General
Target: 05062025_1238_04062025_invoice scheduled for payment 04062025.gz
Size: 14KB
Sample: 250605-pt59dsxnx3
MD5: 5443df15aeafe15ec0d06be7b2f75552
SHA1: 3fb78f9045dd6ade2b811bd02d31f2228a2ec7da
SHA256: a63ede8ff57e1d7a3d595793461ada63cc78e58178b78a7147a5b8e7ed22233a
SHA512: 97a3f370919a85bc6d0a8aa2198189f6929b689f7b95bb2bb31000cd43a79acebecfd4333fba6d18bb28273ec184235462ff3db9b99b8ea5bda9fc778dcf08e8
SSDEEP: 384:XRzFMFmA65lBu3Y+h9vKT3ojO45xHpQSmmT68iRRLKiRae1:XRzFMB67Qo+h9vKTojO4rHpAmG1Rrz
Static task: static1
Behavioral task: behavioral1
Sample: invoice scheduled for payment 04062025.exe
Resource: win10v2004-20250502-en
Behavioral task: behavioral2
Sample: invoice scheduled for payment 04062025.exe
Resource: win11-20250502-en
Malware Config
Extracted
Protocol: smtp
Host: changesfinancial.com
Port: 587
Username: [email protected]
Password: [email protected]
Extracted
phantomstealer
v2.0
Protocol: smtp
Host: changesfinancial.com
Port: 587
Username: [email protected]
Password: [email protected]
Email To: [email protected]
CEBJNFYZQCI1JYAUQDV5
anti_analysis: 0
cb_enables_ssl: 1
clipper: 1
debug: 0
grabber: 1
keylogger: 1
rb_discord: 0
rb_smtp: 1
rb_telegram: 0
start_delay: 1
startup: 1
webcam_screenshot: 0
Targets
Target: invoice scheduled for payment 04062025.exe
Size: 25KB
MD5: d361a53d0eb818131a37d645618ae42d
SHA1: 95cc416da5bd1a6b92053bb3e01a9d26e6d3939a
SHA256: 3a407759a4a6cd17b12c567c4cadedb43f31c6e5b292448d50db47dc66105364
SHA512: fa8ed42dda71e5c825e417f44df696e00e24ae4ff60d21dbf3f7977420ee05a3129898d438e390301632639cd1b597f26e0610401920ae4b0a8bde9aa565310e
SSDEEP: 384:sRbhiOqAF2+pUL8Sb3ujJCFsGuYsF/5fMhmTsMlnhqCyOK9axCEMg:sF7nELCsyYsF/VNhxK9axC/g
- Phantomstealer family
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16
Persistence
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
- Modify Authentication Process: 1
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Modify Authentication Process: 1
- Steal Web Session Cookie: 1
- Unsecured Credentials: 1
- Credentials In Files: 1