216.73.217.22

The Pumpkin Eclipse - Chalubo Malware

· Published 04/06/2024 15:58 · Modified 04/06/2024 16:31

Export JSON

Essential information

Published
04/06/2024 15:58
Modified
04/06/2024 16:31
Tags
2024-06-04 actiontec black body button chalubo chalubo malware close code contact copy ddos download enterprise find footer form header dropdown iconbutton link lotus labs lua script lumen main meta next november october open path product reload script soho solutions span star template write
Related entities
176 observables, 10 techniques (mitre), 1 malware

Description

is a commodity remote access trojan (RAT). First identified in 2018, employed savvy tradecraft to obfuscate its activity; it removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. has payloads designed for all major /IoT kernels, pre-built functionality to perform attacks, and can execute any sent to the bot.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (176)

  • 91.211.88.225
  • 45.116.160.62
  • 45.116.160.182
  • 45.116.160.154
  • 45.116.160.115
  • 45.116.160.105
  • 45.116.160.100
  • 38.54.27.204
  • 216.118.241.206
  • 216.118.241.205
  • 216.118.241.204
  • 216.118.241.203
  • 216.118.241.202
  • 2.59.223.253
  • 2.59.223.226
  • 2.59.223.218
  • 2.59.223.213
  • 2.59.223.144
  • 2.59.222.99
  • 2.59.222.97
  • 2.59.222.35
  • 2.59.222.146
  • 2.59.222.126
  • 2.59.222.125
  • 2.59.222.124
  • 2.59.222.102
  • 194.36.190.99
  • 185.189.241.246
  • 185.189.241.180
  • 185.189.240.21
  • 180.178.46.245
  • 180.178.46.244
  • 180.178.46.242
  • 141.193.159.11
  • 141.193.159.10
  • 139.5.202.19
  • 139.5.202.18
  • 116.213.39.6
  • 116.213.39.5
  • 116.213.39.4
  • 116.213.39.3
  • 116.213.39.2
  • 114.29.255.77
  • 114.29.255.123
  • 112.121.165.78
  • 112.121.165.76
  • 112.121.165.75
  • 107.148.88.123
  • 107.148.0.182
  • 104.233.210.119
  • 104.233.210.118
  • 104.233.167.82
  • 104.233.167.81
  • 104.233.167.63
  • 104.233.167.62
  • 104.233.167.103
  • 104.233.166.194
  • 104.233.166.129
  • 103.84.84.251
  • 103.248.22.5
  • 103.248.22.16
  • 103.244.2.217
  • 103.244.2.171
  • 103.244.2.170
  • 103.140.187.149
  • 103.117.147.67
  • 103.117.146.222
  • 103.117.146.220
  • 103.117.146.219
  • 103.117.146.218
  • 103.117.145.110
  • 103.117.145.109
  • 103.117.145.108
  • 103.117.145.107
  • 103.117.145.106
  • 91.211.88.6
  • 34.19.73.9
  • 2.59.222.3
  • 185.189.240.13
  • 180.178.46.246
  • 180.178.46.243
  • 139.5.202.106
  • 112.121.165.77
  • 112.121.165.74
  • 103.117.147.66
  • 103.84.84.250
  • 103.244.2.218
  • 36.75.75.75
  • 138.112.25.25
  • 123.181.24.36
  • 1.13.16.45
  • 71.162.181.51
  • http://104.233.210.119:51248/get_scrpc
  • http://104.233.210.119:51248/get_fwuueicj.
  • www.v5002.cn
  • https://www.v5002.cn
  • https://mh.55dmh.com
  • https://m.isanyin.com
  • https://m.aiguoba.com
  • https://dh.id3cqcmgjcb.top
  • https://cu6s.com
  • http://xmsecu100.net/23652xxxxx000008skcai/res.dat
  • http://xmsecu.net/00030695mcksiqq/res.dat\t
  • http://xmsecu.net/00030695mcksiqq/res.dat
  • http://xmsecu.io/c638020vkklkjjiu/res.dat
  • http://xmsecu.io/00030678bbgstrjs/res.dat
  • http://xmsecu.io/00030674uucyttsikk/res.dat
  • http://secu100.com/23652xxxxx000008skcai/res.dat
  • http://sainnguatc.com:8080/ASUHALUMNABTC/res.dat
  • http://sainnguatc.com:8080/ASUHALUMNABTC
  • http://coreconf.net:8080/E2XRIEGSOAPU3Z5Q8/mips
  • http://nihiosuxnmo.com:8080/SASBCKXOWYALLCZXF
  • http://coreconf.net:8080/E2XRIEGSOAPU3Z5Q8
  • http://ammhdfgygb.com/dldsc522dsdasd/res.dat
  • http://91.211.88.6:8080/ASUHALUMNABTC
  • http://91.211.88.225:8080/SASBCKXOWYALLCZXF
  • http://2.59.222.97/dldsc522dsdasd/res.dat
  • http://194.36.190.99:38291/as/crtarm3
  • http://185.189.240.13:8080/E2XRIEGSOAPU3Z5Q8/res.dat
  • http://185.189.240.13:8080/E2XRIEGSOAPU3Z5Q8
  • mh.55dmh.com
  • m.isanyin.com
  • m.aiguoba.com
  • lighten.medyamol.com
  • dh.id3cqcmgjcb.top
  • axon-stall.riddlecamera.net
  • xmsecu100.net
  • xmsecu.net
  • xmsecu.io
  • secu100.com
  • sainnguatc.com
  • nihiosuxnmo.com
  • cu6s.com
  • coreconf.net
  • ammhdfgygb.com
  • 2fgithub.com
  • f9db9632ffd7e3bd5b700025fa9278420de0778029fe2eedb6ea7b3d7b999ef6
  • f5894f0cc7d9da2f188b740bb0596206038d9dba430c7d2a145d7454d9f1b4db
  • f37eaf27fe12b105c6661d303537787959eeb4bf52c6937d9165fd6b569faf30
  • ed9511c16229f4bb41f461e90fff7964e79f2c2d27e7de2b107e4d003e9e0def
  • e5030083c101058f52394820420a372bf93bcac2d802902d4d4c91470c96b608
  • d9322af52b941e76bec3d2596a1c1be47dffc4fb161656da2c7c45b3d492cfd8
  • d68f2ed30f344122db9f9e2729787450e1e8653e98bd61026fb4d75bf89de664
  • d6778d5ad096516b881bbf2aca2d790b5217dfb83bb256e3f9d710056c9b512a
  • c5317722effa07b56f9e81ef096b1711048eac6629c0ec72d8e8c72c6aae8f41
  • d0643c777b0b24ca747f7dc79d3bdfbc04d3095ded760e6a54fa62bfa6945df3
  • bdef8e089ffa00794f40f14ad3cdb8f1629241a4ac313bef8fe3d38e08207e4c
  • b5fc0c265eb192b2a2d778e66d6f076e876eeacf57c3927e406b4e1b72152038
  • b2e2193e49ee1240be30f5040dbb5e2c973cdfb02c3ea88ef4ffeda884de28c2
  • a9cea205140babed24faea1b27f62b2f36464b8562223d96ecb617258a2fd284
  • 9b929bcc182c39540767a9b8237a8436c82997c68d4d2ba710241387c39c27f5
  • 967289406b0da030a93cefaa2644b109260565f5f767b95ce2a5d96d49c57bf2
  • 8f4b61975539dbfe903f448636a48168351018801f2581a63d97179c37cad979
  • 8639bbb3ffe5fa51334c6ab4d45ae1647a29a97f061a9456991333ab166b52fd
  • 847e7f8209803d786660c5ba6d19ce59f76fe26e3e33e50cbe6dd663d40ad569
  • 7a81bbb1f7055cd3f30db8bb2a104b969914ccd520cf85c24b25ba5b0c720206
  • 7a6cdae75006d44d9b61093e5e65ae45c0d153bcc87c6a69974cbdfd6fc3b58b
  • 6be5b4bc461f1ba931bfe773df66bf5f8052626adbdf2b1156a06d0da2d8d3d1
  • 619564061e62a6352f0ce1a06d2883d46eb69df16322b30e8a2a9c65e2d32f5f
  • 5fc8534d490312823a49e2a13afc8a7b6b026280c79db704465fddd8a1fdc376
  • 5b9405418b654c9418e514ae3420c72af58d418adefca43644bf2bf14d89cc5a
  • 5b7874b18e8365e07624946a33518988aea4c72478a285a36047b4ba554a7576
  • 59437e986acd685ad3ce48bf010efff22aa866c0fa066b0e64e510ecb026dd1a
  • 5621cdb8d07900a333d022a9696c1a6f7e45d6cfc713558c462a3ace7c4b426f
  • 51c421f69ad5d7a8de69efa798d1784ce7b41886dece435b879a5815a7f7a2c2
  • 49c04e56dfb17ac16acddfcf9eff7ae82d70294a8ec70b6365ab43a07441badd
  • 38c639a245e1dd04786881fae1060fbd72d3ed419b2f0d38d6082dc9d67876c3
  • 2ec65d77b5146dc898acf5b14df33f49306d539f6d84784e135d32d1807b37ce
  • 2a65fdd8c44a6b7191c09702d9f747471564346c465a42b9abbb4dfa1bc5f7fb
  • 2653886ab93ab5d7c779b796f87199e033ce012970d565d91cf9063d6149a1f8
  • 117bd27a209d6350b10f5c8f8cf841755c253276460be8c7681f5357e07d2e0c
  • 0f9cfe8eefbb983daa9c0e4bfb14a29a534b1c6d00fc16fe8a762d109ad0e037
  • 0c7c6926e854aac4dc4821be07f826157b576d0a217d74d5675d7b32eb78b50e
  • 00550d5c2ed14a445ae13cff8eff32ba7a7dd502d145481bcd18161cf1df540d
  • a8a2c2f82d542b0e05848d102e2f04239982b48ba7522a83dfc8b1308d7a8c12
  • 82c569b93da5c18ed649ebd4c2c79437db4611a6a1373e805a3cb001c64130b7

Techniques (MITRE) (10)

  • T1495
    Firmware Corruption
  • T1199
    Trusted Relationship
  • T1016
    System Network Configuration Discovery
  • T1070
    Indicator Removal
  • T1218
    System Binary Proxy Execution
  • T1104
    T1104
  • T1102
    Web Service
  • T1055
    Process Injection
  • T1140
    Deobfuscate/Decode Files or Information
  • T1195
    Supply Chain Compromise

Malware (1)

  • Chalubo
    Family
    Published 04/06/2024 15:58 · Modified 04/06/2024 15:58

External references