Analysis
max time kernel: 22s
max time network: 23s
platform: windows10_x64
resource: win10v20210408
submitted: 01-05-2021 12:27
Static task: static1
General
Target: Phantom.exe
Size: 1.5MB
MD5: de410adc180c797cacd651d8cdce4bf5
SHA1: 4366c4de79abd01a8e4fc8cb135807f857a7acdd
SHA256: 3d5f85346e83ad7a3c1e881c20afc95dd4d7ddf0a1372e47193761225e054cd4
SHA512: d1c38390395fa720460b2188be6a96bbaa4f34c642d5e827f5e3c4ab9f14b7d8d77ec73691a514902671a0b796e4aebd2269b20a71570dc1e4095ee69988bff0
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
5     api.ipify.org
6     api.ipify.org
11    ip-api.com

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid  process
740  Phantom.exe
740  Phantom.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid  process
Token: SeDebugPrivilege  740  Phantom.exe