovee[.]website
cikawemoret34[.]space
161.35.109[.]168:443
206.189.10[.]247:80