MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54887612a8a297607916955b89d19e2d50dbbdcec96352804d005166e63d8be8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhoenixStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54887612a8a297607916955b89d19e2d50dbbdcec96352804d005166e63d8be8
SHA3-384 hash: dd8ac0f00cee716bbf1b51bf53279034c512eca0de39e7ecb7f8b02cac77656bf775ba5cf7972bce9790f4e12b7c6112
SHA1 hash: 9633e4bdd852c00c2d692a7b36fe5f27f313a01d
MD5 hash: e1c509bb8843553cf09c2af31446a0f8
humanhash: finch-florida-magnesium-seven
File name:Purchase Order Number 4500013967.js
Download: download sample
Signature PhoenixStealer
Create hunting rule
File size:882'816 bytes
First seen:2026-06-08 09:09:20 UTC
Last seen:2026-06-08 10:50:03 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:X4tUvlBuJrm9vVW0Ae84SuzxqD+1ynO+LmB2lAa2fXcOdgGinxdq6Sd99NqUXEkI:hHvVg
Threatray 122 similar samples on MalwareBazaar
TLSH T19315F72EDC64423EF032C51CC596481FF896698B532CEE5721C2278F5EA384677D27AE
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika javascript
Reporter lowmal3
Tags:js PhoenixStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Rogue.0hr.20260608-0237.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2686da3e9eff6a6b68b71d
Tags:
infosteal rapid
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
conhost masquerade obfuscated powershell repaired
Link:
https://www.filescan.io/uploads/6a2686cd8161ac6cb55ca6c0/reports/a5626652-d7d9-4dc0-91a0-07dd8e5984b6/overview
Verdict:
Malicious
Labled as:
JS/Agent.URO trojan
Link:
https://www.hybrid-analysis.com/sample/54887612a8a297607916955b89d19e2d50dbbdcec96352804d005166e63d8be8
Verdict:
Malicious
File Type:
js
First seen:
2026-06-07T21:19:00Z UTC
Last seen:
2026-06-08T05:58:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/54887612a8a297607916955b89d19e2d50dbbdcec96352804d005166e63d8be8/results?tab=lookup
Result
Threat name:
RDPWrap Tool, Clipboard Hijacker, Phoeni
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1924320
Signature
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to access browser extension known for cryptocurrency wallets
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Yara detected Phoenix Stealer
Yara detected RDPWrap Tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1924320 Sample: Purchase Order Number 45000... Startdate: 08/06/2026 Architecture: WINDOWS Score: 100 30 ip-api.com 2->30 32 i.postimg.cc 2->32 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected Generic Stealer 2->52 54 6 other signatures 2->54 10 wscript.exe 1 1 2->10         started        signatures3 process4 signatures5 56 JScript performs obfuscated calls to suspicious functions 10->56 58 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->58 60 Suspicious execution chain found 10->60 62 WScript reads language and country specific registry keys (likely country aware script) 10->62 13 conhost.exe 10->13         started        process6 process7 15 powershell.exe 15 33 13->15         started        dnsIp8 34 2.27.62.140, 4449, 49728 VPSLAB-NETWORKSID Germany 15->34 36 ip-api.com 208.95.112.1, 49727, 80 TUT-AS-TotalUptimeTechnologiesLLCUS United States 15->36 38 i.postimg.cc 162.251.63.43, 443, 49715, 49722 AS-GLOBALTELEHOST-GTHostUS United States 15->38 26 C:\Users\user\AppData\...\places.sqlite-shm, data 15->26 dropped 28 C:\Users\user\AppData\...\cookies.sqlite-shm, data 15->28 dropped 40 Creates an undocumented autostart registry key 15->40 42 Contains functionality to start a terminal service 15->42 44 Contains functionality to hide user accounts 15->44 46 7 other signatures 15->46 20 chrome.exe 1 15->20         started        22 msedge.exe 3 15->22         started        file9 signatures10 process11 process12 24 chrome.exe 20->24         started       
Score:
72%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/54887612a8a297607916955b89d19e2d50dbbdcec96352804d005166e63d8be8
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54887612a8a297607916955b89d19e2d50dbbdcec96352804d005166e63d8be8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ksehmeviuklwa6iwsvnytum6fvinxpoozfrvfacnabiwnzr5rpua._file
Verdict:
malicious
Label(s):
stubrunner
Create hunting rule
Similar samples:
03b9d024bbfa55f9e7dd65afab96792effe79f17b1b642b4b88ddeb07a824339
PhoenixStealer
0de6482c69377a127b91aa9c28d24981b656be44a9181a83c5b014a933987216
PhoenixStealer
2d7b52fa15022f97a866b631885d8789f4014cb254e5aa5e2711c8b6bfffe90b
PhoenixStealer
5f28446e9b5e1b6b8320defead4656909251cece99359838f1f094f6bd593944
PhoenixStealer
856c1fe349ab6a3cee2782f02b18e38c56e12b9c32778356d31efd2a52b4945b
PhoenixStealer
8765a68285521845c3c82b3ed49cd5fcec5fa099f557dd735f231c9f2c7af410
PhoenixStealer
ea56213fa9cddb08dae3b254c36665d44991f57dace4afe578c1c8f0079187af
PhoenixStealer
eba13078dea9e803b9120a45cd0dfad589f1defdf0f86fe84ae77fe63fff5300
PhoenixStealer
error
PhoenixStealer
+ 112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution persistence
Link:
https://tria.ge/reports/260608-k4rfrsbx3t/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54887612a8a297607916955b89d19e2d50dbbdcec96352804d005166e63d8be8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhoenixStealer

Java Script (JS) js 54887612a8a297607916955b89d19e2d50dbbdcec96352804d005166e63d8be8

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments