Windows Analysis Report
phantomtoolsv2.exe

Overview

General Information

Sample name: phantomtoolsv2.exe
Analysis ID: 1532357
MD5: 0c01cfc0685211b3c655c7a9526f1849
SHA1: 864d23804b6e3c98efd1b56863a484b505ddf40b
SHA256: 8d6ee227c57e825bc978db47c7587d46e7df06e3656d493486ee26b1426c98a6
Tags: exe, user-aachum

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Creates files in alternative data streams (ADS)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Self deletion via cmd or bat file
Sigma detected: Suspicious Ping/Del Command Combination
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
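The "Self deletion via cmd or bat file", "Uses ping.exe to sleep" and "Sigma detected: Suspicious Ping/Del Command Combination" signatures above all describe one technique: the stealer spawns cmd.exe with a command line that runs ping with a count (and here a timeout) as a cheap delay, then deletes its own executable once the parent process has exited. The following is an added example, not part of the Joe Sandbox report, showing how that pattern is picked out of process-creation telemetry. The event records are constructed for illustration (Sysmon Event ID 1 field names are assumed); only the ping arguments mirror the report.

```python
"""Flag the ping-delay + del self-deletion pattern in process-creation events.

Added example, not code from the report. SAMPLE_EVENTS is constructed; the
field names (Image, CommandLine, ParentImage, ParentCommandLine) follow
Sysmon Event ID 1 and the ping arguments mirror the sandbox observation.
"""
import re

# "ping <host> -n <count>" or "ping -n <count> <host>" inside a single command.
PING_COUNT = re.compile(r"\bping(?:\.exe)?\b[^&|]*?\s-n\s+\d+", re.IGNORECASE)
# A del/erase/Remove-Item that starts a command: at line start, after a
# chain operator (& && | ; ) or right after cmd's /c or /k switch.
DELETE = re.compile(
    r"(?:^|[&|;]\s*|/[ck]\s+)(?:del|erase|Remove-Item)\b", re.IGNORECASE
)

SAMPLE_EVENTS = [  # constructed records, not taken from the report
    {   # the cmd.exe the stealer launches to remove itself
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\Desktop\phantomtoolsv2.exe",
        "CommandLine": r'cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 & del "C:\Users\user\Desktop\phantomtoolsv2.exe"',
        "ParentCommandLine": r"C:\Users\user\Desktop\phantomtoolsv2.exe",
    },
    {   # the PING.EXE child the report records
        "Image": r"C:\Windows\System32\PING.EXE",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "ping 1.1.1.1 -n 1 -w 3000",
        "ParentCommandLine": r'cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 & del "C:\Users\user\Desktop\phantomtoolsv2.exe"',
    },
    {   # benign: an administrator checking reachability of a host
        "Image": r"C:\Windows\System32\PING.EXE",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "ping -n 4 fileserver01",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: a cleanup step that deletes files without a ping delay
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c del /q C:\Temp\build\*.obj",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
]


def classify(event):
    """Return the reasons an event matches the ping/del pattern (empty if none)."""
    image = event["Image"].lower()
    cmdline = event["CommandLine"]
    parent_cmdline = event["ParentCommandLine"]
    reasons = []
    # Case 1: one cmd.exe command line chains a ping delay with a delete.
    if image.endswith("cmd.exe") and PING_COUNT.search(cmdline) and DELETE.search(cmdline):
        reasons.append("cmd.exe chains ping -n delay with del (self-deletion pattern)")
    # Case 2: the ping child itself, whose parent command line carries the delete.
    if image.endswith("ping.exe") and PING_COUNT.search(cmdline) and DELETE.search(parent_cmdline):
        reasons.append("ping.exe used as a sleep by a cmd line that deletes a file")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that matches."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print("event %d: %s" % (idx, "; ".join(why)))
```

Both the parent cmd.exe and the PING.EXE child are matched on purpose: some collectors only log the child process, and the parent command line is then the only place the del appears. Plain reachability checks and plain cleanup commands are not flagged because each carries only one half of the pattern.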

Classification

AV Detection

Source: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll Avira: detection malicious, Label: HEUR/AGEN.1354117
Source: 1.2.phantomtoolsv2.exe.140000000.0.unpack Malware Configuration Extractor: Meduza Stealer {"C2 url": "79.137.202.152", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "Legenda", "self_destruct": true, "extensions": ".txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite", "links": "", "grabber_max_size": 1048576}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006FB80 CryptUnprotectData,LocalFree, 1_2_000000014006FB80
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400D0090 CryptUnprotectData, 1_2_00000001400D0090
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140035E00 CryptUnprotectData,LocalFree, 1_2_0000000140035E00
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006FEA0 CryptProtectData,LocalFree, 1_2_000000014006FEA0
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: phantomtoolsv2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError, 1_2_00000001400B6740
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400B67F0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 1_2_00000001400B67F0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007EF60 GetLogicalDriveStringsW, 1_2_000000014007EF60
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\migration\ Jump to behavior
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\replacementmanifests\ Jump to behavior
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\migration\wtr\ Jump to behavior
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\ Jump to behavior
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\ Jump to behavior
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\ Jump to behavior
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 4x nop then push rdi 0_2_00007FF7B890C950
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7B890C460
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 4x nop then push rdi 1_2_00007FF7B890C950
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 4x nop then sub rsp, 28h 1_2_00007FF7B890C460

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49737 -> 79.137.202.152:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49737 -> 79.137.202.152:15666
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49737 -> 79.137.202.152:15666
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: global traffic TCP traffic: 192.168.2.4:49737 -> 79.137.202.152:15666
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Accept: text/html; text/plain; */*
    Host: api.ipify.org
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 79.137.202.152 79.137.202.152
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View ASN Name: PSKSET-ASRU PSKSET-ASRU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 79.137.202.152 (50 occurrences)
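The network findings above fit together: the extracted configuration carries the C2 as a bare IP (79.137.202.152) and a non-standard port (15666), so the sample connects there repeatedly without any DNS lookup, and the three Suricata signatures fire on the exfiltration over that same flow. The block below is an added example, not code from the Joe Sandbox report, that applies the same reasoning to connection and DNS logs: it flags outbound TCP flows whose destination was never resolved, flows to non-standard ports, and flows matching the extracted C2, and renders the C2 endpoint as a Suricata rule. The log records are constructed (Zeek-style field subset is assumed); only the C2 address, port and build name come from the report's configuration, and the SID is an arbitrary local-range value.

```python
"""Turn the report's network findings into checks over connection logs.

Added example, not code from the report. DNS_LOG and CONN_LOG are constructed
for illustration (Zeek-style field subset); MEDUZA_CONFIG holds the three
fields from the Malware Configuration Extractor output that the checks use.
"""
import ipaddress

# Fields as extracted by the Malware Configuration Extractor in the report.
MEDUZA_CONFIG = {"C2 url": "79.137.202.152", "port": 15666, "build_name": "Legenda"}

# Ports a workstation is expected to reach directly; anything else counts as
# "non-standard" for this check (assumption, tune per environment).
STANDARD_PORTS = {22, 25, 53, 80, 443, 445, 587, 993, 995, 3389}

# Constructed records, not taken from the report.
DNS_LOG = [
    {"ts": 100.0, "query": "api.ipify.org", "answers": ["104.26.13.205"]},
]
CONN_LOG = [
    {"ts": 101.0, "src": "192.168.2.4", "dst": "104.26.13.205", "dport": 443, "proto": "tcp"},
    {"ts": 102.0, "src": "192.168.2.4", "dst": "79.137.202.152", "dport": 15666, "proto": "tcp"},
    {"ts": 103.0, "src": "192.168.2.4", "dst": "192.168.2.1", "dport": 445, "proto": "tcp"},
    {"ts": 104.0, "src": "192.168.2.4", "dst": "1.1.1.1", "dport": 53, "proto": "udp"},
]


def resolved_before(dns_log, ts):
    """All addresses returned by any DNS answer at or before time ts."""
    return {a for rec in dns_log if rec["ts"] <= ts for a in rec["answers"]}


def is_local(ip):
    """Skip RFC 1918, loopback, link-local and multicast destinations."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast


def flag_connections(conn_log, dns_log, config):
    """Return (dst, dport, reasons) for each outbound TCP flow worth a look."""
    alerts = []
    for c in conn_log:
        if c["proto"] != "tcp" or is_local(c["dst"]):
            continue
        reasons = []
        # The sandbox's "TCP traffic without corresponding DNS query" heuristic:
        # a hard-coded C2 address is contacted without ever being resolved.
        if c["dst"] not in resolved_before(dns_log, c["ts"]):
            reasons.append("no preceding DNS resolution")
        if c["dport"] not in STANDARD_PORTS:
            reasons.append("non-standard port %d" % c["dport"])
        if c["dst"] == config["C2 url"] and c["dport"] == config["port"]:
            reasons.append("matches extracted Meduza C2")
        if reasons:
            alerts.append((c["dst"], c["dport"], reasons))
    return alerts


def suricata_rule(config, sid):
    """Render the extracted C2 endpoint as a Suricata rule; sid is chosen by the caller."""
    return (
        'alert tcp $HOME_NET any -> %s %d (msg:"Meduza Stealer C2 build %s"; '
        "flow:to_server,established; classtype:trojan-activity; sid:%d; rev:1;)"
        % (config["C2 url"], config["port"], config["build_name"], sid)
    )


if __name__ == "__main__":
    for dst, dport, why in flag_connections(CONN_LOG, DNS_LOG, MEDUZA_CONFIG):
        print("%s:%d -> %s" % (dst, dport, "; ".join(why)))
    print(suricata_rule(MEDUZA_CONFIG, 1000001))  # local SID range, assumption
```

The ipify request is deliberately present in the constructed data as the control case: its address was resolved first and it uses port 443, so it produces no alert, while the C2 flow trips all three checks. The DNS correlation is the most durable of the three, since a rebuilt stealer changes its address and port but still has no reason to resolve a hard-coded IP.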
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007C5E0 recv,recv,closesocket,WSACleanup, 1_2_000000014007C5E0
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: phantomtoolsv2.exe, 00000001.00000003.1895778572.00000210210C0000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1895814243.00000210210C4000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1725699673.00000210210B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/Regi
Source: phantomtoolsv2.exe, 00000001.00000003.1896383235.000002101E9B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: phantomtoolsv2.exe, 00000001.00000003.1743029885.0000021021440000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1743029885.0000021021351000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1743933809.0000021021352000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1743619937.0000021021441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: phantomtoolsv2.exe, 00000001.00000003.1743619937.0000021021441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: phantomtoolsv2.exe, 00000001.00000003.1743029885.0000021021440000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1743029885.0000021021351000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1743933809.0000021021352000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1743619937.0000021021441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: phantomtoolsv2.exe, 00000001.00000003.1743619937.0000021021441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: phantomtoolsv2.exe String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: phantomtoolsv2.exe, 00000001.00000003.1743619937.0000021021441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: phantomtoolsv2.exe, 00000001.00000003.1742408396.0000021021295000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1738488858.00000210215FE000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.00000210207DB000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020708000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742843881.0000021021461000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.00000210207D3000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.000002102075C000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020754000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742843881.0000021021469000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020700000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742408396.0000021021209000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742408396.0000021021211000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: phantomtoolsv2.exe, 00000001.00000003.1730304595.0000021021348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: phantomtoolsv2.exe, 00000001.00000003.1730304595.00000210212D4000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1732301721.0000021021293000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1730304595.00000210212FE000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1730304595.0000021021453000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1732566332.0000021021440000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1730304595.0000021021324000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1730304595.00000210212E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: phantomtoolsv2.exe, 00000001.00000003.1730304595.0000021021348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: phantomtoolsv2.exe, 00000001.00000003.1730304595.00000210212D4000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1732301721.0000021021293000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1730304595.00000210212FE000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1730304595.0000021021453000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1732566332.0000021021440000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1730304595.0000021021324000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1730304595.00000210212E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: phantomtoolsv2.exe, 00000001.00000003.1743619937.0000021021441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: phantomtoolsv2.exe, 00000001.00000003.1743619937.0000021021441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: phantomtoolsv2.exe, 00000001.00000003.1742408396.0000021021295000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1738488858.00000210215FE000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.00000210207DB000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020708000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742843881.0000021021461000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.00000210207D3000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.000002102075C000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020754000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742843881.0000021021469000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020700000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742408396.0000021021209000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742408396.0000021021211000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: phantomtoolsv2.exe, 00000001.00000003.1738112892.00000210214D5000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.00000210207E3000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.000002102070F000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742408396.0000021021219000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: phantomtoolsv2.exe, 00000001.00000003.1738112892.00000210214D5000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.00000210207E3000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.000002102070F000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1742408396.0000021021219000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1737482716.0000021020764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007D6E0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 1_2_000000014007D6E0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B88046A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose, 0_2_00007FF7B88046A4
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8803060 GetCurrentProcess,NtQueryInformationProcess,GetTempPathA,strlen,strlen,memcpy, 0_2_00007FF7B8803060
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8803C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 0_2_00007FF7B8803C70
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140082030 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 1_2_0000000140082030
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400D06E8 NtAllocateVirtualMemory, 1_2_00000001400D06E8
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400818F0 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,NtDuplicateObject,GetCurrentProcess,NtDuplicateObject,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle, 1_2_00000001400818F0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B88034D0 0_2_00007FF7B88034D0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8803C70 0_2_00007FF7B8803C70
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B88FC950 0_2_00007FF7B88FC950
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8825140 0_2_00007FF7B8825140
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B88E7220 0_2_00007FF7B88E7220
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8806A40 0_2_00007FF7B8806A40
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8807290 0_2_00007FF7B8807290
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B881DA84 0_2_00007FF7B881DA84
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8815B20 0_2_00007FF7B8815B20
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B881D367 0_2_00007FF7B881D367
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B881C4A0 0_2_00007FF7B881C4A0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B88264F0 0_2_00007FF7B88264F0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014005F140 1_2_000000014005F140
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400421C0 1_2_00000001400421C0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007F210 1_2_000000014007F210
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014008426B 1_2_000000014008426B
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400743A0 1_2_00000001400743A0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007E3D0 1_2_000000014007E3D0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014002F650 1_2_000000014002F650
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140086680 1_2_0000000140086680
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007D6E0 1_2_000000014007D6E0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014003B740 1_2_000000014003B740
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014003C7E0 1_2_000000014003C7E0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400B67F0 1_2_00000001400B67F0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140076BA0 1_2_0000000140076BA0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007FBA0 1_2_000000014007FBA0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014003ABE0 1_2_000000014003ABE0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009ACF0 1_2_000000014009ACF0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140084CF0 1_2_0000000140084CF0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007CDF0 1_2_000000014007CDF0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014003CE80 1_2_000000014003CE80
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014002EF60 1_2_000000014002EF60
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009DFA0 1_2_000000014009DFA0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006E000 1_2_000000014006E000
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014004E000 1_2_000000014004E000
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140082030 1_2_0000000140082030
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140036050 1_2_0000000140036050
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006B0A0 1_2_000000014006B0A0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140092094 1_2_0000000140092094
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007E0B0 1_2_000000014007E0B0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400300C6 1_2_00000001400300C6
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006A100 1_2_000000014006A100
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014003A110 1_2_000000014003A110
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140006180 1_2_0000000140006180
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140028200 1_2_0000000140028200
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009E21C 1_2_000000014009E21C
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009227C 1_2_000000014009227C
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400B92E0 1_2_00000001400B92E0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400532E0 1_2_00000001400532E0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140096300 1_2_0000000140096300
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140056340 1_2_0000000140056340
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140026340 1_2_0000000140026340
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140093344 1_2_0000000140093344
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140025350 1_2_0000000140025350
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140055360 1_2_0000000140055360
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140082380 1_2_0000000140082380
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006A400 1_2_000000014006A400
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400A5464 1_2_00000001400A5464
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140092464 1_2_0000000140092464
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009C498 1_2_000000014009C498
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006E49A 1_2_000000014006E49A
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014004C500 1_2_000000014004C500
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140062510 1_2_0000000140062510
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400705A0 1_2_00000001400705A0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140006610 1_2_0000000140006610
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400596B0 1_2_00000001400596B0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006A730 1_2_000000014006A730
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140066750 1_2_0000000140066750
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400907A0 1_2_00000001400907A0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009E7A4 1_2_000000014009E7A4
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009B968 1_2_000000014009B968
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400269E0 1_2_00000001400269E0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140078A40 1_2_0000000140078A40
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006AA50 1_2_000000014006AA50
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140092AAC 1_2_0000000140092AAC
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140037AAD 1_2_0000000140037AAD
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400A6ACC 1_2_00000001400A6ACC
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400BBB80 1_2_00000001400BBB80
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006DBC0 1_2_000000014006DBC0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014002FC80 1_2_000000014002FC80
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140006D20 1_2_0000000140006D20
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014004AD30 1_2_000000014004AD30
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006AD70 1_2_000000014006AD70
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140005DB0 1_2_0000000140005DB0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009BE18 1_2_000000014009BE18
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014006CE40 1_2_000000014006CE40
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140075E70 1_2_0000000140075E70
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140072EC0 1_2_0000000140072EC0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014009CF18 1_2_000000014009CF18
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140038FB0 1_2_0000000140038FB0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B88FC950 1_2_00007FF7B88FC950
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B8806A40 1_2_00007FF7B8806A40
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B881DA84 1_2_00007FF7B881DA84
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B8815B20 1_2_00007FF7B8815B20
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B8803C70 1_2_00007FF7B8803C70
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B8825140 1_2_00007FF7B8825140
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B88E7220 1_2_00007FF7B88E7220
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B8807290 1_2_00007FF7B8807290
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B881D367 1_2_00007FF7B881D367
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B881C4A0 1_2_00007FF7B881C4A0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B88034D0 1_2_00007FF7B88034D0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B88264F0 1_2_00007FF7B88264F0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: String function: 00007FF7B8902CD0 appears 32 times
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: String function: 0000000140034B20 appears 41 times
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: String function: 00000001400300A0 appears 58 times
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: String function: 00007FF7B890C0A0 appears 43 times
Source: phantomtoolsv2.exe_a.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: phantomtoolsv2.exe, 00000001.00000003.1895939117.0000021021451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs phantomtoolsv2.exe
Source: phantomtoolsv2.exe, 00000001.00000003.1884710900.000002102144D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs phantomtoolsv2.exe
Source: phantomtoolsv2.exe, 00000001.00000003.1894702858.000002102144D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs phantomtoolsv2.exe
Source: phantomtoolsv2.exe, 00000001.00000002.1898356987.0000021021451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs phantomtoolsv2.exe
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/2
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400835B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 1_2_00000001400835B0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400D0008 AdjustTokenPrivileges,CredEnumerateA, 1_2_00000001400D0008
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B88046A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose, 0_2_00007FF7B88046A4
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400D0730 CoCreateInstance, 1_2_00000001400D0730
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File created: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963A85413CE
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: phantomtoolsv2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\phantomtoolsv2.exe "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process created: C:\Users\user\Desktop\phantomtoolsv2.exe "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process created: C:\Users\user\Desktop\phantomtoolsv2.exe "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: phantomtoolsv2.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: phantomtoolsv2.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: phantomtoolsv2.exe Static file information: File size 2746880 > 1048576
Source: phantomtoolsv2.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10bc00
Source: phantomtoolsv2.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x16f600
Source: phantomtoolsv2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8803C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 0_2_00007FF7B8803C70
Source: phantomtoolsv2.exe Static PE information: section name: .xdata
Source: phantomtoolsv2.exe_a.dll.0.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B881AAF6 push rsp; retf 0_2_00007FF7B881AAF9
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B881D857 push rax; iretd 0_2_00007FF7B881D858
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B881AAF6 push rsp; retf 1_2_00007FF7B881AAF9
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B881D857 push rax; iretd 1_2_00007FF7B881D858
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File created: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400740C0 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle, 1_2_00000001400740C0

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\phantomtoolsv2.exe File created: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Dropped PE file which has not been started: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\phantomtoolsv2.exe API coverage: 7.7 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError, 1_2_00000001400B6740
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400B67F0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 1_2_00000001400B67F0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007EF60 GetLogicalDriveStringsW, 1_2_000000014007EF60
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140094A30 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 1_2_0000000140094A30
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: phantomtoolsv2.exe, 00000001.00000003.1882946764.0000021021351000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: phantomtoolsv2.exe, 00000001.00000003.1726312341.000002101EA10000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000002.1897542352.000002101E9FA000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1896285771.000002101E9FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWcP;0
Source: phantomtoolsv2.exe, 00000001.00000002.1897542352.000002101E9C0000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1896285771.000002101E9BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: phantomtoolsv2.exe, 00000001.00000003.1726312341.000002101EA10000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000002.1897542352.000002101E9FA000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1896285771.000002101E9FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\phantomtoolsv2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\phantomtoolsv2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8803C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 0_2_00007FF7B8803C70
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400D02C8 IsDebuggerPresent, 1_2_00000001400D02C8
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400B8A44 GetLastError,IsDebuggerPresent,OutputDebugStringW, 1_2_00000001400B8A44
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8803C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 0_2_00007FF7B8803C70
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B88011D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy, 0_2_00007FF7B88011D9
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8AA0550 SetUnhandledExceptionFilter, 0_2_00007FF7B8AA0550
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00000001400D02D8 SetUnhandledExceptionFilter, 1_2_00000001400D02D8
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014008D3D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_000000014008D3D8
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_00007FF7B88011D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 1_2_00007FF7B88011D9

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\phantomtoolsv2.exe NtQueryInformationProcess: Indirect: 0x7FF7B8803CAD
Source: C:\Users\user\Desktop\phantomtoolsv2.exe NtQueryInformationProcess: Indirect: 0x7FF7B8803098
Source: C:\Users\user\Desktop\phantomtoolsv2.exe NtClose: Indirect: 0x7FF7B8804830
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Memory written: C:\Users\user\Desktop\phantomtoolsv2.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Thread register set: target process: 7360
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_0000000140072EC0 ShellExecuteW, 1_2_0000000140072EC0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process created: C:\Users\user\Desktop\phantomtoolsv2.exe "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B8804350 cpuid 0_2_00007FF7B8804350
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: EnumSystemLocalesW, 1_2_00000001400A409C
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: EnumSystemLocalesW, 1_2_00000001400A416C
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: EnumSystemLocalesW, 1_2_0000000140099354
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: GetLocaleInfoW, 1_2_00000001400D0390
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: GetLocaleInfoEx,FormatMessageA, 1_2_00000001400B63B0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00000001400A45A8
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00000001400A4784
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: GetLocaleInfoW, 1_2_0000000140099898
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 1_2_00000001400A3D50
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 0_2_00007FF7B881B500 GetSystemTimeAsFileTime, 0_2_00007FF7B881B500
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007DCC0 GetUserNameW, 1_2_000000014007DCC0
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Code function: 1_2_000000014007F210 GetTimeZoneInformation,GlobalMemoryStatusEx,wcsftime,GetModuleFileNameA, 1_2_000000014007F210

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: phantomtoolsv2.exe PID: 7360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: phantomtoolsv2.exe PID: 7360, type: MEMORYSTR
Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum-LTC\config
Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\wallets
Source: phantomtoolsv2.exe, 00000001.00000003.1758154668.0000021023AF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "software": "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",
Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\phantomtoolsv2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: Process Memory Space: phantomtoolsv2.exe PID: 7360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: phantomtoolsv2.exe PID: 7360, type: MEMORYSTR