General
Target: 05062025_1442_04062025_DHL Air Waybill Number 290132771.gz
Size: 14KB
Sample: 250605-r3etxadn9s
MD5: 1eea696296a71a44f7651356dfdc3c6c
SHA1: a4d282765f2bf43935373e1665b8f08ff0563126
SHA256: 47a5ee0846e78d478bdbdbdde8d5f29b02c9273933b65614fbb320615ff31b1e
SHA512: 2e072e380a79e06357b75357d13bf740afd6f7365a96ec0d16bc2266d162571ad726ab598d7415f8bc6df855b325ffe33ae86b67de1d94af82c8a5a5692e32db
SSDEEP: 384:oRzFMFmA65lBu3Y+h9vKT3ojO45xHpQSmmT68iRRLKiRae1:oRzFMB67Qo+h9vKTojO4rHpAmG1Rrz
Static task: static1
Behavioral task: behavioral1
Sample: DHL Air Waybill Number 290132771.exe
Resource: win10v2004-20250502-en
Malware Config
Extracted
Protocol: smtp
Host: changesfinancial.com
Port: 587
Username: [email protected]
Password: [email protected]
Extracted
phantomstealer v2.0
Protocol: smtp
Host: changesfinancial.com
Port: 587
Username: [email protected]
Password: [email protected]
Email To: [email protected]
CEBJNFYZQCI1JYAUQDV5
anti_analysis: 0
cb_enables_ssl: 1
clipper: 1
debug: 0
grabber: 1
keylogger: 1
rb_discord: 0
rb_smtp: 1
rb_telegram: 0
start_delay: 1
startup: 1
webcam_screenshot: 0
Targets
Target: DHL Air Waybill Number 290132771.exe
Size: 25KB
MD5: d361a53d0eb818131a37d645618ae42d
SHA1: 95cc416da5bd1a6b92053bb3e01a9d26e6d3939a
SHA256: 3a407759a4a6cd17b12c567c4cadedb43f31c6e5b292448d50db47dc66105364
SHA512: fa8ed42dda71e5c825e417f44df696e00e24ae4ff60d21dbf3f7977420ee05a3129898d438e390301632639cd1b597f26e0610401920ae4b0a8bde9aa565310e
SSDEEP: 384:sRbhiOqAF2+pUL8Sb3ujJCFsGuYsF/5fMhmTsMlnhqCyOK9axCEMg:sF7nELCsyYsF/VNhxK9axC/g
- Phantomstealer family
- Uses browser remote debugging: can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
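The behaviours listed above translate directly into host-side hunting logic. The following is an added example, not part of the sandbox report or of the sample: it runs four checks over constructed events shaped loosely like Sysmon process-creation and network-connection records, plus a registry-read event of the kind a sandbox API trace reports (Sysmon itself does not log value reads). The C2 host and port are taken from the extracted SMTP config; the registry value (`Control Panel\International\Geo\Nation`), the list of IP-lookup hosts and the Chromium DevTools switches are assumptions about what each signature observes, not values printed in the report.

```python
"""Host-side checks for the behaviours the sandbox report flags.

Added example, not part of the sandbox report or of the sample. The C2
host and port come from the extracted config; the registry value, the
IP-lookup hosts and the browser switches are assumptions.
"""
import re

C2_HOST = "changesfinancial.com"       # Host from the extracted SMTP config
C2_PORT = 587                          # Port from the extracted SMTP config

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Chromium switches that expose the DevTools protocol to another process.
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port|pipe)\b|--remote-allow-origins\b", re.I)
# Value Windows stores for the user's configured country (assumed to be what
# the "checks computer location settings" signature observes).
GEO_VALUE_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Public IP-lookup services frequently abused by stealers (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"}


def image_name(path):
    """Basename of a Windows path, lower-cased, for comparisons."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_remote_debugging(ev):
    """A browser started with a DevTools switch by a non-browser parent.

    The actor is the parent: that is the process that will drive the browser
    over the DevTools protocol. Browser-spawned children are ignored because
    they inherit switches and would only duplicate the parent's hit.
    """
    if ev["type"] != "process_create" or image_name(ev["Image"]) not in BROWSERS:
        return None
    if not REMOTE_DEBUG_RE.search(ev.get("CommandLine", "")):
        return None
    parent = image_name(ev.get("ParentImage", ""))
    if parent in BROWSERS:
        return None
    return parent, "browser_remote_debugging"


def check_geo_lookup(ev):
    """Read of the configured country code, the usual geofence source."""
    if ev["type"] == "registry_read" and GEO_VALUE_RE.search(ev.get("TargetObject", "")):
        return image_name(ev["Image"]), "geofence_check"
    return None


def check_ip_lookup(ev):
    """Outbound connection to a public 'what is my IP' service."""
    if ev["type"] == "network_connect" and ev.get("DestinationHostname", "").lower() in IP_LOOKUP_HOSTS:
        return image_name(ev["Image"]), "ip_lookup"
    return None


def check_smtp_c2(ev):
    """Mail submission to the exact host:port in the extracted config."""
    if (ev["type"] == "network_connect"
            and ev.get("DestinationHostname", "").lower() == C2_HOST
            and ev.get("DestinationPort") == C2_PORT):
        return image_name(ev["Image"]), "smtp_exfil_to_c2"
    return None


CHECKS = (check_remote_debugging, check_geo_lookup, check_ip_lookup, check_smtp_c2)


def triage(events):
    """Run every check over every event; return sorted unique (actor, signature) pairs."""
    hits = set()
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                hits.add(hit)
    return sorted(hits)


SAMPLE = r"C:\Users\victim\Downloads\DHL Air Waybill Number 290132771.exe"  # file name from the report
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed events; none of them were taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "process_create", "Image": CHROME, "ParentImage": SAMPLE,
     "CommandLine": '"chrome.exe" --headless --remote-debugging-port=9222 '
                    '--user-data-dir="C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data"'},
    # Chrome re-spawning itself with inherited switches: suppressed as duplicate noise.
    {"type": "process_create", "Image": CHROME, "ParentImage": CHROME,
     "CommandLine": '"chrome.exe" --type=utility --remote-debugging-port=9222'},
    {"type": "registry_read", "Image": SAMPLE,
     "TargetObject": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "network_connect", "Image": SAMPLE,
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"type": "network_connect", "Image": SAMPLE,
     "DestinationHostname": C2_HOST, "DestinationPort": C2_PORT},
    # Legitimate mail client on the submission port: must not match the C2 rule.
    {"type": "network_connect", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
]

if __name__ == "__main__":
    for actor, sig in triage(SAMPLE_EVENTS):
        print(f"{sig:28} {actor}")
```

The remote-debugging check attributes the hit to the parent rather than to the browser because the parent is the process that will speak the DevTools protocol; on a real fleet you would also baseline developer hosts, where `--remote-debugging-port` launched from a terminal is legitimate. The SMTP rule is deliberately exact on host and port so that ordinary clients using the submission port, like the Outlook event above, do not fire.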
MITRE ATT&CK Enterprise v16
Persistence
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Modify Authentication Process (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1): Credentials In Files (1)