MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb
SHA3-384 hash: e2fd30e3c0cf85ed6bd90b5c08357fa6054f982260de75afdaf9862b70df82f5a202b92e1083efecaefa1e9a296c9d99
SHA1 hash: 8d9efed87dcaebd914928d2904d15361d39a509c
MD5 hash: 89d4d7ec62b1cb493ccbea52a358adc3
humanhash: oranges-uranus-romeo-magnesium
File name:KAREN FOOD AND CHEMICAL GROUP CO.,LTD.bat
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'569'792 bytes
First seen:2026-01-19 15:06:00 UTC
Last seen:2026-01-26 08:39:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:4u2m4TKKOCMtvvAXxpr0vP3x4nIHYZ5wbn5ihaboCuSVbnPgIqreL0p9/y:4Hm4TKKOCMtvoX70x4xZ5wr5ihqoCnb6
Threatray 293 similar samples on MalwareBazaar
TLSH T1517522553688DF13E8D613F41A70E77213796D99FA30D2038DFA6DAB3830F18A94478A
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter adrian__luca
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/ae12cbf9-9357-4bed-9e59-f27754b4b520/
Malware family:
n/a
ID:
1
File name:
KAREN FOOD AND CHEMICAL GROUP CO.,LTD.bat
Verdict:
Malicious activity
Analysis date:
2026-01-19 15:57:07 UTC
Tags:
auto-startup susp-lnk auto-reg crypto-regex phantom stealer ims-api generic telegram exfiltration evasion
Link:
https://app.any.run/tasks/8b7b6c49-0571-4cc0-8fba-5cac368a0afd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49405/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.2172.30406.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696e49f4f3cf908ba50663a1
Tags:
autorun shell msil sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated packed
Link:
https://www.filescan.io/uploads/696e48c6607e8377fadcfc8d/reports/51c9849a-c80f-49f1-925e-b51f7667f5d4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-19T05:00:00Z UTC
Last seen:
2026-01-21T07:04:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5172bc33-03ec-417a-aeac-39ddc50302c0
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.45 Win 32 Exe x86
Link:
https://app.malva.re/file/89d4d7ec62b1cb493ccbea52a358adc3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb/
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2026-01-19 11:44:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dyf3zksntm7uyfcocdnnn646zppga7r4jdbnggkbsx2wquxpr75q._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
0daa3fc7e8c657b4e98fbd3be6b56c2c8950224945c5d0d3c10c2e4967637dce
PhantomStealer
31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870
PhantomStealer
652a96c9a54fba5d57371552348acbcd596293f65195b45b782eed0727fdf727
PhantomStealer
815b1ccf52d1f815f76b46b5a23f203dc80debafb39e1b6c95d9d19863a69828
PhantomStealer
895ac52424ffd4290f510f68bcca67e4cefdb3243cefe2d2b88bb11160e41695
PhantomStealer
9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
PhantomStealer
db4ba887fbffce0421ef201fd572c3ce93e4d6ecdbd1c13e2707d1d02b2c4f65
PhantomStealer
dc60b3a787e014b5ed9ef2a3eb0d7b7d93ed800d0524a10d0eb8447d47b43926
PhantomStealer
error
PhantomStealer
fa4a8617c2f42af34d02ae881916a128ac30549f3c848fb4e72d37c8ee55aeb1
PhantomStealer
+ 283 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/260119-sj6nysfs2b/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8543844154:AAHYWoX50E14-68H75x5WHE4-wBEFiwLXlM/sendMessage?chat_id=7551105888
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d5d62510-d1b5-4061-9db7-177acd78307b
Unpacked files
SH256 hash:
1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb
MD5 hash:
89d4d7ec62b1cb493ccbea52a358adc3
SHA1 hash:
8d9efed87dcaebd914928d2904d15361d39a509c
Link:
https://www.unpac.me/results/661e0d28-3ceb-44cc-bb75-ab470b2546bc/
SH256 hash:
5dd7f41c2da3727b5a57bdd459fa97b434f117393e78c37b4a027105ee65d8be
MD5 hash:
4d407d9302593919153a4da8d90a8e11
SHA1 hash:
68d1db5660666b363038cf380caab328f0b7525f
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/661e0d28-3ceb-44cc-bb75-ab470b2546bc/
Parent samples :
d2ba4ff2e0b28f327c3990bcc6b214c214f89197dd5eac02641431e6c1d88f1c
be2142e2818d4df10efca8b223a823dae8dbcc0679e8e19a94fa9ae729c34273
1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb
3e4a68bdf48f606bad0af48e31d1776d5f5b82574d39cc320445f862d463a063
SH256 hash:
c9b626d1a698c62f0e817999c163c48cf03817621013a83a80afacaa0d980d4a
MD5 hash:
b2d41b9b418269f46ca5391f903d7c14
SHA1 hash:
7553a9a407417a23441a0097b8d4a741733e16b2
Detections:
phantom_stealer
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Link:
https://www.unpac.me/results/661e0d28-3ceb-44cc-bb75-ab470b2546bc/
SH256 hash:
54a40120f669bab0e911ecbfe757304bf43e44bfa8cd445105fa3dc08983b0f0
MD5 hash:
76e4d41099a18615d9268fbe34d3b891
SHA1 hash:
c05a760bf682e2781b343aa693463da4c9e4b045
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/661e0d28-3ceb-44cc-bb75-ab470b2546bc/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e0bbcaa4d9b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49405/

Comments