Researches on Ahmad Massd — Security Bloghttps://p0peye-blog.pages.dev/categories/researches/Recent content in Researches on Ahmad Massd — Security BlogHugo -- gohugo.ioenahmad.massad.ir@gmail.com (Ahmad Massad)ahmad.massad.ir@gmail.com (Ahmad Massad)© 2026 Ahmad MassadThu, 10 Jul 2025 00:00:00 +0000The Anatomy of Phantom Stealerhttps://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/Thu, 10 Jul 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/<p><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="auto" alt="Phantom Stealer" width="1920" height="1080" src="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_5ce0c37a8458b04f.png" srcset="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_5ce0c37a8458b04f.png 800w, https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_3c426dc241b76d8d.png 1280w" sizes="(min-width: 768px) 50vw, 65vw" data-zoom-src="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image.png"></figure> </p> <h2 class="relative group">Overview <div id="overview" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#overview" aria-label="Anchor">#</a> </span> </h2> <p>Analysis of a malicious VBScript file (<code>LPO_337860.vbs.bin</code>) acting as a loader for <strong>Phantom Infostealer</strong>. The script employs heavy obfuscation, environmental checks, and persistence mechanisms.</p> <p><strong>Sample Information</strong></p> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Filename</td> <td><code>LPO_337860.vbs.bin</code></td> </tr> <tr> <td>MD5</td> <td><code>074a04eafe704a893655025b80beffb6</code></td> </tr> <tr> <td>File Type</td> <td>VBScript</td> </tr> <tr> <td>Threat</td> <td>Phantom Infostealer Loader</td> </tr> </tbody> </table> <hr> <h2 class="relative group">Stage 0 — VBScript Loader (<code>LPO_337860.vbs.bin</code>) <div id="stage-0--vbscript-loader-lpo_337860vbsbin" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#stage-0--vbscript-loader-lpo_337860vbsbin" aria-label="Anchor">#</a> </span> </h2> <p>The initial VBScript acts as a <strong>deobfuscation and file-dropping engine</strong> in two steps:</p>