Pulse name: Technical Deconstruction of a VBScript-Based Delivery Mechanism for Phantom Stealer Leveraging ConfuserEx-Obfuscated .NET Loader
WHITE PetrP.73 2025-07-28 Modified: 2025-08-27
A multi-stage malware delivery chain initiated by a VBScript dropper that fetches and executes a .NET binary obfuscated with ConfuserEx. The payload, identified as Phantom Stealer, employs layered evasion tactics including base64 encoding, reflective loading, and anti-analysis techniques. The article covers static and dynamic analysis of the VBScript, reverse engineering of the obfuscated .NET executable, and telemetry.
Indicators of Compromise (22)