MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 131e5a9bdeea0a91fb744d30aef33159f1cb7882d113500a26d61a79027d49df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments

SHA256 hash: 131e5a9bdeea0a91fb744d30aef33159f1cb7882d113500a26d61a79027d49df
SHA3-384 hash: 90b419985b72befba991c72bddce6e37165266a962ddf7148c532e8807dff6c0f8850bc1b799a060d60ac27b4bd51743
SHA1 hash: b650ea99883b358124fd28725e52598f04243916
MD5 hash: e8b0a12fc2241c24227571a5265d40cd
humanhash: india-sink-hamper-lion
File name:062G002289.JS
Download: download sample
Signature PhantomStealer
File size:4'017'446 bytes
First seen:2026-07-14 10:13:51 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 98304:6dYYxa7FpnfQhYSnSuNLn674a9tN6XQBxp5evKiJc2A5AjOM4zT:DLPfQ+SnSuN+f6XmXf51
Threatray 487 similar samples on MalwareBazaar
TLSH T185064B1287286471B62ED32CE136AF68458E2007219DDF5D34BE0764FB56F47A78CAE3
Magika javascript
Reporter abuse_ch
Tags:js PhantomStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
137
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
81.4%
Tags:
infosteal emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug dropper evasive obfuscated obfuscated packed repaired
Verdict:
Malicious
File Type:
js
First seen:
2026-07-14T06:28:00Z UTC
Last seen:
2026-07-16T08:39:00Z UTC
Hits:
~10000
Result
Threat name:
DonutLoader, Phantom stealer, chromEleva
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected chromElevator
Yara detected DonutLoader
Yara detected Phantom stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1942076 Sample: 062G002289.JS.js Startdate: 14/07/2026 Architecture: WINDOWS Score: 100 36 release-assets.githubusercontent.com 2->36 38 github.com 2->38 40 ftp.episcenergy.com 2->40 50 Malicious sample detected (through community Yara rule) 2->50 52 Yara detected chromElevator 2->52 54 Yara detected DonutLoader 2->54 56 4 other signatures 2->56 9 wscript.exe 1 3 2->9         started        signatures3 process4 signatures5 58 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->58 60 Suspicious execution chain found 9->60 62 WScript reads language and country specific registry keys (likely country aware script) 9->62 12 EPPWRPHISNKTXUJK.PIF 15 98 9->12         started        process6 dnsIp7 42 ftp.episcenergy.com 162.0.235.190, 12070, 21, 49707 NAMECHEAP-NET-NamecheapIncUS United States 12->42 44 github.com 140.82.113.4, 443, 49704 GITHUB-GitHubIncUS United States 12->44 46 release-assets.githubusercontent.com 185.199.108.133, 443, 49705 FASTLY-FastlyIncUS United States 12->46 28 C:\Users\user\AppData\...\ZIPXYXWIOY.pdf, ASCII 12->28 dropped 30 C:\Users\user\AppData\...30WCXBPIUYI.png, ASCII 12->30 dropped 32 C:\Users\user\AppData\...\ZIPXYXWIOY.pdf, ASCII 12->32 dropped 34 2 other malicious files 12->34 dropped 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->64 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->66 68 Tries to steal Mail credentials (via file / registry access) 12->68 70 7 other signatures 12->70 17 cmd.exe 1 12->17         started        20 RegAsm.exe 2 12->20         started        22 conhost.exe 12->22         started        file8 signatures9 process10 signatures11 48 Uses schtasks.exe or at.exe to add and modify task schedules 17->48 24 schtasks.exe 1 17->24         started        26 conhost.exe 20->26         started        process12
Gathering data
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution spyware stealer
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
Malware family:
ChromElevator
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments