General

  • Target

    Transaction_receipt_001.js

  • Size

    1KB

  • Sample

    250603-rs4ehstnt2

  • MD5

    1fce2dd8700a03f40d4924820b77dfed

  • SHA1

    8375f1d9cfa0cf6783e4deaac0c39e990f90a815

  • SHA256

    83dfe38b7b7b5e4f720a22d588efaeba41e95641f1b3a69532d7c8d4c6cbaa0a

  • SHA512

    5e09cb0d9d738493ab257cd94a563812d7d10f02322d02846cb6f91a69c20b47900e044ca43e6c4d9beb027f7ec7292683f4ae74c098b51f221b7d78db432ae8

Malware Config

Extracted

Family

phantomstealer

Version

v2.0

C2

https://api.telegram.org/bot7780256038:AAFrQkbg3W17BeB2WNvEEgkBwmZCEVUL5do/sendMessage?chat_id=6606011484

Mutex

ABRNA4RA5VV8T6ZJLM1P

Attributes
  • anti_analysis

    0

  • cb_enables_ssl

    0

  • clipper

    1

  • debug

    0

  • grabber

    1

  • keylogger

    1

  • rb_discord

    0

  • rb_smtp

    0

  • rb_telegram

    1

  • start_delay

    1

  • startup

    1

  • webcam_screenshot

    0
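The extracted config above is the part of this report that survives repacking: the Telegram bot token and chat_id identify the operator, while the file hashes only identify this one 1KB dropper. The block below is an added example, not code from the sandbox or from PhantomStealer, that parses the C2 URL into its components (using the public Telegram Bot API URL shape https://api.telegram.org/bot<id>:<secret>/<method>), defangs it for a ticket, and lists which capability flags this build actually has switched on. The config values are copied from the report; reading the `rb_` prefix as "report-back" channel is an assumption.

```python
"""Added example (not part of the sandbox report or the PhantomStealer code):
turn the extracted config into indicators an analyst can act on."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Values copied from the report's "Malware Config" section.
C2_URL = ("https://api.telegram.org/bot7780256038:AAFrQkbg3W17BeB2WNvEEgkBwmZCEVUL5do"
          "/sendMessage?chat_id=6606011484")
MUTEX = "ABRNA4RA5VV8T6ZJLM1P"
ATTRIBUTES = {
    "anti_analysis": 0, "cb_enables_ssl": 0, "clipper": 1, "debug": 0,
    "grabber": 1, "keylogger": 1, "rb_discord": 0, "rb_smtp": 0,
    "rb_telegram": 1, "start_delay": 1, "startup": 1, "webcam_screenshot": 0,
}

# Public Telegram Bot API path shape: /bot<numeric id>:<secret>/<method>
BOT_PATH = re.compile(
    r"^/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    token: str
    method: str
    chat_id: str


def parse_telegram_c2(url: str) -> TelegramC2:
    """Split a Telegram bot C2 URL into the pieces worth pivoting on.

    The token is the bearer credential the stealer embeds; the chat_id is the
    operator's inbox. Both stay constant across samples from one operator,
    unlike the dropper's file hash."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API URL: {url}")
    m = BOT_PATH.match(parts.path)
    if not m:
        raise ValueError(f"unexpected bot path: {parts.path}")
    chat_ids = parse_qs(parts.query).get("chat_id", [])
    if len(chat_ids) != 1:
        raise ValueError("expected exactly one chat_id parameter")
    return TelegramC2(m["bot_id"], m["token"], m["method"], chat_ids[0])


def defang(url: str) -> str:
    """Make the URL safe to paste into a ticket (hxxps, bracketed dots)."""
    return (url.replace("https://", "hxxps://")
               .replace("http://", "hxxp://")
               .replace(".", "[.]"))


def enabled_capabilities(attrs: dict) -> list:
    """Flags set to 1 in the config, i.e. what this build actually does."""
    return sorted(k for k, v in attrs.items() if v == 1)


def exfil_channels(attrs: dict) -> list:
    """'rb_' channels that are switched on (assumed to mean report-back)."""
    return sorted(k[len("rb_"):] for k, v in attrs.items()
                  if k.startswith("rb_") and v == 1)


def indicator_report(url: str = C2_URL, attrs: dict = ATTRIBUTES,
                     mutex: str = MUTEX) -> dict:
    """Everything a responder needs to block, hunt and report this build."""
    c2 = parse_telegram_c2(url)
    return {
        "c2_defanged": defang(url),
        "telegram_bot_id": c2.bot_id,
        "telegram_chat_id": c2.chat_id,
        "telegram_token": c2.token,
        "telegram_method": c2.method,
        "mutex": mutex,
        "capabilities": enabled_capabilities(attrs),
        "exfil_channels": exfil_channels(attrs),
    }


if __name__ == "__main__":
    for key, value in indicator_report().items():
        print(f"{key}: {value}")
```

The token is a plain bearer credential: anyone holding it can read the bot's updates and post to the chat, which is why it, rather than the hash, is what to share with Telegram's abuse contact and with peers. The mutex is the host-side pivot: a second sample from the same builder will typically reuse it even when the dropper bytes differ.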

Targets

    • Target

      Transaction_receipt_001.js

    • Size

      1KB

    • MD5

      1fce2dd8700a03f40d4924820b77dfed

    • SHA1

      8375f1d9cfa0cf6783e4deaac0c39e990f90a815

    • SHA256

      83dfe38b7b7b5e4f720a22d588efaeba41e95641f1b3a69532d7c8d4c6cbaa0a

    • SHA512

      5e09cb0d9d738493ab257cd94a563812d7d10f02322d02846cb6f91a69c20b47900e044ca43e6c4d9beb027f7ec7292683f4ae74c098b51f221b7d78db432ae8

    • Phantomstealer family

    • Blocklisted process makes network request

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
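The behavioural signatures above are what a detection engineer can reuse on endpoint telemetry, since the dropper's hash will not recur. The block below is an added example, not the sandbox's own rule logic, that expresses four of them (browser remote debugging, a script host making a network request, an external IP lookup, and a non-browser process talking to api.telegram.org) as checks over process and network events. The event shape, the process names and PIDs in the sample events, the script-host list and the IP-lookup host list are all constructed or assumed; the report names neither the blocklisted process nor the IP lookup service it saw.

```python
"""Added example (not from the sandbox report): the report's behavioural
signatures as checks over constructed process/network telemetry."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One EDR-style record; dest_host is set only for network events."""
    pid: int
    image: str                      # process image name, lower-case
    cmdline: str = ""
    dest_host: Optional[str] = None


BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Assumption: Windows script hosts a 1KB .js dropper would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: common legitimate IP lookup services; the report names none.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                   "ip-api.com", "checkip.amazonaws.com"}
C2_HOSTS = {"api.telegram.org"}     # from the report's C2 URL


def browser_remote_debugging(e: Event) -> bool:
    """A browser started with the DevTools remote-debugging switches, which
    lets another local process drive it and read cookies and credentials."""
    return e.image in BROWSERS and (
        "--remote-debugging-port" in e.cmdline or
        "--remote-debugging-pipe" in e.cmdline)


def script_host_network(e: Event) -> bool:
    """Script host (wscript/cscript/mshta) making any network connection."""
    return e.dest_host is not None and e.image in SCRIPT_HOSTS


def external_ip_lookup(e: Event) -> bool:
    """Any process asking a public service for the host's external IP."""
    return e.dest_host in IP_LOOKUP_HOSTS


def telegram_from_non_browser(e: Event) -> bool:
    """Bot API traffic from something that is not a browser."""
    return e.dest_host in C2_HOSTS and e.image not in BROWSERS


RULES: Dict[str, Callable[[Event], bool]] = {
    "browser_remote_debugging": browser_remote_debugging,
    "script_host_network": script_host_network,
    "external_ip_lookup": external_ip_lookup,
    "telegram_from_non_browser": telegram_from_non_browser,
}


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) pairs for every event that trips a rule."""
    hits = {(name, e.pid) for e in events
            for name, rule in RULES.items() if rule(e)}
    return sorted(hits)


# Constructed sample telemetry mirroring the report's signatures; process
# names, PIDs and the dropped EXE name are invented for illustration.
SAMPLE_EVENTS = [
    Event(4120, "wscript.exe",
          cmdline='wscript.exe //e:jscript Transaction_receipt_001.js'),
    Event(4120, "wscript.exe", dest_host="api.telegram.org"),
    Event(5588, "chrome.exe",
          cmdline='"chrome.exe" --headless --remote-debugging-port=9222 '
                  '--user-data-dir=C:\\tmp\\profile'),
    Event(6012, "dropped.exe", dest_host="api.ipify.org"),
    # Benign: a user browsing, and a browser legitimately reaching Telegram.
    Event(7004, "chrome.exe", cmdline='"chrome.exe" https://example.com'),
    Event(7004, "chrome.exe", dest_host="api.telegram.org"),
]


if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

Each rule is deliberately narrow so that the browser-to-Telegram and plain browsing events in the sample do not fire; in production the remote-debugging rule is the strongest of the four on its own, while the IP lookup and script-host rules are better used as correlation signals for the same process tree than as stand-alone alerts.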

MITRE ATT&CK Enterprise v16
