PEAKLIGHT: Illuminating the Shadows

    Date: 01/22/2025

    Severity: Medium

    Summary

    PEAKLIGHT is a PowerShell-based downloader, first identified by Mandiant, that delivers infostealers sold through malware-as-a-service offerings. The infection chain starts with a Microsoft Shortcut File (LNK) that reaches out to a CDN, which serves a JavaScript dropper. The dropper in turn runs a PowerShell script that fetches the final payloads, including LummaC2, HijackLoader, and CryptBot. The name "PEAKLIGHT" refers to the malware's role in bringing these payloads onto a host while the activity itself stays covert; for defenders, the LNK-to-CDN-to-PowerShell sequence is the behaviour worth hunting alongside the hash indicators below.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    sha256hash IN ("8ea35c2bfdf4cad1197abadd19f4f0e09579afcfdb32abc7e71bb5818c6d3ba6","8220a9b7b5a2ca3188278ea2e576df9b96d2d23ddfddc2fd5260851dcff9218a","c18219bff85d2db88626e0f3b45a55558e5adbabea84f8a8132313338fea2383","480667dd13f7ac103847dd7f19c61e4b676210568fa0dfc3a4f354e688618cae","164bccacc811b573c359f001fc433ca7e08cae806422a33981aa446f502d28e8","6a4ccd0f0bf4985af98f5e40da68cff98881c45b2f32dc03619f78bf43418575","76cf24666515ee68ffa0a4756884e42783af499d6ba01c1aaa5d352900af349a")

    Detection Query 2

    md5hash IN ("9ac418c2925b4026c3e2a18734f9923b","a0544a9da1f3cc3f51cb227005ce984e","25e7cee7a15413a5171636165e0e0473","a6aa04067a00840bd40f5cbbd551800d","4b29635ecb4afdf5b7bde98aef117f5d","76542aff65c99957776d45d81337163c","7ac24d827758131eb0a58b32e01ad4e6","6256a054d02e57e9f09211dae0e0429e","1928fc6a52da76bc8fa4e4aa3bf5dd27","087dd017a8261d6c06f3401db80e0c33","d53df33a543f82f01cd65a969c026f0c","762d0bf4de8d11d709c56029eb902274","34347638bdf37ee21b971dfe2d9f69a9","fe2880259f82e5da4a7cc7bb0d9e983f","1c9724d7b7ef354f4ccc0ceeb178374a","b874532b90be5bd56eca4b28951f2f76","c86bc7bcabe91e27c43fe08b8e23d816","165394413aa5c037bb2527eb50117083","569b906fe8dbb14621c2252b4571d627","90de1044962e092ea916ae08649227ba","0d607a2750534d9f766109bda6b1f64f","6512f4488986f503a7e8fbb190de5d35","624101f6b4285e2425c8851c2350d787","afcfa278d35726531039ed7311ffb41c","6f31310e10aa5facb395d7d86405233f","c7457eb8cd1165d1e3392c79eaf9dd9d","c90cd850078a3688894afc507e6b9ce8","68b5c374fab2ba56faa7e4e7f7524753","2b4fda1a5ba8b1f32a629fa2eaf3b4a4","100803ba06906668a3d67de120d96a8c","ae4dbbe945aeacfa5bb920e8d85cd0cb","40a2e2f1f905c2917bf236ed8c7de180","466ad64f877888f59d8741fa7062cbe8","9f9f82c147b71f7d9bb2a16eac345f62","ef1e6fc41fc225dc1fcddb2d46e7908f","c5997a14e872d97d48e1d4ea8b66910f","00cf9fd36c2868c46213b30cbc0aec64","3ad01b6c99c252f92d17473e8988ee2c","a3cf7c78d143162733c64741467b5b90","f9bdd8a74c2aa0240891a88c3568e913","08a0a6e7f4a639f48ff1a44e3fb71467","78ba98ea23ee5075a0ff2974bedf9925","768acf01fb1307b85111624f1081558b","f16fd1b2fbbf2388361cfcde055aa9e5","cdbf2db8c078c2964d02c7518e3bed81","2263edd629a11dd0c4f2d53c93c7f1d5","856d2403156f94f3d2b411d83675facf","e9c39ccd214cc4e72d93569bfee1aaf3","73c7642674cc373755aecb1633199af8","d645880d73ca07c8213f1889eee11e6b")
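    The two queries above are plain hash-set lookups, so the same logic can be replayed outside the Gurucul platform. The block below is an added example, not part of the original advisory or of Gurucul's product: it parses queries of the `<field> IN ("h1","h2",...)` shape into rule sets, rejects any hash whose length does not fit the field (a truncated or mis-copied SHA256 in a sha256hash rule would otherwise silently never match), and evaluates the rules over a constructed set of endpoint events. Only four of the advisory's hashes are embedded to keep it short; the event field names `sha256hash` and `md5hash` are assumed to match the query fields.

```python
import re

# Hash values copied from the advisory's detection queries (a subset, for brevity).
QUERY_SHA256 = ('sha256hash IN ("8ea35c2bfdf4cad1197abadd19f4f0e09579afcfdb32abc7e71bb5818c6d3ba6",'
                '"8220a9b7b5a2ca3188278ea2e576df9b96d2d23ddfddc2fd5260851dcff9218a")')
QUERY_MD5 = 'md5hash IN ("9ac418c2925b4026c3e2a18734f9923b","a0544a9da1f3cc3f51cb227005ce984e")'

# Expected hex length per field; a value of the wrong length can never match real telemetry.
HEX_LENGTH = {"sha256hash": 64, "md5hash": 32}


def parse_query(query):
    """Parse `<field> IN ("h1","h2",...)` into (field, set of lowercase hashes)."""
    m = re.fullmatch(r'\s*(\w+)\s+IN\s*\((.*)\)\s*', query, re.S)
    if not m:
        raise ValueError("unsupported query shape: " + query[:40])
    field, body = m.group(1), m.group(2)
    values = {v.lower() for v in re.findall(r'"([0-9A-Fa-f]+)"', body)}
    expected = HEX_LENGTH.get(field)
    bad = [v for v in values if expected is not None and len(v) != expected]
    if bad:
        raise ValueError("%s contains hashes of the wrong length: %s" % (field, bad))
    return field, values


def build_rules(queries):
    """Merge several queries into {field: set_of_hashes}."""
    rules = {}
    for q in queries:
        field, values = parse_query(q)
        rules.setdefault(field, set()).update(values)
    return rules


def match_events(events, rules):
    """Return (event_index, field, hash) for every event whose hash field hits a rule."""
    hits = []
    for i, ev in enumerate(events):
        for field, values in rules.items():
            h = str(ev.get(field, "")).lower()   # normalise case before lookup
            if h in values:
                hits.append((i, field, h))
    return hits


# Constructed sample events (hypothetical hosts and paths); only the hashes come from the advisory.
SAMPLE_EVENTS = [
    {"host": "ws01", "path": "C:\\Users\\a\\Downloads\\video.lnk",
     "sha256hash": "8EA35C2BFDF4CAD1197ABADD19F4F0E09579AFCFDB32ABC7E71BB5818C6D3BA6"},
    {"host": "ws02", "path": "C:\\Users\\b\\AppData\\Local\\Temp\\x.ps1",
     "md5hash": "a0544a9da1f3cc3f51cb227005ce984e"},
    {"host": "ws03", "path": "C:\\Windows\\System32\\notepad.exe",
     "sha256hash": "0" * 64, "md5hash": "0" * 32},
]


def run_demo():
    rules = build_rules([QUERY_SHA256, QUERY_MD5])
    return match_events(SAMPLE_EVENTS, rules)   # two hits: ws01 (sha256) and ws02 (md5)
```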

    Reference:

    https://medium.com/trac-labs/peaklight-illuminating-the-shadows-02a1bb44885c

    Tags

    Malware, Lummac, HijackLoader, CryptBot
