General
Target: 87f381d998b7a808b5514dee3b54f101f02116c3192671111762aafe9cf2a868
Size: 6.5MB
Sample: 250602-kgmt3aaj7w
MD5: ffc03520436f0da1142009d02f9eadf5
SHA1: ca65e6b3ba78fcf6046b810448647b355012b0a4
SHA256: 87f381d998b7a808b5514dee3b54f101f02116c3192671111762aafe9cf2a868
SHA512: bb74661db74898a0ca70a7f8f8899fdf8b37fe948926bd8718a6415cac9f724b0ed2d02f6126829d223c023b98f74037ce3b32c109194fed3d651777706cf3b6
SSDEEP: 196608:H8zwFIohWL95Vf4LK4b4oXOJp6iHr5ayvG8qkRAlX:+wbWLrRYK4koX9iHV19RAlX
Static task: static1
Behavioral task: behavioral1
Sample: New folder/PROFORMA DA VSL’S DISCH 16000 MTS PETROLEUM COKE SF ABT 47’ WOG.exe
Resource: win10v2004-20250502-en
Malware Config
Extracted
Protocol: smtp
Host: mail.tecnostone.com.br
Port: 587
Username: [email protected]
Password: nga=HF5ye(a}
Extracted
Family: phantomstealer
Version: v2.0
Protocol: smtp
Host: mail.tecnostone.com.br
Port: 587
Username: [email protected]
Password: nga=HF5ye(a}
Email To: [email protected]
MXPWAYYXTHFI9GBMMZU0
anti_analysis: 0
cb_enables_ssl: 1
debug: 1
keylogger: 1
rb_discord: 0
rb_smtp: 1
rb_telegram: 0
start_delay: 0
startup: 1
webcam_screenshot: 0
Targets
Target: New folder/PROFORMA DA VSL’S DISCH 16000 MTS PETROLEUM COKE SF ABT 47’ WOG.exe
Size: 6.6MB
MD5: c3af80bd20501ed614a3a5c4bc196c80
SHA1: 6c47ea4c5bf8651008f7ce3570688585af6457bc
SHA256: 0ebd2b53b4a52b33438592b1489ebdd6edde665818ac4f0364735ff1914a8a07
SHA512: cc5384c7d56a82c39db86536f6810550144b70bb821cdd4ba90a6674204bdb7dad9096b1c86ec07355dddb31f7f25a2c10a63681c9833e8a66cce6899bdc1272
SSDEEP: 196608:ul92V8uxCjpLhvSbKqj2EX6ZXIexTJ0OtGAy2DItlo:g2HCj1B2KqyEXXex1NRDItlo
- Phantomstealer family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
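The extracted SMTP configuration above and the behaviours listed in this section are the indicators a responder turns into hunting rules. What follows is an added example, not the sandbox's or the report's own code: a small Python rule set run over constructed, Sysmon-style events. The event field names ("type", "image", "command_line", "script", "dest_host", "dest_port") and the list of IP-lookup hosts are assumptions, not taken from the report; the C2 host and port are copied from the extracted config. It flags PowerShell adding Defender exclusions (from either the command line or a logged script block), a Chromium-family browser started with a remote-debugging switch, a request to an external IP-lookup service, and an SMTP connection to the host and port named in the config.

```python
"""Hunting rules for the behaviours this report lists, run over constructed events.

Added example for this page; not the sandbox vendor's code and not part of the
report. The event shape is an assumption modelled loosely on Sysmon event types;
the IP-lookup host list is an assumption (the report names no service).
"""
import re
from typing import Dict, List

# Indicators taken from the report's extracted phantomstealer config.
SMTP_C2_HOST = "mail.tecnostone.com.br"
SMTP_C2_PORT = 587

# PowerShell tampering with Defender: Add-/Set-MpPreference with an -Exclusion* parameter.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\r\n]*?-Exclusion(?:Path|Extension|Process)\b",
    re.IGNORECASE,
)
# Chromium-family switches that let another process drive the browser over DevTools.
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.IGNORECASE)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# Assumed set of "legitimate IP lookup services"; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org", "icanhazip.com"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> List[str]:
    """Return the report behaviours a single event matches (empty list if none)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "process_create":
        image = _basename(event.get("image", ""))
        cmd = event.get("command_line", "")
        if image in POWERSHELL_IMAGES and DEFENDER_EXCLUSION_RE.search(cmd):
            hits.append("defender_exclusion_via_powershell")
        if image in BROWSER_IMAGES and REMOTE_DEBUG_RE.search(cmd):
            hits.append("browser_remote_debugging")
    elif kind == "script_block":
        # Script-block logging still shows the cmdlet when the command line was encoded.
        if DEFENDER_EXCLUSION_RE.search(event.get("script", "")):
            hits.append("defender_exclusion_via_powershell")
    elif kind == "network_connect":
        host = event.get("dest_host", "").lower()
        port = event.get("dest_port")
        # Host and port together: the config names both, and the mail server may carry other traffic.
        if host == SMTP_C2_HOST and port == SMTP_C2_PORT:
            hits.append("smtp_exfil_to_reported_c2")
        elif host in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    return hits


def run_rules(events) -> Dict[str, List[str]]:
    """Map each event id to its matched behaviours, omitting events with no hits."""
    results: Dict[str, List[str]] = {}
    for event in events:
        hits = classify(event)
        if hits:
            results[event["id"]] = hits
    return results


# Constructed sample telemetry; these lines are not from the report's behavioural trace.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath $env:APPDATA -ExclusionExtension exe"'},
    {"id": "e2", "type": "process_create",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"chrome.exe" --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\x\AppData\Local\Google\Chrome\User Data"'},
    {"id": "e3", "type": "process_create",  # benign browser launch, should not fire
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"chrome.exe" https://example.com'},
    {"id": "e4", "type": "network_connect", "dest_host": "api.ipify.org", "dest_port": 443},
    {"id": "e5", "type": "network_connect", "dest_host": "mail.tecnostone.com.br", "dest_port": 587},
    {"id": "e6", "type": "script_block", "script": "Set-MpPreference -ExclusionProcess 'WOG.exe'"},
]

if __name__ == "__main__":
    for event_id, hits in run_rules(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

The C2 rule is keyed on host and port together rather than host alone: the report does not say whether the mailbox is attacker-owned or a compromised legitimate account, so blocking the mail server outright may have collateral effects, and a match on process image plus connection is the safer alert. The script-block rule is there because the command-line rule misses -EncodedCommand invocations.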
MITRE ATT&CK Enterprise v16
Persistence
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Modify Authentication Process (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)