MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c65e34c3bd83ea0263a134f897629d7c19a4566bfd109a41ff33ada43dc2584. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 28 File information Comments

SHA256 hash: 2c65e34c3bd83ea0263a134f897629d7c19a4566bfd109a41ff33ada43dc2584
SHA3-384 hash: 0778650a8c7498981ad0975f1b37b77054a5e220aa00dc8a08395f9233b9af854ca26c10413dadf6b3b80b9d3e94bd1f
SHA1 hash: e580684906d8419e0ae7fe4616a43461a22aea39
MD5 hash: 846d5ca31c478f213b03229cbe3df74d
humanhash: nine-failed-robin-delta
File name:2c65e34c3bd83ea0263a134f897629d7c19a4566bfd109a41ff33ada43dc2584
Download: download sample
Signature PhantomStealer
File size:763'904 bytes
First seen:2026-07-15 13:57:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'116 x AgentTesla, 20'118 x Formbook, 12'357 x SnakeKeylogger)
ssdeep 12288:X9CU0fce5KCjMppy3OzQdyBxjbCFroh3l+C6E0+:X9CFTJMpy3OzQdyXbCFQl+CN0+
TLSH T1CFF47C28B3F405A4F1FF9B75D4B18522CA71B84B9A34CB8F1598829E0E737919D34B63
TrID 60.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win64 Executable (generic) (6522/11/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter JAMESWT_WT
Tags:exe PhantomStealer studiogioeli-it

Intelligence


File Origin
# of uploads :
1
# of downloads :
165
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Tags:
ransomware dropper emotet smtp
Verdict:
Malicious
Labled as:
Dump:Generic.Trojan.TangoStealer.Marte.A
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-15T01:27:00Z UTC
Last seen:
2026-07-15T02:01:00Z UTC
Hits:
~10
Gathering data
Threat name:
ByteCode-MSIL.Trojan.DmpBrowserSec
Status:
Malicious
First seen:
2026-07-15 13:59:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
phantomstealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection credential_access discovery spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Browser Information Discovery
Accesses Microsoft Outlook profiles
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses browser remote debugging
Unpacked files
SH256 hash:
2c65e34c3bd83ea0263a134f897629d7c19a4566bfd109a41ff33ada43dc2584
MD5 hash:
846d5ca31c478f213b03229cbe3df74d
SHA1 hash:
e580684906d8419e0ae7fe4616a43461a22aea39
Detections:
triage_net_infostealer_wsh triage_vidar_infostealer
SH256 hash:
c934a2db58a1a64ee245a7627843508c6c517fcb06ea6855d26a72b41ae6753b
MD5 hash:
0e51138ef195ac755f052babb761a1e7
SHA1 hash:
3c7bbeabc56110d3463e6002cd0ff5c9a168d64b
SH256 hash:
b0935270bc8ed6d31c5352c49a8f5d7cbe62457133fe1cf7effeeeb1440e9ce0
MD5 hash:
f8c81aac564cf5834e602553a19c17a0
SHA1 hash:
bee29ea3fe90c45bab11b2bf941fbbcbc6acbbf9
Malware family:
PhantomStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM names
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM usernames
Rule name:Macos_Infostealer_Wallets_8e469ea0
Author:Elastic Security
Rule name:malware_PhantomStealer
Author:JPCERT/CC Incident Response Group
Description:phantom stealer
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments