MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e
SHA3-384 hash: cf30d261f46ae5ecab22920fc0d1bb14edd9b6599f615d17cbd06d9ecb42717d421d7b5213250d668825691ce838e92b
SHA1 hash: 9437ae17a7500f3cbc541576b7dd8b62c69073c4
MD5 hash: c3e5dc1843662f0bc5e41b16f3fa052c
humanhash: delaware-yellow-nevada-kilo
File name:PR 1008710334 SDX700E.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:67'584 bytes
First seen:2025-10-20 22:09:21 UTC
Last seen:2025-11-06 10:58:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:rXtLE3+q3tsOjfy8qcyEAWchPfnhC+3i:rNcXy8qcyEADhxH3i
Threatray 157 similar samples on MalwareBazaar
TLSH T160632B29A7ACCE2FEB9E467041721501C770D2473613EB0BDE9890B9F82378916126FB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
78bb8cdc4495a8b1d121e1d52a25c8908da661192bfb9ecaaaafd6ebbf2424b8.zip
Verdict:
Malicious activity
Analysis date:
2025-10-20 22:10:57 UTC
Tags:
arch-exec purecrypter netreactor auto-startup stealer phantom crypto-regex evasion
Link:
https://app.any.run/tasks/c2d2fd9e-07d4-493c-8a38-87261bc313b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33537/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f6b3223edd081eba4028d7
Tags:
autorun virus overt micro
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/68f6b373fd2d7e012f4ba093/reports/f75c464a-9ceb-4ee7-906c-444437604cb6/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-20T06:34:00Z UTC
Last seen:
2025-10-21T20:03:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.MSIL.PureLogs.sb HEUR:Trojan-PSW.MSIL.PureLogs.gen
Link:
https://opentip.kaspersky.com/1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c181dae7-0281-4754-aa92-166fbfb5aa02
Result
Threat name:
Phantom stealer, PureLog Stealer, Resolv
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798716
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Drops VBS files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Phantom stealer
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1798716 Sample: PR 1008710334 SDX700E.exe Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 64 telemetry-incoming.r53-2.services.mozilla.com 2->64 66 services.addons.mozilla.org 2->66 68 14 other IPs or domains 2->68 90 Found malware configuration 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 Yara detected Phantom stealer 2->94 96 17 other signatures 2->96 9 PR 1008710334 SDX700E.exe 15 5 2->9         started        14 wscript.exe 2->14         started        16 firefox.exe 1 2->16         started        18 msedge.exe 2->18         started        signatures3 process4 dnsIp5 84 kg5n.com 176.117.76.20, 443, 49719, 49767 LURENET-ASUA Ukraine 9->84 56 C:\Users\user\AppData\Roaming\DATAID.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\Roaming\...\DATAID.vbs, ASCII 9->58 dropped 110 Found many strings related to Crypto-Wallets (likely being stolen) 9->110 112 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->112 114 Injects a PE file into a foreign processes 9->114 20 PR 1008710334 SDX700E.exe 10 13 9->20         started        116 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->116 24 DATAID.exe 14->24         started        26 firefox.exe 3 158 16->26         started        86 192.168.2.4, 138, 443, 49336 unknown unknown 18->86 88 239.255.255.250 unknown Reserved 18->88 118 Maps a DLL or memory area into another process 18->118 29 msedge.exe 18->29         started        31 setup.exe 18->31         started        33 msedge.exe 18->33         started        35 5 other processes 18->35 file6 signatures7 process8 dnsIp9 70 mail.taikei-rmc-co.biz 103.253.42.215, 49777, 587 TELE-ASTeleAsiaLimitedHK Hong Kong 20->70 72 icanhazip.com 104.16.185.241, 49775, 80 CLOUDFLARENETUS United States 20->72 98 Tries to steal Mail credentials (via file / registry access) 20->98 100 Tries to harvest and steal browser information (history, passwords, etc) 20->100 102 Writes to foreign memory regions 20->102 106 3 other signatures 20->106 37 msedge.exe 20->37         started        40 chrome.exe 20->40 injected 42 firefox.exe 1 20->42         started        52 2 other processes 20->52 104 Multi AV Scanner detection for dropped file 24->104 44 DATAID.exe 24->44         started        74 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49800, 49801, 80 GOOGLEUS United States 26->74 80 5 other IPs or domains 26->80 60 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 26->60 dropped 62 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 26->62 dropped 46 firefox.exe 26->46         started        48 firefox.exe 26->48         started        76 13.107.246.41, 443, 49768, 49769 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->76 78 part-0013.t-0009.fb-t-msedge.net 13.107.253.41, 443, 49746 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->78 82 35 other IPs or domains 29->82 50 setup.exe 31->50         started        file10 signatures11 process12 signatures13 108 Monitors registry run keys for changes 37->108 54 msedge.exe 37->54         started        process14
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.26 Win 32 Exe x86
Link:
https://app.malva.re/file/c3e5dc1843662f0bc5e41b16f3fa052c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e/
Verdict:
Malicious
Threat:
Family.PHANTOMSTEALER
Link:
https://tip.neiki.dev/file/1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-10-20 10:10:10 UTC
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2ilruiu5gp3jys7sp4bcihi6iwijbbyean7wtwnuv7mmhqjra7a._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
xenostealer
Create hunting rule
Similar samples:
167ff01b07259dbeeeee93d62e0836b60c51b8dfdc7898d507a25ab33acf4b60
PhantomStealer
39521ec09367a85986a7ed76a5c4010581a410531bd4a7db14ff9cc05b61cd99
PhantomStealer
78312d494163f791db289103a4cfbc4a072a0226e40c5825e3a9beb83f5d41b1
PhantomStealer
870bf76d2d0b8d4e3ebdcb71d15104343c2b4fdcefdb493e48bf6f9676fcdf05
PhantomStealer
979c210790a888cc219a2f44ddf6ec4ada7f1ddf527ce6e70fb1e96fc8f73508
PhantomStealer
error
PhantomStealer
f1cec63b046372dedf586d066be1dfe15fb07e3e6f40db03705e18f45d11b706
PhantomStealer
+ 147 additional samples on MalwareBazaar
Result
Malware family:
phantomstealer
Create hunting rule
Score:
  10/10
Tags:
family:phantomstealer collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/251020-123n1sem4v/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Phantomstealer family
Unpacked files
SH256 hash:
1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e
MD5 hash:
c3e5dc1843662f0bc5e41b16f3fa052c
SHA1 hash:
9437ae17a7500f3cbc541576b7dd8b62c69073c4
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/508de85f-3884-4fa6-9050-8c12c9e31ef4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 1e90b8d114e99fb4e25f93f81120e8f22c848438201bfb4ecda57ec61e09883e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33537/

Comments