MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d13e31b0ff25e3ff2e564ae518a72e7cca222174565bcda0d2e15154a4ec46b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash: 0d13e31b0ff25e3ff2e564ae518a72e7cca222174565bcda0d2e15154a4ec46b
SHA3-384 hash: c52098254a76c10affd6053753c018095cab9803058b14621a257babb2ca203497cf1c7a9f180c268fb8861b1d044888
SHA1 hash: ca00e4703ff791fb3fe70ef32e49065e62947f7b
MD5 hash: e6cf5f821a8bb4d771421547f6bcb83d
humanhash: lion-moon-butter-mexico
File name:0d13e31b0ff25e3ff2e564ae518a72e7cca222174565bcda0d2e15154a4ec46b
Download: download sample
Signature PhantomStealer
File size:747'336 bytes
First seen:2026-06-08 09:19:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 573bb7b41bc641bd95c0f5eec13c233b (53 x GuLoader, 31 x RemcosRAT, 22 x AgentTesla)
ssdeep 12288:b+99qAKgwu+DgQm08gOmEb/ezdlPdaHNLsUXAWohV75/wwZ:b+zqAKBhgQP8gOBKfMHN4AAWoBBZ
TLSH T13AF42315B0E9E136C487517004A578E396D7FEBF17A96E0B32801F2F6CB1999DF0D24A
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 5c72e0f06464e0a8 (1 x PhantomStealer)
Reporter adrian__luca
Tags:exe PhantomStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
69
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
Verdict:
Malicious
Score:
95.7%
Tags:
injection obfusc virus nsis
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Creating a file
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug evasive fingerprint installer installer installer-heuristic microsoft_visual_cc nsis reconnaissance
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-06T23:18:00Z UTC
Last seen:
2026-06-09T20:25:00Z UTC
Hits:
~1000
Gathering data
Threat name:
Win32.Trojan.Kepavll
Status:
Malicious
First seen:
2026-05-07 03:05:48 UTC
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Result
Malware family:
phantom_stealer
Score:
  10/10
Tags:
family:guloader family:phantom_stealer collection discovery downloader persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Detects PhantomStealer written in C#
Family: Guloader,Cloudeye
Family: PhantomStealer
Unpacked files
SH256 hash:
0d13e31b0ff25e3ff2e564ae518a72e7cca222174565bcda0d2e15154a4ec46b
MD5 hash:
e6cf5f821a8bb4d771421547f6bcb83d
SHA1 hash:
ca00e4703ff791fb3fe70ef32e49065e62947f7b
SH256 hash:
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
MD5 hash:
9b38a1b07a0ebc5c7e59e63346ecc2db
SHA1 hash:
97332a2ffcf12a3e3f27e7c05213b5d7faa13735
SH256 hash:
b1350f487692057c8ffde75dcc55287a52a3272240d4d4912f24464b27551fc0
MD5 hash:
8f0e7415f33843431df308bb8e06af81
SHA1 hash:
1314272e6ad3be1985d4a1607b890a34b0bde8b5
Malware family:
PhantomStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments