This script will extract the final DLL of the recent BumbleBee PowerShell Loaders.

BumbleBeePS1LoaderExtractor.py

from base64 import b64decode
import re
import os
import gzip

PS1_FILE_PATH = '' # Full path to inital ps1 payload
OUTPUT_FOLDER = '' # Full path for archives, example: C:/Users/Bumble/Archives/
OUTPUT_FILE = '' # Full path for second stage script
OUTPUT_PAYLOAD = '' # Full path for final DLL

REG_PATTERN = '^\$elem.*\=\"(.*)\"$'

archiveIndex = 0

if not os.path.exists(OUTPUT_FOLDER):
    os.makedirs(OUTPUT_FOLDER)

ps1File = open(PS1_FILE_PATH, 'rb').readlines()
for line in ps1File:
    regMatch = re.findall(REG_PATTERN, line.replace(b'\x00',b'').decode('iso-8859-1'))
    if regMatch:
        varData = b64decode('H' + regMatch[0][1:])
        open(f'{OUTPUT_FOLDER}/archive{archiveIndex}.gz', 'wb').write(varData)
        print(f'[+] gz archive was created in:{OUTPUT_FOLDER}/archive{archiveIndex}.gz')
        archiveIndex += 1

countArchives = sum(1 for file in os.scandir(OUTPUT_FOLDER))

finalString = ''

for x in range(0,countArchives):
    with gzip.open(f'{OUTPUT_FOLDER}/archive{x}.gz', 'rb') as f:
        finalString += f.read().decode('utf-8')

open(OUTPUT_FILE, 'w').write(finalString)

ps1FileContent = open(OUTPUT_FILE, 'r').readlines()
REG_PATTERN = '^\$mbVar.*FromBase64String\(\"(.*)\"\)$'

finalPayload = b''
for line in ps1FileContent:
    regMatch = re.findall(REG_PATTERN, line)
    if regMatch:
        finalPayload += b64decode(regMatch[0])

open(OUTPUT_PAYLOAD, 'wb').write(b'\x4d' + finalPayload[1:])
print(f'[+] Payload was extracted to the path:{OUTPUT_PAYLOAD}')