MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24f3e4903ee1885f6c51ca44146ecc279cd58b98bda41b875eb3a58fe773cfd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24f3e4903ee1885f6c51ca44146ecc279cd58b98bda41b875eb3a58fe773cfd7
SHA3-384 hash: a477a7d2d7e819b105964d8fa660604b42ec225d5ddf94e951dfe777db3e402651ffdc5069272dac7020f3ad9e6c5f47
SHA1 hash: a4985d339e55259f79efafc66db35e6fea5d6597
MD5 hash: db00747c2a365d5ae27079bb0e06404f
humanhash: papa-carpet-three-football
File name:kvptoJiKEZ.vbs
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:3'156'671 bytes
First seen:2026-04-14 06:45:31 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/csv
ssdeep 192:bBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBK:lcXZ/vN
TLSH T133E5D9E94D584EFC97B9FEB72C22CD0BCA9472A6C60F54C9936EA55883327C504C43E9
Magika txt
Reporter abuse_ch
Tags:PhantomStealer vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61484/
Detection(s):
SecuriteInfo.com.VBS.Agent-106.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dde68ff68adfe100399cf9
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint obfuscated powershell
Link:
https://www.filescan.io/uploads/69dde687d920e19044fb0800/reports/add2f077-7f92-40fc-8847-e1c1f510b317/overview
Verdict:
Suspicious
Labled as:
VBS/Agent.CRE
Link:
https://www.hybrid-analysis.com/sample/24f3e4903ee1885f6c51ca44146ecc279cd58b98bda41b875eb3a58fe773cfd7
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-13T21:01:00Z UTC
Last seen:
2026-04-14T16:55:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb Trojan-Downloader.JS.Cryptoload.sb
Link:
https://opentip.kaspersky.com/24f3e4903ee1885f6c51ca44146ecc279cd58b98bda41b875eb3a58fe773cfd7/results?tab=lookup
Result
Threat name:
KeyLogger, Phantom stealer, Strela Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1897866
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Browser instances using unsafe startup parameters
Bypasses PowerShell execution policy
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897866 Sample: kvptoJiKEZ.vbs Startdate: 14/04/2026 Architecture: WINDOWS Score: 100 62 vault88x.secure-efficient2.su 2->62 64 icanhazip.com 2->64 66 Mail.privateemail.com 2->66 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus detection for URL or domain 2->90 92 12 other signatures 2->92 10 powershell.exe 14 15 2->10         started        14 wscript.exe 1 2 2->14         started        17 wscript.exe 1 2->17         started        19 svchost.exe 2->19         started        signatures3 process4 dnsIp5 72 vault88x.secure-efficient2.su 45.156.23.38, 443, 49681, 49687 CLOUDBACKBONERU Russian Federation 10->72 106 Found many strings related to Crypto-Wallets (likely being stolen) 10->106 108 Writes to foreign memory regions 10->108 110 Injects a PE file into a foreign processes 10->110 112 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->112 21 aspnet_compiler.exe 15 28 10->21         started        25 conhost.exe 10->25         started        60 C:\Users\PublicKMYAKrCRJ.vbs, CSV 14->60 dropped 114 Suspicious powershell command line found 14->114 116 Wscript starts Powershell (via cmd or directly) 14->116 118 Windows Shell Script Host drops VBS files 14->118 120 3 other signatures 14->120 27 powershell.exe 17->27         started        file6 signatures7 process8 dnsIp9 68 Mail.privateemail.com 198.54.122.135, 49757, 587 NAMECHEAP-NETUS United States 21->68 70 icanhazip.com 104.16.185.241, 49756, 80 CLOUDFLARENETUS United States 21->70 94 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->94 96 Tries to steal Mail credentials (via file / registry access) 21->96 98 Tries to harvest and steal browser information (history, passwords, etc) 21->98 104 5 other signatures 21->104 29 firefox.exe 2 21->29         started        31 msedge.exe 21->31         started        34 chrome.exe 21->34 injected 42 5 other processes 21->42 100 Writes to foreign memory regions 27->100 102 Injects a PE file into a foreign processes 27->102 36 conhost.exe 27->36         started        38 aspnet_compiler.exe 27->38         started        40 aspnet_compiler.exe 27->40         started        signatures10 process11 dnsIp12 44 firefox.exe 3 41 29->44         started        82 192.168.2.7, 138, 443, 49502 unknown unknown 31->82 84 239.255.255.250 unknown Reserved 31->84 48 msedge.exe 31->48         started        50 setup.exe 31->50         started        52 msedge.exe 31->52         started        54 msedge.exe 31->54         started        process13 dnsIp14 74 127.0.0.1 unknown unknown 44->74 122 Monitors registry run keys for changes 44->122 124 Installs a global keyboard hook 44->124 56 firefox.exe 44->56         started        76 a434.dscr.akamai.net 23.62.47.181, 443, 49695, 49699 TelefonicadelPeruSAAPE United States 48->76 78 13.107.213.40, 443, 49685, 49733 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 48->78 80 42 other IPs or domains 48->80 58 setup.exe 50->58         started        signatures15 process16
Score:
93%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/24f3e4903ee1885f6c51ca44146ecc279cd58b98bda41b875eb3a58fe773cfd7
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24f3e4903ee1885f6c51ca44146ecc279cd58b98bda41b875eb3a58fe773cfd7/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.Cryptoload
Link:
https://tip.neiki.dev/file/24f3e4903ee1885f6c51ca44146ecc279cd58b98bda41b875eb3a58fe773cfd7
Threat name:
Script-WScript.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-14 07:02:36 UTC
File Type:
Binary
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etz6jeb64gef63crzjcbi3wme6onlc4yxwsbxb26wosy7z3tz7lq._file
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence stealer
Link:
https://tria.ge/reports/260414-ht3d6sdy3p/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
Family: PhantomStealer
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24f3e4903ee1885f6c51ca44146ecc279cd58b98bda41b875eb3a58fe773cfd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61484/

Comments