MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94
SHA3-384 hash: 3ad86c648c9a66fd6a732fd2894e1dc26a3aa8c4a01b9a5d6f63bbd69e9be5f6765b55639d26405322c7aa6dcf769dc9
SHA1 hash: 53aa5831208356eabb8022f960b846e9eca5c272
MD5 hash: e893aebfc77429dbfce5e0fd2a312f0d
humanhash: friend-diet-december-bluebird
File name:KAI-057 25 FOR CMP CHARGES INVOICE.7z
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'174'413 bytes
First seen:2025-09-25 08:05:31 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
ssdeep 24576:rziE6Xd3QZJ8cAHX537XglH5sU8c03q8cerkznzvPUsJvKA:f6XmZJT0UV03qFnzL
TLSH T11F453373A4506351F0D3F55DE664972E08F6EBB48183A1EF2D62CE6618CAC00ABF5D4E
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Magika sevenzip
Reporter cocaman
Tags:7z INVOICE PhantomStealer


Avatar
cocaman
Malicious email (T1566.001)
From: "minmin khing <minminkhing78@gmail.com>" (likely spoofed)
Received: "from [196.251.85.89] (192-200-158-132.phx.as13926.net [192.200.158.132]) "
Date: "24 Sep 2025 16:13:41 -0700"
Subject: "PO KAI-057/ 25 FOR CMP CHARGES"
Attachment: "KAI-057 25 FOR CMP CHARGES INVOICE.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:KAI-057 25 FOR CMP CHARGES INVOICE.exe
File size:1'304'584 bytes
SHA256 hash: b5e1c67dee17674abd3bb018b8cc80fc8c7524261f905a24ee38f341a382adba
MD5 hash: d3748f7cb99d9d8ad8bda106fa6c6523
MIME type:application/x-dosexec
Signature PhantomStealer
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d54e41cc9425144151df77
Tags:
infosteal redline emotet
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 bitmap expired-cert invalid-signature lolbin masquerade msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks signed stego telegram vbc
Link:
https://www.filescan.io/uploads/68d4f87374e5a28989928ba9/reports/c75a8e72-90cb-46e2-8f91-769e68bb295f/overview
Verdict:
Suspicious
Labled as:
Mal/Drod7zip
Link:
https://www.hybrid-analysis.com/sample/2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94
Verdict:
Malicious
File Type:
7z
First seen:
2025-09-24T10:52:00Z UTC
Last seen:
2025-09-24T10:52:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94/results?tab=lookup
Score:
93%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
.Net 7z Archive Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SFX 7z SOS: 0.16
Link:
https://app.malva.re/file/e893aebfc77429dbfce5e0fd2a312f0d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-09-25 08:05:34 UTC
File Type:
Binary (Archive)
Extracted files:
34
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fpicylo5oewcv6a7upyfe2ihxma2r3aqswypbme6kjutaiecxkka._file
Result
Malware family:
phantomstealer
Create hunting rule
Score:
  10/10
Tags:
family:phantomstealer collection defense_evasion discovery execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/250925-j1cyjatxev/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Phantomstealer family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win32_dotnet_form_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET form obfuscate malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

7z 2bd02c2ddd712c2af81fa3f0526907bb01a8ec1095b0f0b09e5269302082ba94

(this sample)

PhantomStealer

Executable exe b5e1c67dee17674abd3bb018b8cc80fc8c7524261f905a24ee38f341a382adba

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b5e1c67dee17674abd3bb018b8cc80fc8c7524261f905a24ee38f341a382adba
  
Dropping
MD5 d3748f7cb99d9d8ad8bda106fa6c6523

Comments