
Monday, September 2, 2024

2024-08-22 PEAKLIGHT Stealthy Memory-Only Malware Samples

Analysis of complex memory-only malware that uses a multi-stage infection chain to evade detection. The attack starts with a malicious Microsoft Shortcut File (LNK) hidden in fake movie ZIP files. When executed, this file uses forfiles.exe and mshta.exe to run a heavily obfuscated PowerShell script, which downloads more payloads from a remote CDN. The script operates entirely in memory and uses custom decryption routines to handle encrypted payloads, protected by AES-CBC or AES-ECB and encoded in hexadecimal or Base64.

PEAKLIGHT further evades detection by using DLL side-loading to execute infostealers such as Cryptbot and SHADOWLADDER, by unpacking ZIP files on the fly and running their contents from hidden directories, and by relying on legitimate Windows tools and trusted content delivery networks for its operations.
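As an added detection example (not from the original post or from the referenced analysis), the following Python walks constructed Sysmon-style process-creation events and flags mshta.exe or PowerShell processes that have forfiles.exe among their recent ancestors, the LNK launch chain described above; the log line format, process ids and paths are assumptions.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# Constructed process-creation events (pid, parent pid, image path); not real telemetry.
# The first chain mirrors explorer.exe (LNK click) -> forfiles.exe -> mshta.exe -> PowerShell;
# the second is a benign forfiles.exe use from cmd.exe that should not alert.
SAMPLE_EVENTS = """\
pid=1000 ppid=800 image=C:\\Windows\\explorer.exe
pid=1100 ppid=1000 image=C:\\Windows\\System32\\forfiles.exe
pid=1200 ppid=1100 image=C:\\Windows\\System32\\mshta.exe
pid=1300 ppid=1200 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
pid=2100 ppid=1000 image=C:\\Windows\\System32\\cmd.exe
pid=2200 ppid=2100 image=C:\\Windows\\System32\\forfiles.exe
pid=2300 ppid=2200 image=C:\\Windows\\System32\\notepad.exe
"""

LINE_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(\S+)")
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
TRIGGER_PARENT = "forfiles.exe"
MAX_DEPTH = 3  # number of ancestor hops to inspect above the script host


def parse_events(text):
    """Parse 'pid= ppid= image=' lines into a pid -> Proc map (image reduced to its basename)."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, ppid, image = int(m.group(1)), int(m.group(2)), m.group(3)
            procs[pid] = Proc(pid, ppid, image.rsplit("\\", 1)[-1].lower())
    return procs


def ancestry(procs, pid, max_depth=MAX_DEPTH):
    """Return image names of the process and up to max_depth ancestors, nearest first."""
    chain, cur = [], procs.get(pid)
    while cur is not None and len(chain) <= max_depth:
        chain.append(cur.image)
        cur = procs.get(cur.ppid)
    return chain


def find_forfiles_chains(procs):
    """Flag script hosts (mshta/PowerShell) with forfiles.exe among their ancestors."""
    hits = []
    for pid, p in procs.items():
        chain = ancestry(procs, pid)
        if p.image in SCRIPT_HOSTS and TRIGGER_PARENT in chain[1:]:
            hits.append((pid, " -> ".join(reversed(chain))))
    return hits


if __name__ == "__main__":
    for pid, chain in find_forfiles_chains(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={pid}: {chain}")
```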

Download

File Information

