
Phantom Stealer


According to Proofpoint, this is a fork of Stealerium that has high overlap with its originating codebase.


YARA Detection Rules

import "hash"

rule Phantom_Stealer_Detection {
    meta:
        description = "Detects Phantom Stealer malware based on known file names, hashes, and behavioral indicators"
        author = "AI Generated"

    strings:
        // Sample-specific artifacts: dropped file names and the family name
        $n1 = "VID001.exe" ascii
        $n2 = "f_000cd7.html" ascii
        $n3 = "SECOH-QAD.exe" ascii
        $n4 = "u992574.dll" ascii
        $n5 = "PhantomStealer" ascii wide

        // Stealer capability strings (credential theft and exfiltration)
        $f1 = "decrypt_passwords" ascii wide
        $f2 = "get_browser_data" ascii wide
        $f3 = "send_to_c2" ascii wide

        // Generic strings: common in legitimate software, so never sufficient alone
        $g1 = "config.json" ascii wide
        $g2 = "temp\\AppData\\" ascii wide
        $g3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
        $g4 = "Chrome\\User Data\\Default\\Login Data" ascii wide
        $g5 = "AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" ascii wide
        $g6 = "svchost -k" ascii wide
        $g7 = "rundll32.exe" ascii wide

    condition:
        // MZ header: restrict the rule to PE files
        uint16(0) == 0x5A4D and
        (
            // Known-sample match. The original rule searched for these 32-byte
            // values as raw byte patterns inside the file; a file does not
            // contain its own digest, so that branch could never fire. They are
            // assumed to be SHA-256 digests and are compared against the whole file.
            hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
            hash.sha256(0, filesize) == "c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe" or
            hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
            hash.sha256(0, filesize) == "e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba" or

            // Behavioral match: require corroborating strings rather than
            // "1 of ($s*)", which would fire on any binary mentioning rundll32.exe
            $n5 or
            2 of ($n*) or
            (1 of ($n*) and 1 of ($f*)) or
            (2 of ($f*) and 2 of ($g*))
        )
}

Rules are AI-generated and unvalidated. Test in a safe environment before production use.
