The Pumpkin Eclipse - Chalubo Malware

June 4, 2024, 4:31 p.m.

Description

Chalubo is a commodity remote access trojan (RAT). First identified in 2018, employed savvy tradecraft to obfuscate its activity; it removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.

Date

Published: June 4, 2024, 3:58 p.m.

Created: June 4, 2024, 3:58 p.m.

Modified: June 4, 2024, 4:31 p.m.

Indicators

f9db9632ffd7e3bd5b700025fa9278420de0778029fe2eedb6ea7b3d7b999ef6

f5894f0cc7d9da2f188b740bb0596206038d9dba430c7d2a145d7454d9f1b4db

f37eaf27fe12b105c6661d303537787959eeb4bf52c6937d9165fd6b569faf30

ed9511c16229f4bb41f461e90fff7964e79f2c2d27e7de2b107e4d003e9e0def

e5030083c101058f52394820420a372bf93bcac2d802902d4d4c91470c96b608

d9322af52b941e76bec3d2596a1c1be47dffc4fb161656da2c7c45b3d492cfd8

d68f2ed30f344122db9f9e2729787450e1e8653e98bd61026fb4d75bf89de664

d6778d5ad096516b881bbf2aca2d790b5217dfb83bb256e3f9d710056c9b512a

c5317722effa07b56f9e81ef096b1711048eac6629c0ec72d8e8c72c6aae8f41

d0643c777b0b24ca747f7dc79d3bdfbc04d3095ded760e6a54fa62bfa6945df3

bdef8e089ffa00794f40f14ad3cdb8f1629241a4ac313bef8fe3d38e08207e4c

b5fc0c265eb192b2a2d778e66d6f076e876eeacf57c3927e406b4e1b72152038

b2e2193e49ee1240be30f5040dbb5e2c973cdfb02c3ea88ef4ffeda884de28c2

a9cea205140babed24faea1b27f62b2f36464b8562223d96ecb617258a2fd284

9b929bcc182c39540767a9b8237a8436c82997c68d4d2ba710241387c39c27f5

967289406b0da030a93cefaa2644b109260565f5f767b95ce2a5d96d49c57bf2

8f4b61975539dbfe903f448636a48168351018801f2581a63d97179c37cad979

8639bbb3ffe5fa51334c6ab4d45ae1647a29a97f061a9456991333ab166b52fd

847e7f8209803d786660c5ba6d19ce59f76fe26e3e33e50cbe6dd663d40ad569

7a81bbb1f7055cd3f30db8bb2a104b969914ccd520cf85c24b25ba5b0c720206

7a6cdae75006d44d9b61093e5e65ae45c0d153bcc87c6a69974cbdfd6fc3b58b

6be5b4bc461f1ba931bfe773df66bf5f8052626adbdf2b1156a06d0da2d8d3d1

619564061e62a6352f0ce1a06d2883d46eb69df16322b30e8a2a9c65e2d32f5f

5fc8534d490312823a49e2a13afc8a7b6b026280c79db704465fddd8a1fdc376

5b9405418b654c9418e514ae3420c72af58d418adefca43644bf2bf14d89cc5a

5b7874b18e8365e07624946a33518988aea4c72478a285a36047b4ba554a7576

59437e986acd685ad3ce48bf010efff22aa866c0fa066b0e64e510ecb026dd1a

5621cdb8d07900a333d022a9696c1a6f7e45d6cfc713558c462a3ace7c4b426f

51c421f69ad5d7a8de69efa798d1784ce7b41886dece435b879a5815a7f7a2c2

49c04e56dfb17ac16acddfcf9eff7ae82d70294a8ec70b6365ab43a07441badd

38c639a245e1dd04786881fae1060fbd72d3ed419b2f0d38d6082dc9d67876c3

2ec65d77b5146dc898acf5b14df33f49306d539f6d84784e135d32d1807b37ce

2a65fdd8c44a6b7191c09702d9f747471564346c465a42b9abbb4dfa1bc5f7fb

2653886ab93ab5d7c779b796f87199e033ce012970d565d91cf9063d6149a1f8

117bd27a209d6350b10f5c8f8cf841755c253276460be8c7681f5357e07d2e0c

0f9cfe8eefbb983daa9c0e4bfb14a29a534b1c6d00fc16fe8a762d109ad0e037

0c7c6926e854aac4dc4821be07f826157b576d0a217d74d5675d7b32eb78b50e

00550d5c2ed14a445ae13cff8eff32ba7a7dd502d145481bcd18161cf1df540d

a8a2c2f82d542b0e05848d102e2f04239982b48ba7522a83dfc8b1308d7a8c12

