General
- Target: Transaction_receipt_001.js
- Size: 1KB
- Sample: 250603-rs4ehstnt2
- MD5: 1fce2dd8700a03f40d4924820b77dfed
- SHA1: 8375f1d9cfa0cf6783e4deaac0c39e990f90a815
- SHA256: 83dfe38b7b7b5e4f720a22d588efaeba41e95641f1b3a69532d7c8d4c6cbaa0a
- SHA512: 5e09cb0d9d738493ab257cd94a563812d7d10f02322d02846cb6f91a69c20b47900e044ca43e6c4d9beb027f7ec7292683f4ae74c098b51f221b7d78db432ae8
Static task: static1
Behavioral task: behavioral1
- Sample: Transaction_receipt_001.js
- Resource: win10v2004-20250502-en
Malware Config
Extracted: phantomstealer v2.0
- C2 (Telegram Bot API): https://api.telegram.org/bot7780256038:AAFrQkbg3W17BeB2WNvEEgkBwmZCEVUL5do/sendMessage?chat_id=6606011484
- Build ID: ABRNA4RA5VV8T6ZJLM1P
- anti_analysis: 0
- cb_enables_ssl: 0
- clipper: 1
- debug: 0
- grabber: 1
- keylogger: 1
- rb_discord: 0
- rb_smtp: 0
- rb_telegram: 1
- start_delay: 1
- startup: 1
- webcam_screenshot: 0
Targets
- Target: Transaction_receipt_001.js
- Size: 1KB
- MD5: 1fce2dd8700a03f40d4924820b77dfed
- SHA1: 8375f1d9cfa0cf6783e4deaac0c39e990f90a815
- SHA256: 83dfe38b7b7b5e4f720a22d588efaeba41e95641f1b3a69532d7c8d4c6cbaa0a
- SHA512: 5e09cb0d9d738493ab257cd94a563812d7d10f02322d02846cb6f91a69c20b47900e044ca43e6c4d9beb027f7ec7292683f4ae74c098b51f221b7d78db432ae8
Signatures
- Phantomstealer family
- Blocklisted process makes network request
- Uses browser remote debugging: can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16
Persistence
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
- Modify Authentication Process: 1
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Modify Authentication Process: 1
- Steal Web Session Cookie: 1
- Unsecured Credentials: 1
- Credentials In Files: 1