MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568
SHA3-384 hash: 22b2c6da69992741b8cf02709bc51d43fa2cd7a4471747193e9e3c5387557dff40510f681d5225a9e98cd056cc5695af
SHA1 hash: 4e1e0e1fba8ed0ea5472a5a22447757e3973fbbb
MD5 hash: a0d6cee5bbb56e8975314415d5e3e370
humanhash: wisconsin-paris-music-king
File name:NEW PO SMART CHINA.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:2'770'432 bytes
First seen:2025-09-16 10:18:23 UTC
Last seen:2025-10-10 06:36:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c9596ccdffde444fa435c5f9042f7548 (3 x PhantomStealer, 1 x Expiro, 1 x AgentTesla)
ssdeep 49152:YG1MzKXbv3L8X3Eb72Aason5mkAo26Q0bNiRpCw89Cgatl238:qXEEbApZ
TLSH T167D5CF16E3E805B8D527D638CA518333D6B0B8520765E58F0A9DEA192F33E909F3F316
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter cocaman
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW PO SMART CHINA.7z
Verdict:
Suspicious activity
Analysis date:
2025-09-16 10:20:25 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/67962620-053e-433e-9e4f-592fe229e0a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27714/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.66333411.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c93984d49ea3f1e4b65e87
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Searching for the window
Forced system process termination
Creating a file
Launching a tool to kill processes
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto fingerprint hacktool microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68c9398edbc6f5a29c475a85/reports/78a26422-a22a-4339-a1c8-145839921747/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-14T23:43:00Z UTC
Last seen:
2025-09-14T23:43:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568/results?tab=lookup
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec3cb532-31ed-4c1c-83e1-e6b69111a687
Result
Threat name:
Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778409
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Download SVG
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/a0d6cee5bbb56e8975314415d5e3e370
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568/
Threat name:
Win64.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-15 03:18:32 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fio3yd76qtg4xp6pk43atojrhtjsgxv2xztk35yhyewyxf6ygvua._file
Verdict:
malicious
Label(s):
xenostealer
Create hunting rule
Similar samples:
error
PhantomStealer
Result
Malware family:
phantomstealer
Create hunting rule
Score:
  10/10
Tags:
family:phantomstealer defense_evasion discovery
Link:
https://tria.ge/reports/250916-mcf7tsbm4w/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Phantomstealer family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8c01b1b0-27c3-4d64-92f7-949d16c01484
Unpacked files
SH256 hash:
2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568
MD5 hash:
a0d6cee5bbb56e8975314415d5e3e370
SHA1 hash:
4e1e0e1fba8ed0ea5472a5a22447757e3973fbbb
Link:
https://www.unpac.me/results/9e10a881-7666-4ace-9e8f-f234a146244f/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a1dbc0ffe84/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

7z 1d181f5e6c6902c71623eb9ed0553286bc168dc57d4c76b23e76bc8264316374

PhantomStealer

Executable exe 2a1dbc0ffe84cdcbbfcf573609b9313cd3235ebabe66adf707c12d8b97d83568

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1d181f5e6c6902c71623eb9ed0553286bc168dc57d4c76b23e76bc8264316374
Cape
Cape
https://www.capesandbox.com/analysis/27714/
  
Dropped by
MD5 699faff041697117f10c2d68813b9b82

Comments