82c569b93da5c18ed649ebd4c2c79437db4611a6a1373e805a3cb001c64130b7

91.211.88.225

45.116.160.62

45.116.160.182

45.116.160.154

45.116.160.115

45.116.160.105

45.116.160.100

38.54.27.204

216.118.241.206

216.118.241.205

216.118.241.204

216.118.241.203

216.118.241.202

2.59.223.253

2.59.223.226

2.59.223.218

2.59.223.213

2.59.223.144

2.59.222.99

2.59.222.97

2.59.222.35

2.59.222.146

2.59.222.126

2.59.222.125

2.59.222.124

2.59.222.102

194.36.190.99

185.189.241.246

185.189.241.180

185.189.240.21

180.178.46.245

180.178.46.244

180.178.46.242

141.193.159.11

141.193.159.10

139.5.202.19

139.5.202.18

116.213.39.6

116.213.39.5

116.213.39.4

116.213.39.3

116.213.39.2

114.29.255.77

114.29.255.123

112.121.165.78

112.121.165.76

112.121.165.75

107.148.88.123

107.148.0.182

104.233.210.119

104.233.210.118

104.233.167.82

104.233.167.81

104.233.167.63

104.233.167.62

104.233.167.103

104.233.166.194

104.233.166.129

103.84.84.251

103.248.22.5

103.248.22.16

103.244.2.217

103.244.2.171

103.244.2.170

103.140.187.149

103.117.147.67

103.117.146.222

103.117.146.220

103.117.146.219

103.117.146.218

103.117.145.110

103.117.145.109

103.117.145.108

103.117.145.107

103.117.145.106

91.211.88.6

34.19.73.9

2.59.222.3

185.189.240.13

180.178.46.246

180.178.46.243

139.5.202.106

112.121.165.77

112.121.165.74

103.117.147.66

103.84.84.250

103.244.2.218

36.75.75.75

138.112.25.25

123.181.24.36

1.13.16.45

71.162.181.51

http://104.233.210.119:51248/get_scrpc

http://104.233.210.119:51248/get_fwuueicj.

www.v5002.cn

https://www.v5002.cn

https://mh.55dmh.com

https://m.isanyin.com

https://m.aiguoba.com

https://dh.id3cqcmgjcb.top

https://cu6s.com

http://xmsecu100.net/23652xxxxx000008skcai/res.dat

http://xmsecu.net/00030695mcksiqq/res.dat\t

http://xmsecu.net/00030695mcksiqq/res.dat

http://xmsecu.io/c638020vkklkjjiu/res.dat

http://xmsecu.io/00030678bbgstrjs/res.dat

http://xmsecu.io/00030674uucyttsikk/res.dat

http://secu100.com/23652xxxxx000008skcai/res.dat

http://sainnguatc.com:8080/ASUHALUMNABTC/res.dat

http://sainnguatc.com:8080/ASUHALUMNABTC

http://coreconf.net:8080/E2XRIEGSOAPU3Z5Q8/mips

http://nihiosuxnmo.com:8080/SASBCKXOWYALLCZXF

http://coreconf.net:8080/E2XRIEGSOAPU3Z5Q8

http://ammhdfgygb.com/dldsc522dsdasd/res.dat

http://91.211.88.6:8080/ASUHALUMNABTC

http://91.211.88.225:8080/SASBCKXOWYALLCZXF

http://2.59.222.97/dldsc522dsdasd/res.dat

http://194.36.190.99:38291/as/crtarm3

http://185.189.240.13:8080/E2XRIEGSOAPU3Z5Q8/res.dat

http://185.189.240.13:8080/E2XRIEGSOAPU3Z5Q8

mh.55dmh.com

m.isanyin.com

m.aiguoba.com

lighten.medyamol.com

dh.id3cqcmgjcb.top

axon-stall.riddlecamera.net

xmsecu100.net

xmsecu.net

xmsecu.io

secu100.com

sainnguatc.com

nihiosuxnmo.com

cu6s.com

coreconf.net

ammhdfgygb.com

2fgithub.com

Attack Patterns

Chalubo

T1495

T1199

T1016

T1070

T1218

T1104

T1102

T1055

T1140

T1195