MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f7d170b16f656a4bd09f5e1b8606eab8b8a5381a1230e2a716a01cc837c73f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	4f7d170b16f656a4bd09f5e1b8606eab8b8a5381a1230e2a716a01cc837c73f6
SHA3-384 hash:	c0a7e03460c589412bfbc6cf55ad3b0a48cec814c16ea140c52255b7ffbf518ae33ef99eaf43ed6dcdaa81130df444a1
SHA1 hash:	9fbc359d8cf4d07c86c3b809d01c4c4d7802b639
MD5 hash:	f5612d481fc9e8c4a2b7ee7eb70c4dbb
humanhash:	eighteen-rugby-lake-paris
File name:	rail.ps1
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'044'963 bytes
First seen:	2026-04-23 02:46:37 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	24576:rD0/VEeDQaxRbYV+aBJsIpjW+yaZYxb/NYdHpFWDoGeW:grlaBjQXyWopk
Threatray	492 similar samples on MalwareBazaar
TLSH	T1C72523508C082D7E476C8318783F3B7BEF66A751B44A978E95ECF86A213DB507A4352C
Magika	powershell
Reporter	BastianHein
Tags:	PhantomStealer ps1

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69e988414aed15d0792f4f77

Tags:

emotet spam

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

aes base64 crypto encrypted obfuscated powershell

Link:

https://www.filescan.io/uploads/69e9883e8a82359247ad8eab/reports/90c7f0a9-c451-4b86-b047-4c694010c62e/overview

Verdict:

Suspicious

Labled as:

PowerShell/TrojanDropper.Agent

Link:

https://www.hybrid-analysis.com/sample/4f7d170b16f656a4bd09f5e1b8606eab8b8a5381a1230e2a716a01cc837c73f6

Verdict:

Clean

File Type:

ps1

First seen:

2026-04-20T01:07:00Z UTC

Last seen:

2026-04-23T04:49:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/4f7d170b16f656a4bd09f5e1b8606eab8b8a5381a1230e2a716a01cc837c73f6/results?tab=lookup

Score:

92%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4f7d170b16f656a4bd09f5e1b8606eab8b8a5381a1230e2a716a01cc837c73f6

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f7d170b16f656a4bd09f5e1b8606eab8b8a5381a1230e2a716a01cc837c73f6/

Verdict:

Malicious

Threat:

Family.DONUTLOADER

Link:

https://tip.neiki.dev/file/4f7d170b16f656a4bd09f5e1b8606eab8b8a5381a1230e2a716a01cc837c73f6

Threat name:

Script-PowerShell.Trojan.Qwexlafiba

Status:

Malicious

First seen:

2026-04-23 02:47:33 UTC

File Type:

Text (PowerShell)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j56rocyw6zlkjpij6xq3qydovofyuu4buerq4ktrnia4za34op3a._file

Verdict:

malicious

Label(s):

donutloader

phantomstealer

PhantomStealer

31586b671da3dcc7ffe05d33b4b64880a6f37cf24c238f3bd3f7664363d7d473

PhantomStealer

414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456

PhantomStealer

642f8c0b33d47dceb61578ba4edf88f76dddd501a8bb3f9e7057d4fdb32f6365

PhantomStealer

6e077e8b2d9fc9a2e9ea4f10a541d43835a0db3951061b32975ffa0ef064554f

PhantomStealer

80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5

PhantomStealer

c5830b1e211c745c7b6bfe70b95b1145a799b71409039f671c51bf425e4bfab3

PhantomStealer

c93d148643e65e890a5a65c214927c7e8278fbb176da22b408f29909a7564514

PhantomStealer

dbbb1c1ad17996d18e3e28537e0188b204657e87b8cb495e05bdb36c75cae466

PhantomStealer

error

PhantomStealer

fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0

PhantomStealer

+ 482 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:donutloader family:phantom_stealer collection discovery execution loader stealer

Link:

https://tria.ge/reports/260423-c9186ahs2w/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Command and Scripting Interpreter: PowerShell

System Time Discovery

Drops file in Windows directory

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Detects DonutLoader

Detects PhantomStealer written in C#

Family: DonutLoader

Family: PhantomStealer

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f7d170b16f656a4bd09f5e1b8606eab8b8a5381a1230e2a716a01cc837c73f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample