Phantom Stealer
According to Proofpoint, this is a fork of Stealerium that has high overlap with its originating codebase.
Indicators of Compromise (12)

Filenames:
  SECOH-QAD.exe
  VID001.exe
  f_000cd7.html
  u992574.dll

MD5:
  2915b3f8b703eb744fc54c81f4a9c67f
  38de5b216c33833af710e88f7f64fc98
  bf9672ec85283fdf002d83662f0b08b7
  dbd8dbecaa80795c135137d69921fdba

SHA-256:
  9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
  9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
  c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
  e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba
YARA Detection Rules

Phantom_Stealer_YARA_Detection

```yara
import "hash"

rule Phantom_Stealer_Detection {
    meta:
        description = "Detects Phantom Stealer malware based on known file names, hashes, and behavioral indicators"
        author = "AI Generated"

    strings:
        // File names observed with the samples listed above (sample-specific)
        $s1 = "VID001.exe" ascii
        $s2 = "f_000cd7.html" ascii
        $s3 = "SECOH-QAD.exe" ascii
        $s4 = "u992574.dll" ascii
        // Family name (sample-specific)
        $s5 = "PhantomStealer" ascii wide
        // Behavioural and generic strings. Several of these (config.json,
        // the Run key, svchost, rundll32.exe) occur in benign software too,
        // so the condition only counts them in combination.
        $s6 = "config.json" ascii wide
        $s7 = "decrypt_passwords" ascii wide
        $s8 = "get_browser_data" ascii wide
        $s9 = "send_to_c2" ascii wide
        $s10 = "temp\\AppData\\" ascii wide
        $s11 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
        $s12 = "Chrome\\User Data\\Default\\Login Data" ascii wide
        $s13 = "AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" ascii wide
        $s14 = "svchost -k" ascii wide
        $s15 = "rundll32.exe" ascii wide

    condition:
        // PE file (MZ header)
        uint16(0) == 0x5A4D and
        (
            // Known samples by SHA-256, compared through the hash module.
            // The original rule encoded these digests as raw byte patterns
            // ($h1..$h4), which can never match: a file does not contain
            // its own hash.
            hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
            hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
            hash.sha256(0, filesize) == "c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe" or
            hash.sha256(0, filesize) == "e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba" or
            // One sample-specific string is enough on its own; the generic
            // strings must co-occur. The original "1 of ($s*)" fired on any
            // PE that merely mentioned rundll32.exe or config.json.
            1 of ($s1, $s2, $s3, $s4, $s5) or
            3 of ($s6, $s7, $s8, $s9, $s10, $s11, $s12, $s13, $s14, $s15)
        )
}
```

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.