MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a
SHA3-384 hash: 2458bc70fa17a5c554dacce3cbbb5809971205fcabc2a59cceb4ec6f2a69fa03ab290dae136c33be006969493bb31dd2
SHA1 hash: dd7f08cf28ec363324112ce9647549622ec18961
MD5 hash: 5c534ece45f3999364dcb6a4d0f4df33
humanhash: foxtrot-nebraska-island-cup
File name:Andenbehandl.bat
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:436'101 bytes
First seen:2026-02-03 03:45:48 UTC
Last seen:2026-02-03 14:44:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (541 x GuLoader, 115 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:fQ606xV8H+lc7SGd7UP6Vk8YT1D2rxj85F75hvMMutRZYj2sEWIYlw7ZwjTtxrl2:UecGGRUok8lkkMKZ1spIYe7ZgTTl2
TLSH T1E994F1023782E54BCDEC0AB445AF92EF4E76AE7769868A53F2C0F75E7C752C57918200
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
4
# of downloads :
113
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
an XOR decryption key and an extracted component
GuLoader
a c2 URL, a useragent string, and a string XOR key
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/9d1e6f54-5fcf-40c4-aa71-680a0757cedf/
Malware family:
n/a
ID:
1
File name:
Andenbehandl.bat
Verdict:
Malicious activity
Analysis date:
2026-02-03 03:46:48 UTC
Tags:
phantom stealer crypto-regex auto-reg evasion smtp
Link:
https://app.any.run/tasks/b624159e-1bd0-4296-9f83-b67662ee2855

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51397/
Detection(s):
SecuriteInfo.com.W32.Trojan.VTYZ-6100.26647.16985.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69816f9a4cec271dd7054c63
Tags:
injection virus nsis
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
DNS request
Connection attempt
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole installer installer installer-heuristic masquerade microsoft_visual_cc nsis soft-404 unsafe
Link:
https://www.filescan.io/uploads/69816f932ffccda097668cb9/reports/f840faa0-e1d5-4718-b89f-d643525188bb/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Sonbokli_A_cl
Link:
https://www.hybrid-analysis.com/sample/04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-Spy.Agent.SMTP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Guloader.gen Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba HEUR:Trojan.NSIS.GuLoader.gen
Link:
https://opentip.kaspersky.com/04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c4fde7f6-1785-4ba0-ab43-f71b186973d1
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1862136
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Downloads suspicious files via Chrome
Found suspicious ZIP file
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Executable File Creation
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1862136 Sample: Andenbehandl.bat.exe Startdate: 03/02/2026 Architecture: WINDOWS Score: 100 78 youtube-ui.l.google.com 2->78 80 www.youtube.com 2->80 82 57 other IPs or domains 2->82 110 Multi AV Scanner detection for submitted file 2->110 112 Yara detected GuLoader 2->112 114 .NET source code contains potential unpacker 2->114 116 5 other signatures 2->116 9 Andenbehandl.bat.exe 1 34 2->9         started        13 Andenbehandl.bat.exe 24 2->13         started        15 msedge.exe 2->15         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 68 C:\Users\user\AppData\Local\...\System.dll, PE32 9->68 dropped 126 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->126 128 Tries to detect virtualization through RDTSC time measurements 9->128 130 Unusual module load detection (module proxying) 9->130 20 Andenbehandl.bat.exe 26 20 9->20         started        25 Andenbehandl.bat.exe 9->25         started        70 C:\Users\user\AppData\Local\...\System.dll, PE32 13->70 dropped 132 Multi AV Scanner detection for dropped file 13->132 134 Switches to a custom stack to bypass stack traces 13->134 27 Andenbehandl.bat.exe 13->27         started        29 Andenbehandl.bat.exe 13->29         started        106 part-0012.t-0009.fb-t-msedge.net 13.107.226.40, 443, 65296 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->106 108 239.255.255.250, 1900 unknown Reserved 15->108 72 C:\Users\user\AppData\...\Microsoft Edge.lnk, MS 15->72 dropped 31 msedge.exe 15->31         started        33 msedge.exe 15->33         started        35 msedge.exe 15->35         started        39 5 other processes 15->39 37 firefox.exe 18->37         started        file6 signatures7 process8 dnsIp9 84 lodenrandmarines.com 162.251.85.153, 54800, 587 PUBLIC-DOMAIN-REGISTRYUS United States 20->84 86 drive.usercontent.google.com 142.250.188.1, 443, 49751, 49770 GOOGLEUS United States 20->86 92 2 other IPs or domains 20->92 62 C:\Users\user\...\Andenbehandl.bat.exe, PE32 20->62 dropped 64 C:\...\Andenbehandl.bat.exe:Zone.Identifier, ASCII 20->64 dropped 118 Tries to steal Mail credentials (via file / registry access) 20->118 120 Tries to harvest and steal browser information (history, passwords, etc) 20->120 122 Writes to foreign memory regions 20->122 124 3 other signatures 20->124 41 chrome.exe 1 20->41         started        44 msedge.exe 20->44         started        47 chrome.exe 20->47 injected 55 12 other processes 20->55 66 C:\Users\user\...\Andenbehandl.bat.exe.log, ASCII 27->66 dropped 49 Andenbehandl.bat.exe 27->49         started        88 dns.quad9.net 149.112.112.112, 443, 51141, 51641 QUAD9-AS-1US United States 31->88 90 13.107.253.40, 443, 60636 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->90 94 15 other IPs or domains 31->94 51 cookie_exporter.exe 33->51         started        96 9 other IPs or domains 37->96 53 firefox.exe 37->53         started        file10 signatures11 process12 dnsIp13 98 192.168.11.20, 137, 138, 1900 unknown unknown 41->98 57 chrome.exe 41->57         started        74 C:\Users\user\AppData\...\download_cache, COM 44->74 dropped 76 C:\Users\user\AppData\Local\Temp\...\cache, COM 44->76 dropped 60 msedge.exe 44->60         started        file14 process15 dnsIp16 100 142.251.210.46, 443, 49752, 49755 GOOGLEUS United States 57->100 102 googlehosted.l.googleusercontent.com 142.251.41.161, 443, 49759, 49760 GOOGLEUS United States 57->102 104 2 other IPs or domains 57->104
Score:
54%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/5c534ece45f3999364dcb6a4d0f4df33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=atct5nwgovmoz62z3jxtqsmhozafk4fe6guz6ymtjjjroosaunva._file
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:phantom_stealer collection discovery downloader persistence spyware stealer
Link:
https://tria.ge/reports/260203-ebvptshv6g/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects PhantomStealer payload
Guloader family
Guloader,Cloudeye
PhantomStealer
Phantom_stealer family
Unpacked files
SH256 hash:
04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a
MD5 hash:
5c534ece45f3999364dcb6a4d0f4df33
SHA1 hash:
dd7f08cf28ec363324112ce9647549622ec18961
Link:
https://www.unpac.me/results/d289a6bf-e781-487c-902f-38e16fe90bf0/
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
Link:
https://www.unpac.me/results/d289a6bf-e781-487c-902f-38e16fe90bf0/
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/d289a6bf-e781-487c-902f-38e16fe90bf0/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04c53eb6c675/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 04c53eb6c67558ecfb59da6f38498776405570a4f1a99f61934a53173a40a36a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51397/

Comments