General

  • Target: invoice and bill of lading.zip
  • Size: 6.6MB
  • Sample: 250604-jp7nrstky8
  • MD5: 325ae804a682c7e7da2422230559e7e8
  • SHA1: 7be04842a5ccce4fb1dccbb416efd8be6c48bf0c
  • SHA256: 8f11b176d54b1dc5946894e5857175224b278cdef32c4052d7ede16b39d7fe66
  • SHA512: a6a2079bea218b01c4fec3c6563d634b70116dfb65cc09ffe68350585b24681a361256a45b9608f91c94b646a559752d1de47482bedf4967e0b843b4c300ac81
  • SSDEEP: 196608:E5eG5jH7ImPFy9u9nEVIlqn0FKUngxk0+R:E5bz7ny09EVI00UUnL

Malware Config

Extracted

  • Family: phantomstealer
  • Version: v2.0
  • C2: https://api.telegram.org/bot7700607016:AAF00GqE7J7pf7Rj7lZL3x7VgkUCsmh1qoU/sendMessage?chat_id=7463064549
  • Mutex: 1AZ1XDV6SUXI7AGUVJNF

Attributes

  • anti_analysis: 0
  • cb_enables_ssl: 0
  • debug: 0
  • keylogger: 0
  • rb_discord: 0
  • rb_smtp: 0
  • rb_telegram: 1
  • start_delay: 0
  • startup: 0
  • webcam_screenshot: 0

Targets

    • Target: invoice and bill of lading.exe
    • Size: 6.6MB
    • MD5: 264d6646f6bfb80e7fa01231e392154c
    • SHA1: 3fcc161f9dab9cdd7083a8b73a075fa9f5aec009
    • SHA256: c8b98d4b3f738d2aa5c67c2e4d3bf985a4cc214bd3d491c6a4f83e0468568bdf
    • SHA512: b861710aa9b4c26c0e5e030e267b9c9b645afa3e9b45e660c5677bb7461a6738564e33b7ebe6e40f561482903bf623ad85e4800df4dbdf3bdf3b16be18dfb7fa
    • SSDEEP: 196608:6eG9rzh6AVXY/u7hET21s94DwStKdoga:6bHhjYW7+T2y48St

    • Phantomstealer family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks