MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926
SHA3-384 hash: 277379a6fa5db3c744e70f79089ffb2b4c2cdc1b34d686aa69116ba5763c495a7ce09de1fb10d431f6041f3fe17c15a5
SHA1 hash: 6024cf55c2a5fb319f88aba902bb81ed7d39fa62
MD5 hash: b8637306748bc54f6bf3a5e5c13132b9
humanhash: hot-xray-kilo-muppet
File name:z49FedexShippingDocument.bat
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'126'242 bytes
First seen:2026-03-20 15:00:20 UTC
Last seen:2026-03-23 13:09:04 UTC
File type:Batch (bat) bat
MIME type:text/html
ssdeep 12288:KFJpa4tFsE4tp1FlQJYhzEldPt+AuYSi2yb8zCLS8tc3V3HWWx1dtjPD7dtKUaic:KFfa4XCtplhhG10xEil3xntjPVBaaguG
Threatray 3'284 similar samples on MalwareBazaar
TLSH T1BC35021249C86FB5CFAD1A1890FE161E63F09A8B4416768EEB73BD46AFF7444410B1D8
Magika batch
Reporter FXOLabs
Tags:bat PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
BR BR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
ccec344bb7140a1983cb93ba85758e508482e4e9c498d57ef878912a08a331b2.zip
Verdict:
No threats detected
Analysis date:
2026-03-20 09:12:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e447b05e-2352-4a61-8c02-e0e117cc20b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.VBS.Obfuscated-gen.88518566.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bbd8a188c80c01586bf433
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Verdict:
Malicious
Labled as:
TR/VBS.Obfuscated
Link:
https://www.hybrid-analysis.com/sample/191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926
Verdict:
Malicious
File Type:
html
Detections:
HEUR:Trojan.BAT.Cobalt.gen Trojan.PowerShell.Cobalt.sb PDM:Trojan.Win32.Generic Trojan.Win32.Shellcode.sb Backdoor.MSIL.Agent.sb Trojan-PSW.Win32.Xploder.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Stealerium.sb Trojan-PSW.MSIL.Discord.sb Trojan-PSW.MSIL.Agent.sb Trojan.Win32.HTA.a Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb
Link:
https://opentip.kaspersky.com/191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Discord
Link:
https://tip.neiki.dev/file/191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-19 11:06:11 UTC
File Type:
Text (Batch)
AV detection:
7 of 36 (19.44%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=deo5ob4znhglntqvkvqftpugor67m6rffpzhsbnoxoha5ab7teta._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
phantomstealer
Create hunting rule
Similar samples:
31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870
PhantomStealer
642f8c0b33d47dceb61578ba4edf88f76dddd501a8bb3f9e7057d4fdb32f6365
PhantomStealer
7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a
PhantomStealer
80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5
PhantomStealer
815b1ccf52d1f815f76b46b5a23f203dc80debafb39e1b6c95d9d19863a69828
PhantomStealer
865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17
PhantomStealer
b7534f156389d7a9fc56b628ca677bea08a0e6443c9b238f400120ec7c855699
PhantomStealer
c5830b1e211c745c7b6bfe70b95b1145a799b71409039f671c51bf425e4bfab3
PhantomStealer
error
PhantomStealer
fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0
PhantomStealer
+ 3'274 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:phantom_stealer collection defense_evasion discovery execution loader stealer
Link:
https://tria.ge/reports/260320-sdkjjahw8v/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Detects DonutLoader
Detects PhantomStealer written in C#
DonutLoader
Donutloader family
PhantomStealer
Phantom_stealer family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Batch (bat) bat 191dd7079969ccb6ce15556059be86747df67a252bf27905aebb8e0e803f9926

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58328/

Comments