The Pumpkin Eclipse - Chalubo Malware
June 4, 2024, 4:31 p.m.
Tags
External References
Description
Chalubo is a commodity remote access trojan (RAT). First identified in 2018, it employed savvy tradecraft to obfuscate its activity: it removed all files from disk to run in memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.
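Two of the traits above (the binary deleted from disk so it runs purely in memory, and a process name borrowed from an unrelated existing process) leave a footprint in Linux procfs. The following triage script is an added example written for this record, not tooling from the original report: it flags processes whose `/proc/<pid>/exe` link is marked `(deleted)` and processes whose name is shared with other processes but backed by a different executable path. The `ProcInfo` records and `SAMPLE_PROCS` are constructed sample data; the heuristic is noisy on hosts with many interpreted or self-renaming daemons and is meant as a starting point for investigation.

```python
import os
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcInfo:
    pid: int
    comm: str  # contents of /proc/<pid>/comm (process name)
    exe: str   # readlink of /proc/<pid>/exe, e.g. "/usr/sbin/sshd"


def read_procs():
    """Collect ProcInfo for every live process via /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads, exited processes, or permission denied
        procs.append(ProcInfo(pid, comm, exe))
    return procs


def find_suspects(procs):
    """Return (pid, reason) pairs for processes showing Chalubo-like traits."""
    # For each process name, count which on-disk executables normally use it.
    exes_by_comm = {}
    for p in procs:
        if not p.exe.endswith(" (deleted)"):
            exes_by_comm.setdefault(p.comm, Counter())[p.exe] += 1
    suspects = []
    for p in procs:
        if p.exe.endswith(" (deleted)"):
            suspects.append((p.pid, "in-memory: backing executable deleted from disk"))
            continue
        common_exe, _ = exes_by_comm[p.comm].most_common(1)[0]
        if p.exe != common_exe:
            suspects.append((p.pid, f"name '{p.comm}' normally belongs to {common_exe}"))
    return suspects


# Constructed sample: pid 200 runs from a deleted file, pid 400 borrows "dhcpcd".
SAMPLE_PROCS = [
    ProcInfo(1, "init", "/sbin/init"),
    ProcInfo(100, "sshd", "/usr/sbin/sshd"),
    ProcInfo(200, "sshd", "/tmp/.x (deleted)"),
    ProcInfo(300, "dhcpcd", "/usr/sbin/dhcpcd"),
    ProcInfo(301, "dhcpcd", "/usr/sbin/dhcpcd"),
    ProcInfo(400, "dhcpcd", "/data/.cache/dhcpcd"),
]

if __name__ == "__main__":
    source = read_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reason in find_suspects(source):
        print(f"pid {pid}: {reason}")
```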
Date
Published: June 4, 2024, 3:58 p.m.
Created: June 4, 2024, 3:58 p.m.
Modified: June 4, 2024, 4:31 p.m.
Indicators
Attack Patterns
Chalubo
T1495
T1199
T1016
T1070
T1218
T1104
T1102
T1055
T1140
T1195