MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06bc4fd02eabf732a7ff79be72f328089b3df38884db3e71382a2145eef0a841. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash:	06bc4fd02eabf732a7ff79be72f328089b3df38884db3e71382a2145eef0a841
SHA3-384 hash:	a96bbea1130a3902600274053f7803db861ae43e8623fc89ea14179b7b73278b0faa0b597034798ccae0335c3882f696
SHA1 hash:	20ba0f1a65a906fb444b68ec7efc7ab1a5d35bf2
MD5 hash:	f53b9b542a1f34a50e7fde104b634249
humanhash:	ink-emma-sodium-maine
File name:	PO] G_24370-24396_SI2_S25_8658.tar
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'262'592 bytes
First seen:	2025-09-26 13:33:21 UTC
Last seen:	Never
File type:	tar
MIME type:	application/x-tar
ssdeep	24576:CeAjDugyRwSJ3CydXcksCYPvU8liOTTOJiFNZ+FeNbhX0Wyfw1:Cpnug3SJ3VdXcQZ8liOWJOOUNbhX0Vf
TLSH	T13845124223AAEA03D4B76BF019B0C7B557716DC97921D3834EEA7CDFB834740A981693
TrID	62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3) 37.0% (.TAR) TAR - Tape ARchive (file) (10/3)
Magika	tar
Reporter	cocaman
Tags:	PhantomStealer tar

cocaman

Malicious email (T1566.001)
From: "IMX_SPW/Hanna <imx-spw@intermaxco.com>" (likely spoofed)
Received: "from intermaxco.com (216-131-112-239.ams.as62651.net [216.131.112.239]) "
Date: "26 Sep 2025 06:32:10 -0700"
Subject: "=?UTF-8?B?UkU6IOWbnuWkjTogW01QT10gR18yNDM3MC0yNDM5Nl9TSTJfUzI1Xzg2NTg=?="
Attachment: "PO] G_24370-24396_SI2_S25_8658.tar"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PO] G_24370-24396_SI2_S25_8658.exe
File size:	1'260'552 bytes
SHA256 hash:	36a306d0643b19d103ba849a2c3bac0c27053db99acd33e30d11e7be889cf3c4
MD5 hash:	1d6593d1823c86c9fbd6d611ff30bc3d
MIME type:	application/x-dosexec
Signature	PhantomStealer

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d69634fb8bc5050e4f12ab

Tags:

keylog spawn word

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

expired-cert invalid-signature packed signed vbnet

Link:

https://www.filescan.io/uploads/68d69630674d5fd6aa0da314/reports/bb250887-f1aa-41a7-b633-4e6e6998f635/overview

Verdict:

Suspicious

Labled as:

Mal/DrodTar

Link:

https://www.hybrid-analysis.com/sample/06bc4fd02eabf732a7ff79be72f328089b3df38884db3e71382a2145eef0a841

Verdict:

Malicious

File Type:

tar

First seen:

2025-09-26T04:05:00Z UTC

Last seen:

2025-09-26T04:05:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/06bc4fd02eabf732a7ff79be72f328089b3df38884db3e71382a2145eef0a841/results?tab=lookup

Score:

94%

Verdict:

Malware

File Type:

Result

Malware family:

phantomstealer

Score:

10/10

Tags:

family:phantomstealer collection discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/250926-q6cnaaysg1/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Phantomstealer family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/06bc4fd02eabf732a7ff79be72f328089b3df38884db3e71382a2145eef0a841

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win32_dotnet_form_obfuscate Create hunting rule
Author:	Reedus0
Description:	Rule for detecting .NET form obfuscate malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

tar 06bc4fd02eabf732a7ff79be72f328089b3df38884db3e71382a2145eef0a841

(this sample)

PhantomStealer

exe 36a306d0643b19d103ba849a2c3bac0c27053db99acd33e30d11e7be889cf3c4

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 36a306d0643b19d103ba849a2c3bac0c27053db99acd33e30d11e7be889cf3c4

Dropping

MD5 1d6593d1823c86c9fbd6d611ff30bc3d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample