MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78
SHA3-384 hash: cb7059b28f2306e592250a4dd48ec727067ef1b3593f09f080be05b2e8f2635131faa49ab0337d4da9f2a0d1b1f8c222
SHA1 hash: 2cfd3e39c09c261af20a3ce43f1640048bd39834
MD5 hash: 6c59d9536a058f2f0560c90d2f9a187b
humanhash: cardinal-butter-nebraska-mississippi
File name:Order_PO2144R.js
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:4'268'315 bytes
First seen:2025-10-22 06:10:19 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:kjRXa/tGAKj4117Y5SqspVa/gG+Z95bS3Jn3WzBPmPfTWpeHnQi6RDomt92s+QcR:sJaujkj6+ZjErWpIoDomt03R
Threatray 420 similar samples on MalwareBazaar
TLSH T13F16028C078D11D77A3113AC1F3BC639A72945BFAC670D0ABD39E8D94F171E874AAA50
Magika javascript
Reporter lowmal3
Tags:js PhantomStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27200.JsHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Downloader-24.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Downloader-23.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f875ad3edd081eba40a0d8
Tags:
obfuscate xtreme spawn
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint masquerade obfuscated obfuscated overlay powershell
Link:
https://www.filescan.io/uploads/68f876303a79800405f03b5c/reports/1471a0a7-23c9-4d57-800e-94f3b5dce5fe/overview
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78
Verdict:
Malicious
File Type:
js
First seen:
2025-10-21T23:43:00Z UTC
Last seen:
2025-10-24T04:13:00Z UTC
Hits:
~1000
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78/results?tab=lookup
Result
Threat name:
Phantom stealer, Strela Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1799579
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
JavaScript file contains suspicious strings
JavaScript source code contains functionality to generate code involving a shell, file or stream
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Phantom stealer
Yara detected Powershell download and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1799579 Sample: Order_PO2144R.js Startdate: 22/10/2025 Architecture: WINDOWS Score: 100 58 sxcvxzxcvcxz.lovestoblog.com 2->58 60 ia601007.us.archive.org 2->60 62 7 other IPs or domains 2->62 90 Suricata IDS alerts for network traffic 2->90 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 17 other signatures 2->96 11 wscript.exe 1 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 106 Suspicious powershell command line found 11->106 108 Wscript starts Powershell (via cmd or directly) 11->108 110 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->110 112 2 other signatures 11->112 17 powershell.exe 14 15 11->17         started        80 127.0.0.1 unknown unknown 14->80 signatures6 process7 dnsIp8 52 sxcvxzxcvcxz.lovestoblog.com 185.27.134.231, 49697, 80 WILDCARD-ASWildcardUKLimitedGB United Kingdom 17->52 54 ia601007.us.archive.org 207.241.227.37, 49693, 80 INTERNET-ARCHIVEUS United States 17->54 56 archive.org 207.241.224.2, 49692, 80 INTERNET-ARCHIVEUS United States 17->56 82 Found many strings related to Crypto-Wallets (likely being stolen) 17->82 84 Found Tor onion address 17->84 86 Writes to foreign memory regions 17->86 88 Injects a PE file into a foreign processes 17->88 21 AddInProcess32.exe 15 12 17->21         started        25 conhost.exe 17->25         started        signatures9 process10 dnsIp11 72 exczx.com 185.38.151.11, 49764, 587 BANDWIDTH-ASGB United Kingdom 21->72 74 icanhazip.com 104.16.184.241, 49763, 80 CLOUDFLARENETUS United States 21->74 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->98 100 Tries to steal Mail credentials (via file / registry access) 21->100 102 Tries to harvest and steal browser information (history, passwords, etc) 21->102 104 5 other signatures 21->104 27 msedge.exe 109 752 21->27         started        30 firefox.exe 1 21->30         started        32 chrome.exe 21->32 injected 34 8 other processes 21->34 signatures12 process13 dnsIp14 76 192.168.2.8, 138, 443, 49343 unknown unknown 27->76 78 239.255.255.250 unknown Reserved 27->78 36 msedge.exe 27->36         started        39 setup.exe 27->39         started        41 msedge.exe 27->41         started        43 msedge.exe 27->43         started        45 firefox.exe 3 43 30->45         started        process15 dnsIp16 64 part-0013.t-0009.t-msedge.net 13.107.246.41, 443, 49727, 49737 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->64 66 ln-0007.ln-msedge.net 150.171.22.17, 443, 49711 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->66 70 31 other IPs or domains 36->70 48 setup.exe 39->48         started        68 prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216, 443, 49707 GOOGLEUS United States 45->68 114 Monitors registry run keys for changes 45->114 50 firefox.exe 1 45->50         started        signatures17 process18
Score:
9%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
PowerShell
Link:
https://app.malva.re/file/6c59d9536a058f2f0560c90d2f9a187b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2025-10-22 06:11:52 UTC
File Type:
Binary
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7hnnbdbzftglf7b3zotu2ncdgw2rfpdlq4c5ludxu5edemmvv4a._file
Verdict:
malicious
Label(s):
xenostealer
Create hunting rule
Similar samples:
0462d2a890595de741f9a29fb99102e43ce72cfe000aff7afbc749771c8bd819
PhantomStealer
0ca7ce88b276ce6eba7b63afc93dc0176c0a58b1869097d0902713903d82a927
PhantomStealer
3975996e48050e31858381e0a8adacd0eb43f7417af5d344323e4b4c22045052
PhantomStealer
5c7e1748a2ae4b30582415c1d9ca76542871c68ebc9e21f8772259d365675dfb
PhantomStealer
9acd0901461dd314c6c2eb2d5f4e9dd8867d3bdadd50cd696a4ee809e346ca71
PhantomStealer
db4ba887fbffce0421ef201fd572c3ce93e4d6ecdbd1c13e2707d1d02b2c4f65
PhantomStealer
dc60b3a787e014b5ed9ef2a3eb0d7b7d93ed800d0524a10d0eb8447d47b43926
PhantomStealer
error
PhantomStealer
fa4a8617c2f42af34d02ae881916a128ac30549f3c848fb4e72d37c8ee55aeb1
PhantomStealer
+ 410 additional samples on MalwareBazaar
Result
Malware family:
phantomstealer
Create hunting rule
Score:
  10/10
Tags:
family:phantomstealer collection discovery execution persistence
Link:
https://tria.ge/reports/251022-gyzcmshs7a/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Phantomstealer family
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://archive.org/download/msi-pro-with-b-64_20251021_1736/MSI_PRO_with_b64.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Java Script (JS) js 17ced68461c9666597e1de5d3a69a219ada895e35c382eae83bd3a41918cad78

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments