General

  Target: Phantom.exe
  Size: 764KB
  Sample: 240701-wb9bna1cmb
  MD5: f9dbf286fc2655045699c429f76d708e
  SHA1: 49ec367b5e8d4035a389469005f96cf717e18f17
  SHA256: f4d9d7d07cf500816361daad500873f5d17480ae0ba49f3348435478cf93d949
  SHA512: cff7af066fa10c93d1f3b7b460de720f8f64b73c7a0a6be999f2d73bcceb5368e1656492b925d25f0e69132ab263c6198279743db942037108453acbecce3275
  SSDEEP: 12288:ydSxkJb4ZQivRFZKP0m4FdWaGNGGLUWl6JB+A6+rN6FAZXhqDnxlrug6JnGf:l2Jb4/U8mGWArwCZ6FPxk
Static task: static1
Malware Config

Extracted: quasar
  3.1.5
  Slave
  stop-largely.gl.at.ply.gg:27116
  $Sxr-kl1r656AGsPQksTmi8
  encryption_key: WyBm1iVkHZmEnGPMAZWV
  install_name: $phantom.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: $phantomSTARTUP~MSF
  subdirectory: $phantom

Extracted: asyncrat
  Default
  finally-grande.gl.at.ply.gg:25844
  delay: 1
  install: false
  install_folder: %AppData%

Extracted: xworm
  best-bird.gl.at.ply.gg:27196
  super-nearest.gl.at.ply.gg:17835
  wiz.bounceme.net:6000
  Install_directory: %ProgramData%

Extracted: asyncrat
  Venom RAT + HVNC + Stealer + Grabber v6.0.3
  Default
  147.185.221.205:52809
  FANTA~69
  delay: 1
  install: false
  install_file: Update.exe
  install_folder: %AppData%

Extracted: quasar
  reconnect_delay: 3000
Targets

  Target: Phantom.exe
  Size: 764KB
  (MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
Signatures

  - Detect Xworm Payload
  - Quasar payload
  - Async RAT payload
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
  - Drops startup file
  - Event Triggered Execution: Component Object Model Hijacking
      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)