MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59f27a81af2fcc95b2253835b2cb2341719fa850dcb158caf741b05ab4fa18e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash: 59f27a81af2fcc95b2253835b2cb2341719fa850dcb158caf741b05ab4fa18e4
SHA3-384 hash: faf988ec869530f78dd111c0bd866d177b5810e5b28385ca04ab5e75577da78ed1a68b1b7c4e1ab10527e97925f5118c
SHA1 hash: 5455a36ad582b33e855e5aa7dedca07eca278302
MD5 hash: c5d19dd5fb7f162c206ca78481bd1182
humanhash: michigan-maine-utah-video
File name:59f27a81af2fcc95b2253835b2cb2341719fa850dcb158caf741b05ab4fa18e4
Download: download sample
Signature PhantomStealer
File size:1'521'152 bytes
First seen:2026-05-08 12:43:21 UTC
Last seen:2026-06-08 08:51:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'116 x AgentTesla, 20'118 x Formbook, 12'357 x SnakeKeylogger)
ssdeep 24576:y8+v9jEXQ5oM+TDhi2s9MrXQVGLO941y2LxLA5UqGJN2J+gvcfkOUVAM:IvuXx51agQb4Y2LZA5U12Jv2P
Threatray 591 similar samples on MalwareBazaar
TLSH T1A8652214369CDA12E9A517F04AA5E77013B49C89A512C317CEFEBCFB7832B5A290C747
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe PhantomStealer

Intelligence


File Origin
# of uploads :
3
# of downloads :
71
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6980cac7ac51d96a5f8b396805d483246ff18a140da95589b3a43a095378a73f.zip
Verdict:
Malicious activity
Analysis date:
2026-04-08 11:32:15 UTC
Tags:
arch-exec auto-startup stealer phantom crypto-regex evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Tags:
redline emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP GET request
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-08T04:31:00Z UTC
Last seen:
2026-05-10T10:02:00Z UTC
Hits:
~1000
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Status:
Malicious
First seen:
2026-04-08 10:10:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Result
Malware family:
phantom_stealer
Score:
  10/10
Tags:
family:phantom_stealer collection discovery persistence stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Detects PhantomStealer written in C#
Family: PhantomStealer
Unpacked files
SH256 hash:
59f27a81af2fcc95b2253835b2cb2341719fa850dcb158caf741b05ab4fa18e4
MD5 hash:
c5d19dd5fb7f162c206ca78481bd1182
SHA1 hash:
5455a36ad582b33e855e5aa7dedca07eca278302
SH256 hash:
5aa4f0275dcabc77a16c8d5e92bfe0ae51eb1c42a72387b224032da8e06649b4
MD5 hash:
68c7b60e7344728d710f6f94d7331618
SHA1 hash:
31ecaada304bd6e71c7bc1966bdb7b6aad556a34
SH256 hash:
8edbb28bdd121f23e0432e65d2412cb93e276816bc3b634e78d14ab0931b58e6
MD5 hash:
b21240dda9368aebe4fdd0e03df43503
SHA1 hash:
9802050d6d6ddbcfdc6dd02d9c8a9e1e1763ab0e
Malware family:
PhantomStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments