MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
SHA3-384 hash: 0d4d9ebfc4374db5831775b930173eba2de1b692c0920fe52a60c480dbaf578777430df533037fd9f12795d9cd740e15
SHA1 hash: 166cbe652138b5c0df9bf06e47c4a6640ca10a6c
MD5 hash: 573b9d51e785fdaab3d10fb590e70aa0
humanhash: pluto-coffee-avocado-batman
File name:z1Payment.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'705'992 bytes
First seen:2026-03-20 00:30:28 UTC
Last seen:2026-03-20 01:23:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'775 x Formbook, 12'298 x SnakeKeylogger)
ssdeep 24576:Kjch15rhUMJ2RV1OjSXG2oFG+1mboHyiBBtoP/WptnynMConA9IOB9VKhYT:HJUMJ+V1OuaM+1ieVrmXW/Ktqvm9VKa
Threatray 438 similar samples on MalwareBazaar
TLSH T15B851251EB9AC813E4AA5B32C5E1E97403B0AD5AE512C24B2FE03FDB38537534E86747
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter FXOLabs
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
BR BR
Vendor Threat Intelligence
Malware configuration found for:
NETReactor RoboSki
Details
NETReactor
decrypted strings
RoboSki
a decrypted ReZer0 component and possibly a decryption component
Link:
https://research.acce.ciphertechsolutions.com/results/0730a851-ee81-4db6-8b9f-63ae90386e9d/
Malware family:
n/a
ID:
1
File name:
z1Payment.exe
Verdict:
Malicious activity
Analysis date:
2026-03-20 00:32:54 UTC
Tags:
netreactor auto-startup stealer evasion phantom crypto-regex
Link:
https://app.any.run/tasks/0b2f79d6-b052-43f2-bb3e-0d90dea1b000

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.41723818.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bc955388c80c01586c3dac
Tags:
injection autorun obfusc shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt expired-cert invalid-signature krypt masquerade net_reactor obfuscated packed packed signed unsafe vbnet
Link:
https://www.filescan.io/uploads/69bc9552493cb7d62d07d065/reports/012179bd-6235-41d8-a5d0-aa96d4ec4c2d/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Trojan.WinLNK.Powecod.e PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb HEUR:Trojan.MSIL.Crypt.gen
Link:
https://opentip.kaspersky.com/08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0e025a92-e5b1-4bab-87ae-828ebb2122b6
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2026-03-20 00:31:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bcq7tsrtlqmv2auol5d3st36hnljiuzswx2qh33azw52thbhtghq._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
2668463d825a3d26122620b38be9d8333c42e82f7db13287d38c3aa005d9962f
PhantomStealer
66158410eadaa76f6a183087c95b694a1404641be3a16b3b704f4cd56e53f20c
PhantomStealer
78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77
PhantomStealer
893179d3512d7976f223b654ad67c92a94bd10852630a14b2ee19a386212ab56
PhantomStealer
dbbb1c1ad17996d18e3e28537e0188b204657e87b8cb495e05bdb36c75cae466
PhantomStealer
dc7a11ef820d870392aed8173f3996a3218fc0b3fb7f67114f558533a7758102
PhantomStealer
ec5b91ad14060b955dec4c1fcd63be9d63d66185d463ea785e5f888eee460f0b
PhantomStealer
error
PhantomStealer
+ 428 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260320-at6gtsgv4s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
PhantomStealer
Phantom_stealer family
Unpacked files
SH256 hash:
08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
MD5 hash:
573b9d51e785fdaab3d10fb590e70aa0
SHA1 hash:
166cbe652138b5c0df9bf06e47c4a6640ca10a6c
Link:
https://www.unpac.me/results/ad9ce002-9878-4080-9cd3-e7f01fb5957c/
SH256 hash:
7533296a55ea4f5d4e83031fa146b9110f736c1f0c758a44a24ceea2a13811f8
MD5 hash:
ea50793d6d949aca7334f3106ca16100
SHA1 hash:
4e6677c48cda6f2192e5bc408464d10e02b0b3b0
Detections:
phantom_stealer
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Link:
https://www.unpac.me/results/ad9ce002-9878-4080-9cd3-e7f01fb5957c/
SH256 hash:
b9abdf181a8746c43cd3665ce5c45ff33ddb8916b400454a26b2cb3e346bc194
MD5 hash:
e29ddeebef1fd4ef69698fa2ee7b1d65
SHA1 hash:
919b0e3bfc023f595dfb4e83688a96970dc5fa2b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/ad9ce002-9878-4080-9cd3-e7f01fb5957c/
Parent samples :
8b012d3d775bd32f503cb84a6889d786c06623eeb8c840bd8c03073971530f52
88e156291d0a765e5c9b60daa6bd53c6ad75022e63ab286effe120aa6c16c222
316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
046ebdd9e30338c5c6880ca8e8c7da3c37a3fd05611e9c21310ec5989f98095a
9612b142e2991ff8c9b66b283b9727cd8d2b5afff8521e8bb8806d36dcab5c43
08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
f034f4756f307c1c27424059cec7bc7f975493377588e086ea94721b38a68999
6a3368fb5ffab1283df539c6f17cb1244b563f5a3ad94d96adcde2dcadab66ae
7c40815633530147ad907fdc252aad2761fe35088020db35c4325dcc0f4d3329
SH256 hash:
32ead95abc291294b1c6e85d239f9bad45c50077467d721d15d20cbf18baf8f9
MD5 hash:
6e519f7d52f922ded995bbf3670e621f
SHA1 hash:
9a4def667ea6817ca2a6c5d3c118b64e4e10242b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ad9ce002-9878-4080-9cd3-e7f01fb5957c/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08a1f9ca335c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58240/

Comments