Threat name:
KeyLogger, Phantom stealer
Alert
Classification:
spre.troj.spyw.expl.evad
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Browser instances using unsafe startup parameters
Bypasses PowerShell execution policy
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected large data written to user environment variables, potentially indicating payload staging for fileless execution
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: MSBuild connects to smtp port
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Environment Variable Has Been Registered
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
behaviorgraph
top1
dnsIp2
2
Behavior Graph
ID:
1942901
Sample:
FedEx64759937599.js
Startdate:
15/07/2026
Architecture:
WINDOWS
Score:
100
70
gimas.bg
2->70
72
resc.cloudinary.com.cdn.cloudflare.net
2->72
74
7 other IPs or domains
2->74
102
Suricata IDS alerts
for network traffic
2->102
104
Found malware configuration
2->104
106
Malicious sample detected
(through community Yara
rule)
2->106
108
22 other signatures
2->108
11
wscript.exe
1
2->11
started
13
wscript.exe
13
3
2->13
started
signatures3
process4
file5
17
powershell.exe
14
15
11->17
started
21
powershell.exe
11->21
started
62
C:\...\FedEx64759937599.js:Zone.Identifier, ASCII
13->62
dropped
64
C:\Users\user\AppData\...\FedEx64759937599.js, Unicode
13->64
dropped
118
Suspicious powershell
command line found
13->118
120
Wscript starts Powershell
(via cmd or directly)
13->120
122
Drops script or batch
files to the startup
folder
13->122
124
5 other signatures
13->124
signatures6
process7
dnsIp8
66
cloudinary.map.fastly.net
151.101.65.137, 443, 49747
FASTLY-FastlyIncUS
Canada
17->66
94
Found many strings related
to Crypto-Wallets (likely
being stolen)
17->94
96
Writes to foreign memory
regions
17->96
98
Injects a PE file into
a foreign processes
17->98
100
Contains functionality
to check if a debugger
is running (CheckRemoteDebuggerPresent)
17->100
23
MSBuild.exe
15
12
17->23
started
27
conhost.exe
17->27
started
68
resc.cloudinary.com.cdn.cloudflare.net
104.16.79.6, 443, 49753
CLOUDFLARENET-CloudflareIncUS
Canada
21->68
29
conhost.exe
21->29
started
31
MSBuild.exe
21->31
started
33
MSBuild.exe
21->33
started
35
MSBuild.exe
21->35
started
signatures9
process10
dnsIp11
76
gimas.bg
195.191.149.33, 49799, 587
SUPERHOSTING_ASBG
Bulgaria
23->76
78
icanhazip.com
104.16.185.241, 49798, 80
CLOUDFLARENET-CloudflareIncUS
Canada
23->78
110
Queries sensitive video
device information (via
WMI, Win32_VideoController,
often done to detect
virtual machines)
23->110
112
Tries to steal Mail
credentials (via file
/ registry access)
23->112
114
Tries to harvest and
steal browser information
(history, passwords,
etc)
23->114
116
6 other signatures
23->116
37
firefox.exe
1
23->37
started
39
msedge.exe
23->39
started
42
chrome.exe
23->42
injected
44
10 other processes
23->44
signatures12
process13
dnsIp14
46
firefox.exe
2
42
37->46
started
80
192.168.2.5, 443, 49214, 49736
unknown
unknown
39->80
82
239.255.255.250
unknown
ZZ
39->82
50
msedge.exe
39->50
started
52
setup.exe
39->52
started
54
msedge.exe
39->54
started
56
msedge.exe
39->56
started
process15
dnsIp16
84
mozilla.map.fastly.net
151.101.1.91, 443, 49752
FASTLY-FastlyIncUS
Canada
46->84
86
127.0.0.1
unknown
unknown
46->86
126
Monitors registry run
keys for changes
46->126
58
firefox.exe
1
46->58
started
88
150.171.109.183, 443, 49791, 49792
MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS
South Africa
50->88
90
mr-b01.tm-azurefd.net
150.171.109.73, 443, 49768
MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS
South Africa
50->90
92
32 other IPs or domains
50->92
60
setup.exe
52->60
started
signatures17
process18
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.