General
Target: invoice and bill of lading.zip
Size: 6.6MB
Sample: 250604-jp7nrstky8
MD5: 325ae804a682c7e7da2422230559e7e8
SHA1: 7be04842a5ccce4fb1dccbb416efd8be6c48bf0c
SHA256: 8f11b176d54b1dc5946894e5857175224b278cdef32c4052d7ede16b39d7fe66
SHA512: a6a2079bea218b01c4fec3c6563d634b70116dfb65cc09ffe68350585b24681a361256a45b9608f91c94b646a559752d1de47482bedf4967e0b843b4c300ac81
SSDEEP: 196608:E5eG5jH7ImPFy9u9nEVIlqn0FKUngxk0+R:E5bz7ny09EVI00UUnL
Static task: static1
Behavioral task: behavioral1
  Sample: invoice and bill of lading.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: invoice and bill of lading.exe
  Resource: win11-20250502-en
Malware Config
Extracted
Family: phantomstealer
Version: v2.0
Telegram report-back URL: https://api.telegram.org/bot7700607016:AAF00GqE7J7pf7Rj7lZL3x7VgkUCsmh1qoU/sendMessage?chat_id=7463064549
1AZ1XDV6SUXI7AGUVJNF
anti_analysis: 0
cb_enables_ssl: 0
debug: 0
keylogger: 0
rb_discord: 0
rb_smtp: 0
rb_telegram: 1
start_delay: 0
startup: 0
webcam_screenshot: 0
Only the Telegram report-back channel (rb_telegram) is enabled, which matches the extracted api.telegram.org URL; the Discord and SMTP channels, keylogger, webcam capture, startup persistence and start delay are all switched off in this build. The bot token embedded in the URL path identifies the attacker's bot and is itself a blockable indicator.
Targets
Target: invoice and bill of lading.exe
Size: 6.6MB
MD5: 264d6646f6bfb80e7fa01231e392154c
SHA1: 3fcc161f9dab9cdd7083a8b73a075fa9f5aec009
SHA256: c8b98d4b3f738d2aa5c67c2e4d3bf985a4cc214bd3d491c6a4f83e0468568bdf
SHA512: b861710aa9b4c26c0e5e030e267b9c9b645afa3e9b45e660c5677bb7461a6738564e33b7ebe6e40f561482903bf623ad85e4800df4dbdf3bdf3b16be18dfb7fa
SSDEEP: 196608:6eG9rzh6AVXY/u7hET21s94DwStKdoga:6bHhjYW7+T2y48St
Phantomstealer family
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the payload is no longer scanned.
Uses browser remote debugging
Can be used to control the browser and steal sensitive information such as credentials and session cookies, without having to decrypt the browser's on-disk credential store.
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain countries).
Accesses Microsoft Outlook profiles
Outlook profile data in the registry holds mail account settings and is a common stealer target.
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext
SetThreadContext on another thread is the usual final step of process hollowing or similar injection into a suspended process.
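The following is an added example, not code from the sandbox report or from the malware itself: a small Python triage script that runs detection rules for the behaviours listed above (Defender exclusions added via PowerShell, browser remote debugging, the registry country-code lookup, an external IP lookup, and the Telegram Bot API report-back from the extracted config) over constructed process, registry and network events. The event format, the sample events, the IP-lookup hostnames, the Geo\Nation registry key and the ATT&CK IDs in the rules are my assumptions, and the Telegram bot token in the sample event is a fake placeholder rather than the extracted one.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (assumption: not events from the sandbox run).
# Each entry is (event type, image, detail). "detail" is the command line for
# "proc", the key path for "reg" and the destination URL for "net".
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("proc", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -w hidden Add-MpPreference -ExclusionPath C:\Users\Public "
     r"-ExclusionExtension .exe -ExclusionProcess invoice.exe"),
    ("proc", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"chrome.exe --headless --remote-debugging-port=9222 "
     r"--user-data-dir=C:\Users\u\AppData\Local\Google\Chrome\User Data"),
    ("reg", r"C:\Users\u\Downloads\invoice and bill of lading.exe",
     r"HKCU\Control Panel\International\Geo\Nation"),   # assumed key
    ("net", r"C:\Users\u\Downloads\invoice and bill of lading.exe",
     "https://api.ipify.org/"),                           # assumed lookup service
    ("net", r"C:\Users\u\Downloads\invoice and bill of lading.exe",
     # placeholder token, NOT the one extracted from the sample
     "https://api.telegram.org/bot1234567890:AAFakeTokenForIllustration/sendMessage?chat_id=4242"),
    ("proc", r"C:\Windows\explorer.exe", "explorer.exe"),  # benign control
]

# Detection rules: (name, event type, regex applied to detail, assumed ATT&CK mapping)
RULES = [
    ("defender_exclusion_via_powershell", "proc",
     re.compile(r"Add-MpPreference\s+.*-Exclusion(Path|Extension|Process)", re.I),
     "T1562.001 / T1059.001"),
    ("browser_remote_debugging", "proc",
     re.compile(r"--remote-debugging-(port|pipe)", re.I), "T1539"),
    ("geo_nation_registry_lookup", "reg",
     re.compile(r"Control Panel\\International\\Geo\\Nation$", re.I), "T1614"),
    ("external_ip_lookup", "net",
     re.compile(r"https?://(api\.ipify\.org|ipinfo\.io|checkip\.amazonaws\.com)", re.I),
     "T1016"),
    ("telegram_bot_exfil", "net",
     re.compile(r"https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/sendMessage", re.I),
     "T1071.001"),
]


def parse_telegram_url(url: str) -> Optional[Dict[str, str]]:
    """Pull the bot token and chat_id out of a Telegram Bot API URL.

    Both are indicators worth recording: the token names the attacker's bot
    and can be reported to Telegram, the chat_id the receiving account.
    """
    m = re.search(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/\w+\?.*?chat_id=(-?\d+)", url)
    if not m:
        return None
    return {"bot_token": m.group(1), "chat_id": m.group(2)}


def triage(events: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event and return the hits in event order."""
    hits: List[Dict[str, object]] = []
    for etype, image, detail in events:
        for name, rtype, pattern, technique in RULES:
            if etype == rtype and pattern.search(detail):
                hit: Dict[str, object] = {"rule": name, "technique": technique,
                                          "image": image, "detail": detail}
                if name == "telegram_bot_exfil":
                    hit["c2"] = parse_telegram_url(detail)
                hits.append(hit)
    return hits


def distinct_behaviours(hits: List[Dict[str, object]]) -> int:
    """Number of distinct rules that fired; three or more from one process tree
    is a much stronger stealer signal than any single rule on its own."""
    return len({h["rule"] for h in hits})


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["rule"]:36} {h["technique"]:22} {h["detail"][:60]}')
    print("distinct behaviours:", distinct_behaviours(found))
```

The rules key on command lines, registry paths and URLs rather than on file hashes, so they keep matching a repacked build of the same stealer; on real telemetry they should be scoped to the process tree of the dropped executable, since a lone Add-MpPreference or --remote-debugging-port is also seen in legitimate administration and browser automation.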
MITRE ATT&CK Enterprise v16 (signature count per technique in parentheses)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Modify Authentication Process (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (1)
    Credentials In Files (1)