Decoding the Stealthy Memory-Only Malware

Aug. 23, 2024, 9:31 a.m.

Tags
malware
obfuscation
powershell
infostealer
cryptbot
javascript
2024-08-23
lummac.v2
shadowladder
External References
Description

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloader script, PEAKLIGHT, responsible for retrieving additional payloads from a content delivery network. The report examines different variations of PEAKLIGHT and the malware it delivers, including LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. The analysis highlights the obfuscation techniques employed by the threat actors, such as system binary proxy execution and CDN abuse.

Date

Published: Aug. 23, 2024, 9:11 a.m.

Created: Aug. 23, 2024, 9:11 a.m.

Modified: Aug. 23, 2024, 9:31 a.m.

Indicators

bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5

9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6

6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf

237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

62.133.61.56

https://forikabrof.click/flkhfaiouwrqkhfasdrhfsa.png

https://brewdogebar.com/code.vue

http://gceight8vt.top/upload.php

http://62.133.61.56/Downloads/Full%20Video%20HD%20

http://62.133.61.56/Downloads/Full

http://62.133.61.56/Downloads

tropicalironexpressiw.shop

gceight8vt.top

forikabrof.click

brewdogebar.com

understanndtytonyguw.shop

relaxtionflouwerwi.shop

patternapplauderw.shop

messtimetabledkolvk.shop

horsedwollfedrwos.shop

detailbaconroollyws.shop

deprivedrinkyfaiir.shop

considerrycurrentyws.shop

Attack Patterns

SHADOWLADDER

LUMMAC.V2

CRYPTBOT

T1218.005