MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fe20f1ffd40e292837f4401f094e9d830874ae46f7a036ec66d5e720edf18a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash: 1fe20f1ffd40e292837f4401f094e9d830874ae46f7a036ec66d5e720edf18a9
SHA3-384 hash: 52a33d49862e0c53cab91c9d04946bab2788b667d776287bf3a88c8afe56a3f14ed7210c0b03c512586aeaadc3c41d19
SHA1 hash: 63dfc5458f99bb43dfeaef8a85c604cc2a6c6d11
MD5 hash: edefb837396016425b7d44db6ad54658
humanhash: cardinal-vermont-idaho-uniform
File name:FİYAT TEKLİF _Ramadan PO_NETES Mühendislik ve Dış Tic. A.Ş_P1.bat
Download: download sample
Signature PhantomStealer
File size:1'499'136 bytes
First seen:2026-06-04 14:38:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'081 x AgentTesla, 20'056 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:E15pHJqGicVY6NyzBU189M4cBKvFQQ/Z+H9pbBnLijVJS8qxYJhjK9WyiWXxQP:EtpqGMeGSyS4cBiWQ/Z8vVOjVIuJhjKK
Threatray 488 similar samples on MalwareBazaar
TLSH T1FA65235C02299107E9F61B304713E2B067376EEEA911E42B9BE93EBFB65B6F51121301
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 74fcc4c4ccd4f0d4 (1 x PhantomStealer, 1 x PureLogsStealer)
Reporter abuse_ch
Tags:bat exe geo PhantomStealer TUR

Intelligence


File Origin
# of uploads :
1
# of downloads :
150
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FYATTEKLF_RamadanPO_NETESMhendislikveDTic.A._P1.bat.exe
Verdict:
Malicious activity
Analysis date:
2026-06-04 14:41:37 UTC
Tags:
auto-reg phantom stealer ip-check evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
micro spam msil sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-03T03:01:00Z UTC
Last seen:
2026-06-06T01:45:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.PowerShell.gen
Result
Threat name:
KeyLogger, Phantom stealer
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for URL or domain
Browser instances using unsafe startup parameters
Bypasses PowerShell execution policy
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Executable File Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923060 Sample: F#U0130YAT TEKL#U0130F _Ram... Startdate: 04/06/2026 Architecture: WINDOWS Score: 100 77 mail.prensiptur.com 2->77 79 youtube-ui.l.google.com 2->79 81 77 other IPs or domains 2->81 93 Suricata IDS alerts for network traffic 2->93 95 Found malware configuration 2->95 97 Antivirus detection for URL or domain 2->97 99 27 other signatures 2->99 9 F#U0130YAT TEKL#U0130F _Ramadan PO_NETES M#U00fchendislik ve D#U0131#U015f Tic. A.#U015e_P1.bat.exe 1 7 2->9         started        13 powershell.exe 2->13         started        15 firefox.exe 1 2->15         started        17 6 other processes 2->17 signatures3 process4 file5 69 C:\Users\user\AppData\Roaming\HHyVXvtJA.exe, PE32 9->69 dropped 71 C:\Users\...\HHyVXvtJA.exe:Zone.Identifier, ASCII 9->71 dropped 73 C:\Users\user\AppData\...\feaesccx2tf.ps1, ASCII 9->73 dropped 75 F#U0130YAT TEKL#U0...015e_P1.bat.exe.log, ASCII 9->75 dropped 119 Found many strings related to Crypto-Wallets (likely being stolen) 9->119 121 Creates autostart registry keys with suspicious values (likely registry only malware) 9->121 123 Creates multiple autostart registry keys 9->123 127 2 other signatures 9->127 19 F#U0130YAT TEKL#U0130F _Ramadan PO_NETES M#U00fchendislik ve D#U0131#U015f Tic. A.#U015e_P1.bat.exe 26 14 9->19         started        24 powershell.exe 23 9->24         started        26 HHyVXvtJA.exe 13->26         started        28 conhost.exe 13->28         started        30 firefox.exe 3 431 15->30         started        125 Injects a PE file into a foreign processes 17->125 32 HHyVXvtJA.exe 17->32         started        34 msedge.exe 17->34         started        36 F#U0130YAT TEKL#U0130F _Ramadan PO_NETES M#U00fchendislik ve D#U0131#U015f Tic. A.#U015e_P1.bat.exe 17->36         started        38 3 other processes 17->38 signatures6 process7 dnsIp8 83 mail.prensiptur.com 37.247.114.169, 49702, 587 BKVG-ASDE Turkey 19->83 85 icanhazip.com 104.16.185.241, 49701, 80 CLOUDFLARENET-CloudflareIncUS Canada 19->85 61 F#U0130YAT TEKL#U0...A.#U015e_P1.bat.exe, PE32 19->61 dropped 63 F#U0130YAT TEKL#U0...exe:Zone.Identifier, ASCII 19->63 dropped 101 Tries to steal Mail credentials (via file / registry access) 19->101 103 Creates autostart registry keys with suspicious names 19->103 105 Creates multiple autostart registry keys 19->105 113 6 other signatures 19->113 40 msedge.exe 19->40         started        43 chrome.exe 19->43 injected 45 firefox.exe 1 19->45         started        55 2 other processes 19->55 107 Loading BitLocker PowerShell Module 24->107 47 conhost.exe 24->47         started        109 Multi AV Scanner detection for dropped file 26->109 111 Injects a PE file into a foreign processes 26->111 49 HHyVXvtJA.exe 26->49         started        87 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49699, 49700, 49706 GOOGLE-CLOUD-PLATFORM-GoogleLLCUS United States 30->87 89 push.services.mozilla.com 34.107.243.93, 443, 49724, 49729 GOOGLE-CLOUD-PLATFORM-GoogleLLCUS United States 30->89 91 11 other IPs or domains 30->91 65 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 30->65 dropped 67 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 30->67 dropped 51 firefox.exe 30->51         started        57 4 other processes 30->57 53 HHyVXvtJA.exe 32->53         started        file9 signatures10 process11 signatures12 115 Monitors registry run keys for changes 40->115 117 Installs a global keyboard hook 40->117 59 msedge.exe 40->59         started        process13
Gathering data
Threat name:
ByteCode-MSIL.Trojan.MassLogger
Status:
Malicious
First seen:
2026-06-03 12:47:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Result
Malware family:
phantom_stealer
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
Family: PhantomStealer
Unpacked files
SH256 hash:
1fe20f1ffd40e292837f4401f094e9d830874ae46f7a036ec66d5e720edf18a9
MD5 hash:
edefb837396016425b7d44db6ad54658
SHA1 hash:
63dfc5458f99bb43dfeaef8a85c604cc2a6c6d11
SH256 hash:
ba3bb5433b151b315f96c185fb6852b05b9b20ae4830eea30b03634c23d2fc43
MD5 hash:
80293bac25f15448e295846f33dbb318
SHA1 hash:
c46a01a66f02f49c2919ee5980facb626ab17535
SH256 hash:
1250b55a35a1e7ec8ea25b97c05629000152fd1802200801ed44819547f4b403
MD5 hash:
256abb82e81c31c9d2ff51ce8aeaddbf
SHA1 hash:
c5fd41631088f1a7701793fac986f8a0e9dd6940
Malware family:
PhantomStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments