Threat name:
KeyLogger, Phantom stealer, PhantomGate,
Alert
Classification:
troj.spyw.expl.evad
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Browser instances using unsafe startup parameters
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Creates processes via WMI
Excessive usage of taskkill to terminate processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious Parent Double Extension File Execution
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected PhantomGate
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Strela Stealer
behaviorgraph
top1
dnsIp2
2
Behavior Graph
ID:
1900188
Sample:
Factura.PDF.js
Startdate:
17/04/2026
Architecture:
WINDOWS
Score:
100
86
shed.dual-low.part-0012.t-0009.t-msedge.net
2->86
88
shed.dual-low.part-0010.t-0009.t-msedge.net
2->88
90
14 other IPs or domains
2->90
114
Sigma detected: Register
Wscript In Run Key
2->114
116
Suricata IDS alerts
for network traffic
2->116
118
Found malware configuration
2->118
120
28 other signatures
2->120
10
powershell.exe
15
20
2->10
started
15
powershell.exe
2->15
started
17
powershell.exe
2->17
started
19
10 other processes
2->19
signatures3
process4
dnsIp5
96
banglabillboard.com
151.106.120.124, 443, 49698, 49773
PLUSSERVER-ASN1DE
Germany
10->96
98
hasteb.in
45.33.64.25, 443, 49697, 49767
LINODE-APLinodeLLCUS
United States
10->98
84
C:\ProgramData84r1.js, ASCII
10->84
dropped
138
Suspicious powershell
command line found
10->138
140
Found many strings related
to Crypto-Wallets (likely
being stolen)
10->140
142
Creates multiple autostart
registry keys
10->142
21
RegAsm.exe
6
10->21
started
24
powershell.exe
12
10->24
started
26
conhost.exe
10->26
started
144
Writes to foreign memory
regions
15->144
146
Injects a PE file into
a foreign processes
15->146
28
RegAsm.exe
15->28
started
30
powershell.exe
15->30
started
32
conhost.exe
15->32
started
34
powershell.exe
17->34
started
36
2 other processes
17->36
100
127.0.0.1
unknown
unknown
19->100
148
Wscript starts Powershell
(via cmd or directly)
19->148
150
Windows Scripting host
queries suspicious COM
object (likely to drop
second stage)
19->150
152
Suspicious execution
chain found
19->152
154
Creates processes via
WMI
19->154
38
6 other processes
19->38
file6
signatures7
process8
signatures9
122
Queries sensitive video
device information (via
WMI, Win32_VideoController,
often done to detect
virtual machines)
21->122
124
Writes to foreign memory
regions
21->124
126
Allocates memory in
foreign processes
21->126
134
2 other signatures
21->134
40
msedge.exe
21->40
started
52
6 other processes
21->52
43
cmd.exe
1
24->43
started
46
conhost.exe
24->46
started
128
Creates a thread in
another existing process
(thread injection)
28->128
130
Injects a PE file into
a foreign processes
28->130
54
10 other processes
28->54
56
2 other processes
30->56
48
cmd.exe
34->48
started
50
conhost.exe
34->50
started
132
Creates multiple autostart
registry keys
38->132
58
4 other processes
38->58
process10
dnsIp11
92
192.168.2.8, 138, 443, 49465
unknown
unknown
40->92
94
239.255.255.250
unknown
Reserved
40->94
60
msedge.exe
40->60
started
70
4 other processes
40->70
136
Excessive usage of taskkill
to terminate processes
43->136
63
taskkill.exe
1
43->63
started
72
3 other processes
43->72
74
4 other processes
48->74
66
firefox.exe
52->66
started
68
chrome.exe
54->68
started
76
4 other processes
56->76
78
4 other processes
58->78
signatures12
process13
dnsIp14
102
part-0012.t-0009.t-msedge.net
13.107.246.40, 443, 49691, 49695
MICROSOFT-CORP-MSN-AS-BLOCKUS
United States
60->102
104
ax-0001.ax-msedge.net
150.171.27.10, 443, 49727
MICROSOFT-CORP-MSN-AS-BLOCKUS
United States
60->104
112
36 other IPs or domains
60->112
156
Creates processes via
WMI
63->156
106
mozilla.map.fastly.net
151.101.1.91, 443, 49706
FASTLYUS
United States
66->106
158
Monitors registry run
keys for changes
66->158
80
firefox.exe
66->80
started
108
googlehosted.l.googleusercontent.com
142.250.72.1, 443, 49787, 49806
GOOGLEUS
United States
68->108
110
clients2.googleusercontent.com
68->110
82
setup.exe
70->82
started
signatures15
process16
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.