General

  • Target: 87f381d998b7a808b5514dee3b54f101f02116c3192671111762aafe9cf2a868
  • Size: 6.5MB
  • Sample: 250602-kgmt3aaj7w
  • MD5: ffc03520436f0da1142009d02f9eadf5
  • SHA1: ca65e6b3ba78fcf6046b810448647b355012b0a4
  • SHA256: 87f381d998b7a808b5514dee3b54f101f02116c3192671111762aafe9cf2a868
  • SHA512: bb74661db74898a0ca70a7f8f8899fdf8b37fe948926bd8718a6415cac9f724b0ed2d02f6126829d223c023b98f74037ce3b32c109194fed3d651777706cf3b6
  • SSDEEP: 196608:H8zwFIohWL95Vf4LK4b4oXOJp6iHr5ayvG8qkRAlX:+wbWLrRYK4koX9iHV19RAlX

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.tecnostone.com.br
  • Port: 587
  • Username: [email protected]
  • Password: nga=HF5ye(a}

Extracted

Family

phantomstealer

Version

v2.0

Mutex

MXPWAYYXTHFI9GBMMZU0

Attributes

  • anti_analysis: 0
  • cb_enables_ssl: 1
  • debug: 1
  • keylogger: 1
  • rb_discord: 0
  • rb_smtp: 1
  • rb_telegram: 0
  • start_delay: 0
  • startup: 1
  • webcam_screenshot: 0

Targets

    • Target: New folder/PROFORMA DA VSL’S DISCH 16000 MTS PETROLEUM COKE SF ABT 47’ WOG.exe
    • Size: 6.6MB
    • MD5: c3af80bd20501ed614a3a5c4bc196c80
    • SHA1: 6c47ea4c5bf8651008f7ce3570688585af6457bc
    • SHA256: 0ebd2b53b4a52b33438592b1489ebdd6edde665818ac4f0364735ff1914a8a07
    • SHA512: cc5384c7d56a82c39db86536f6810550144b70bb821cdd4ba90a6674204bdb7dad9096b1c86ec07355dddb31f7f25a2c10a63681c9833e8a66cce6899bdc1272
    • SSDEEP: 196608:ul92V8uxCjpLhvSbKqj2EX6ZXIexTJ0OtGAy2DItlo:g2HCj1B2KqyEXXex1NRDItlo

    • Phantomstealer family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks