MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dc5cb5f9bcaf3e517af1fd381c30fa2f924ea373d69a8eced85f0214a10f2cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5dc5cb5f9bcaf3e517af1fd381c30fa2f924ea373d69a8eced85f0214a10f2cc
SHA3-384 hash: 01829870180403f06f8dd661f1df3cb7a5995d46c12d0adcd3ec5c0da834e3f2cc418b99619b8a61ca9bb6c7adb1bb00
SHA1 hash: 09bcdc093fccc4a7b4c3894185199de2a9115789
MD5 hash: aee13aea3840a82bc25890b5d92b7d90
humanhash: football-nine-bacon-texas
File name:PhantomHack 2.0.0.exe
Download: download sample
File size:90'255'360 bytes
First seen:2026-03-16 20:46:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bf3f5698d1c8e5d8bbe8d194ac5d544 (1 x ScarfaceStealer)
ssdeep 786432:vAZqtFi3zQzwBs6vNtcZY5Dfw3pgPVlcmXW:vAZui3zQz2jOZKft
TLSH T18B187D03B3A705D5E8F7DA3196E65223A932BC066F3085DF324C17262F73AE05A76B51
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter burger
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
2'485
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/05bc5134-4960-43f2-a631-ee0e1d0620ef/
Malware family:
n/a
ID:
1
File name:
PhantomHack2.0.0.exe
Verdict:
Suspicious activity
Analysis date:
2026-03-16 20:45:47 UTC
Tags:
susp-powershell
Link:
https://app.any.run/tasks/a6638ec2-3292-4715-80e2-316d0afeb932

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b86c0993b644ca466abb8e
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Connection attempt to an infection source
Creating a file in the %temp% subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Win64.Downloader.oa
Link:
https://www.hybrid-analysis.com/sample/5dc5cb5f9bcaf3e517af1fd381c30fa2f924ea373d69a8eced85f0214a10f2cc
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan-Downloader.Win32.Paph.pho PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/5dc5cb5f9bcaf3e517af1fd381c30fa2f924ea373d69a8eced85f0214a10f2cc/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1884568
Signature
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1884568 Sample: PhantomHack 2.0.0.exe Startdate: 16/03/2026 Architecture: WINDOWS Score: 52 21 Suspicious powershell command line found 2->21 23 Encrypted powershell cmdline option found 2->23 25 Joe Sandbox ML detected suspicious sample 2->25 8 PhantomHack 2.0.0.exe 1 2->8         started        process3 process4 10 PhantomHack 2.0.0.exe 8->10         started        13 conhost.exe 8->13         started        signatures5 27 Suspicious powershell command line found 10->27 29 Encrypted powershell cmdline option found 10->29 15 tasklist.exe 1 10->15         started        17 powershell.exe 4 10->17         started        process6 process7 19 conhost.exe 15->19         started       
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5dc5cb5f9bcaf3e517af1fd381c30fa2f924ea373d69a8eced85f0214a10f2cc
Gathering data
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/5dc5cb5f9bcaf3e517af1fd381c30fa2f924ea373d69a8eced85f0214a10f2cc
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lxc4wx43zlz6kf5pd7jydqypul4sj2rxhvu2r3hnqxyccsqq6lga._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/260316-zk1yescw8r/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments