MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09c564be2f8f5bf7b36d789215e94124c85adb340ceae9cf818e2912ed6c8a31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash: 09c564be2f8f5bf7b36d789215e94124c85adb340ceae9cf818e2912ed6c8a31
SHA3-384 hash: b54aa149ead658d76c40d71617ae78e0a261bb96d386de51bf3a479d4594533ff00342ae673c0cfc552d5c10d48ed9e3
SHA1 hash: 0b0d6abe4b03e22f3cb30f5d8ec343a1519300ac
MD5 hash: 774ca41497a8c16052553bfcab2d0ceb
humanhash: bravo-pasta-rugby-autumn
File name:PURCHASE ORDER DOCUMENT23062026.js
Download: download sample
Signature PhantomStealer
File size:4'626'623 bytes
First seen:2026-06-22 15:18:28 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 49152:MzwcPf7rpPll05cNZUiETcqyMU87KFaVKUnel6IrzB:U
TLSH T10226021189C42FB5CFAC5A1C90FE160EE3E14A8F5416798AEB33FD46AFE7504460B1B9
Magika javascript
Reporter abuse_ch
Tags:js PhantomStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
127
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
90.2%
Tags:
vmdetect spam
Verdict:
Malicious
File Type:
js
First seen:
2026-06-22T06:49:00Z UTC
Last seen:
2026-06-23T23:46:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.MSIL.Stealerium.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Discord.sb HEUR:Trojan.Script.Generic Trojan.Win32.InjectorNetT.s PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Agent.sb HEUR:Worm.Script.Generic Trojan-Dropper.JS.SDrop.sb Trojan.MSIL.DOTHETUK.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.spyw.expl
Score:
100 / 100
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Browser instances using unsafe startup parameters
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
JavaScript file contains suspicious strings
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1931975 Sample: PURCHASE ORDER DOCUMENT2306... Startdate: 22/06/2026 Architecture: WINDOWS Score: 100 70 telemetry-incoming.r53-2.services.mozilla.com 2->70 72 teams-mrc-ww-acdcatm.trafficmanager.net 2->72 74 26 other IPs or domains 2->74 104 Malicious sample detected (through community Yara rule) 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 Yara detected Powershell decode and execute 2->108 110 4 other signatures 2->110 12 wscript.exe 3 2->12         started        signatures3 process4 file5 64 C:\Temp\ps_VqpZgXDpqZqL_1782150644064.ps1, ASCII 12->64 dropped 126 Suspicious powershell command line found 12->126 128 Wscript starts Powershell (via cmd or directly) 12->128 130 Bypasses PowerShell execution policy 12->130 132 3 other signatures 12->132 16 powershell.exe 16 12->16         started        signatures6 process7 signatures8 100 Writes to foreign memory regions 16->100 102 Injects a PE file into a foreign processes 16->102 19 aspnet_compiler.exe 15 9 16->19         started        23 aspnet_compiler.exe 16->23         started        25 conhost.exe 16->25         started        27 4 other processes 16->27 process9 dnsIp10 76 icanhazip.com 104.16.185.241, 53832, 80 CLOUDFLARENET-CloudflareIncUS Canada 19->76 78 mail.factorycolchon.es 86.109.171.70, 53833, 587 ABANSYS_AND_HOSTYTEC-ASCCharlesRobertDarwin11ES Spain 19->78 112 Tries to steal Mail credentials (via file / registry access) 19->112 114 Tries to harvest and steal browser information (history, passwords, etc) 19->114 116 Writes to foreign memory regions 19->116 124 3 other signatures 19->124 29 msedge.exe 19->29         started        34 firefox.exe 2 19->34         started        36 chrome.exe 1 19->36         started        38 17 other processes 19->38 118 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->118 120 Browser instances using unsafe startup parameters 23->120 122 Switches to a custom stack to bypass stack traces 23->122 signatures11 process12 dnsIp13 94 mr-b01.tm-azurefd.net 150.171.109.184, 443, 59457 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS South Africa 29->94 96 239.255.255.250, 1900 unknown ZZ 29->96 66 C:\Users\user\AppData\...\download_cache, COM 29->66 dropped 68 C:\Users\user\AppData\Local\Temp\...\cache, COM 29->68 dropped 134 Monitors registry run keys for changes 29->134 136 Maps a DLL or memory area into another process 29->136 40 msedge.exe 29->40         started        42 msedge.exe 29->42         started        44 msedge.exe 29->44         started        52 3 other processes 29->52 47 firefox.exe 3 105 34->47         started        98 192.168.11.20, 137, 138, 1900 unknown unknown 36->98 50 chrome.exe 36->50         started        file14 signatures15 process16 dnsIp17 54 cookie_exporter.exe 40->54         started        56 cookie_exporter.exe 42->56         started        80 svc.ms-acdc-teams.office.com 52.123.251.71, 443, 64167 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS United States 44->80 88 2 other IPs or domains 44->88 82 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49726, 49728, 80 GOOGLE-CLOUD-PLATFORM-GoogleLLCUS United States 47->82 90 5 other IPs or domains 47->90 138 Monitors registry run keys for changes 47->138 58 firefox.exe 47->58         started        84 www.google.com 142.251.157.119, 443, 49709 GOOGLE-GoogleLLCUS United States 50->84 86 googlehosted.l.googleusercontent.com 142.251.211.65, 443, 49711, 49712 GOOGLE-GoogleLLCUS United States 50->86 92 3 other IPs or domains 50->92 signatures18 process19 process20 60 WerFault.exe 54->60         started        62 WerFault.exe 56->62         started       
Gathering data
Threat name:
Script-JS.Trojan.Heuristic
Status:
Malicious
First seen:
2026-06-22 15:22:39 UTC
File Type:
Text (JavaScript)
AV detection:
12 of 38 (31.58%)
Threat level:
  2/5
Result
Malware family:
phantom_stealer
Score:
  10/10
Tags:
family:phantom_stealer collection defense_evasion discovery execution persistence stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
Family: PhantomStealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Rule name:Cerberus
Author:Jean-Philippe Teissier / @Jipe_
Description:Cerberus
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:SUSP_obfuscated_JS_obfuscatorio
Author:@imp0rtp3
Description:Detect JS obfuscation done by the js obfuscator (often malicious)
Reference:https://obfuscator.io
Rule name:telebot_framework
Author:vietdx.mb
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments