General

  • Target

    05062025_1442_04062025_DHL Air Waybill Number 290132771.gz

  • Size

    14KB

  • Sample

    250605-r3etxadn9s

  • MD5

    1eea696296a71a44f7651356dfdc3c6c

  • SHA1

    a4d282765f2bf43935373e1665b8f08ff0563126

  • SHA256

    47a5ee0846e78d478bdbdbdde8d5f29b02c9273933b65614fbb320615ff31b1e

  • SHA512

    2e072e380a79e06357b75357d13bf740afd6f7365a96ec0d16bc2266d162571ad726ab598d7415f8bc6df855b325ffe33ae86b67de1d94af82c8a5a5692e32db

  • SSDEEP

    384:oRzFMFmA65lBu3Y+h9vKT3ojO45xHpQSmmT68iRRLKiRae1:oRzFMB67Qo+h9vKTojO4rHpAmG1Rrz

Malware Config

Extracted

  • Family

    phantomstealer

  • Version

    v2.0

  • Credentials

  • Mutex

    CEBJNFYZQCI1JYAUQDV5

Attributes
  • anti_analysis

    0

  • cb_enables_ssl

    1

  • clipper

    1

  • debug

    0

  • grabber

    1

  • keylogger

    1

  • rb_discord

    0

  • rb_smtp

    1

  • rb_telegram

    0

  • start_delay

    1

  • startup

    1

  • webcam_screenshot

    0

Targets

    • Target

      DHL Air Waybill Number 290132771.exe

    • Size

      25KB

    • MD5

      d361a53d0eb818131a37d645618ae42d

    • SHA1

      95cc416da5bd1a6b92053bb3e01a9d26e6d3939a

    • SHA256

      3a407759a4a6cd17b12c567c4cadedb43f31c6e5b292448d50db47dc66105364

    • SHA512

      fa8ed42dda71e5c825e417f44df696e00e24ae4ff60d21dbf3f7977420ee05a3129898d438e390301632639cd1b597f26e0610401920ae4b0a8bde9aa565310e

    • SSDEEP

      384:sRbhiOqAF2+pUL8Sb3ujJCFsGuYsF/5fMhmTsMlnhqCyOK9axCEMg:sF7nELCsyYsF/VNhxK9axC/g

    • Phantomstealer family

    • Uses browser remote debugging

      Starting a browser with a remote-debugging (DevTools) endpoint lets the process drive the browser and read sensitive information such as stored credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers commonly target the browser profile directory, which holds saved credentials, cookies and form data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Queries a legitimate IP lookup service to determine the infected system's external IP address.

    • Suspicious use of SetThreadContext
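
The following is an added example, not the sandbox's own rule code, that re-implements four of the behaviour signatures above (location-settings check, external IP lookup, browser remote debugging, suspicious SetThreadContext) as a detector over an API-call trace. The event layout, the IP-lookup and browser watchlists, and the trace itself (PIDs, paths, URL) are constructed assumptions for illustration; the only Windows-specific fact relied on is that the configured location is stored as a GeoID under `HKEY_CURRENT_USER\Control Panel\International\Geo\Nation`.

```python
"""Re-implementation (added illustration) of four of the report's behaviour
signatures over a constructed API-call trace.  Event layout and watchlists are
assumptions, not the sandbox's real schema or rule set."""
import re
from urllib.parse import urlsplit

# --- assumed watchlists (not from the report) -------------------------------
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me",
                   "checkip.amazonaws.com", "ip-api.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.IGNORECASE)
# Windows keeps the configured location (GeoID) under this key, value "Nation".
GEO_KEY = r"control panel\international\geo"
CREATE_SUSPENDED = 0x00000004           # dwCreationFlags bit
HOLLOW_SEQ = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")

# Constructed trace: one event per API call, args as a flat dict.
# PIDs, paths and the URL are illustrative, not taken from this sample.
TRACE = [
    {"api": "RegQueryValueExW",
     "args": {"key": r"HKEY_CURRENT_USER\Control Panel\International\Geo",
              "value": "Nation"}},
    {"api": "InternetOpenUrlW", "args": {"url": "https://api.ipify.org/"}},
    {"api": "CreateProcessW",
     "args": {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "cmdline": 'chrome.exe --headless --remote-debugging-port=9222 '
                         '--user-data-dir="C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data"',
              "flags": 0x0, "child_pid": 3100}},
    {"api": "CreateProcessW",
     "args": {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
              "flags": CREATE_SUSPENDED, "child_pid": 3200}},
    {"api": "NtUnmapViewOfSection", "args": {"target_pid": 3200}},
    {"api": "WriteProcessMemory", "args": {"target_pid": 3200}},
    {"api": "SetThreadContext", "args": {"target_pid": 3200}},
    {"api": "ResumeThread", "args": {"target_pid": 3200}},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(trace):
    """Return a list of (signature, detail) tuples in order of first match."""
    hits = []
    suspended = {}   # child_pid -> index of the next HOLLOW_SEQ call expected
    for ev in trace:
        api, a = ev["api"], ev["args"]

        # Checks computer location settings: read of the Geo\Nation value.
        if (api.startswith("RegQueryValueEx")
                and GEO_KEY in a.get("key", "").lower()
                and a.get("value", "").lower() == "nation"):
            hits.append(("Checks computer location settings",
                         a["key"] + "\\" + a["value"]))

        # Looks up external IP address via web service.
        if api.startswith(("InternetOpenUrl", "URLDownloadToFile")):
            host = (urlsplit(a.get("url", "")).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                hits.append(("Looks up external IP address via web service", host))

        if api.startswith("CreateProcess"):
            image = _basename(a.get("image", ""))
            # Uses browser remote debugging: a browser started with a DevTools endpoint.
            m = REMOTE_DEBUG.search(a.get("cmdline", ""))
            if image in BROWSERS and m:
                hits.append(("Uses browser remote debugging", m.group(0)))
            # Remember suspended children as potential hollowing targets.
            if a.get("flags", 0) & CREATE_SUSPENDED:
                suspended[a["child_pid"]] = 0

        # Suspicious use of SetThreadContext: write -> SetThreadContext ->
        # ResumeThread, in order, against a process this sample created suspended.
        pid = a.get("target_pid")
        if pid in suspended and api == HOLLOW_SEQ[suspended[pid]]:
            suspended[pid] += 1
            if suspended[pid] == len(HOLLOW_SEQ):
                hits.append(("Suspicious use of SetThreadContext",
                             f"pid {pid}: {' -> '.join(HOLLOW_SEQ)}"))
                del suspended[pid]
    return hits


if __name__ == "__main__":
    for sig, detail in detect(TRACE):
        print(f"[+] {sig}: {detail}")
```

The SetThreadContext rule deliberately requires the target to have been created suspended by the same sample and the three calls to arrive in order; SetThreadContext on its own is used legitimately by debuggers. Likewise `--remote-debugging-port` is normal for test automation, so in production telemetry the parent process (here, an executable posing as a DHL waybill) is what makes the launch suspicious.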

MITRE ATT&CK Enterprise v16

Tasks