General

  • Target

    05062025_1238_04062025_invoice scheduled for payment 04062025.gz

  • Size

    14KB

  • Sample

    250605-pt59dsxnx3

  • MD5

    5443df15aeafe15ec0d06be7b2f75552

  • SHA1

    3fb78f9045dd6ade2b811bd02d31f2228a2ec7da

  • SHA256

    a63ede8ff57e1d7a3d595793461ada63cc78e58178b78a7147a5b8e7ed22233a

  • SHA512

    97a3f370919a85bc6d0a8aa2198189f6929b689f7b95bb2bb31000cd43a79acebecfd4333fba6d18bb28273ec184235462ff3db9b99b8ea5bda9fc778dcf08e8

  • SSDEEP

    384:XRzFMFmA65lBu3Y+h9vKT3ojO45xHpQSmmT68iRRLKiRae1:XRzFMB67Qo+h9vKTojO4rHpAmG1Rrz

Malware Config

Extracted

  • Family

    phantomstealer

  • Version

    v2.0

  • Mutex

    CEBJNFYZQCI1JYAUQDV5

Attributes
  • anti_analysis

    0

  • cb_enables_ssl

    1

  • clipper

    1

  • debug

    0

  • grabber

    1

  • keylogger

    1

  • rb_discord

    0

  • rb_smtp

    1

  • rb_telegram

    0

  • start_delay

    1

  • startup

    1

  • webcam_screenshot

    0

Targets

    • Target

      invoice scheduled for payment 04062025.exe

    • Size

      25KB

    • MD5

      d361a53d0eb818131a37d645618ae42d

    • SHA1

      95cc416da5bd1a6b92053bb3e01a9d26e6d3939a

    • SHA256

      3a407759a4a6cd17b12c567c4cadedb43f31c6e5b292448d50db47dc66105364

    • SHA512

      fa8ed42dda71e5c825e417f44df696e00e24ae4ff60d21dbf3f7977420ee05a3129898d438e390301632639cd1b597f26e0610401920ae4b0a8bde9aa565310e

    • SSDEEP

      384:sRbhiOqAF2+pUL8Sb3ujJCFsGuYsF/5fMhmTsMlnhqCyOK9axCEMg:sF7nELCsyYsF/VNhxK9axC/g

    • Phantomstealer family

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16
