MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fbf34544585fd88106ff326329502bc0d2d65f7d380c7cc810d076428e8a7c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments

SHA256 hash: 5fbf34544585fd88106ff326329502bc0d2d65f7d380c7cc810d076428e8a7c5
SHA3-384 hash: f491b0180eb0d5709cd438e718e102e5ce57c75769b67d869074796918b4330b775988e102768cccf23ab250370bb4bb
SHA1 hash: 99f11783838f5fae87f43e1e6394464c99076134
MD5 hash: e8438d34874bf5207016c01472087b4f
humanhash: double-princess-vegan-fourteen
File name:RFQ-RFP-000000182718 PCDSB 160626- 1159.js
Download: download sample
Signature PhantomStealer
File size:30'441 bytes
First seen:2026-06-15 20:37:03 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:0fyVeG3wdBKimZRc5pHhpQbxQ9610l7CFJSc:QnA1ZLxQ96y7cUc
TLSH T18BD270C937D5B4644323BC3B7E6BB2E6E16D8CC8BA5C9444FBA5708AFC24708C925758
Magika javascript
Reporter abuse_ch
Tags:js PhantomStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
155
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
81.4%
Tags:
vmdetect keylog shell word
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive obfuscated repaired
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.Nemucod
Verdict:
Malicious
File Type:
js
First seen:
2026-06-14T23:37:00Z UTC
Last seen:
2026-06-17T16:31:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.Agent.HTTP.C&C PDM:Trojan.Win32.Generic Trojan-Downloader.JS.SLoad.sb HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic Trojan-PSW.Fareit.HTTP.C&C
Result
Threat name:
KeyLogger, Phantom stealer
Detection:
malicious
Classification:
evad.troj.spyw.expl
Score:
100 / 100
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for URL or domain
Browser instances using unsafe startup parameters
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Potential obfuscated javascript found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Generic JS Downloader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1928420 Sample: RFQ-RFP-000000182718 PCDSB ... Startdate: 16/06/2026 Architecture: WINDOWS Score: 100 63 mozilla.map.fastly.net 2->63 65 mail.wusb.com.my 2->65 67 29 other IPs or domains 2->67 95 Suricata IDS alerts for network traffic 2->95 97 Found malware configuration 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 14 other signatures 2->101 12 wscript.exe 1 16 2->12         started        signatures3 process4 dnsIp5 87 hikmah69.net 38.54.125.82, 443, 49745 KAOPU-HKKaopuCloudHKLimitedHK Malaysia 12->87 59 C:\Users\user\AppData\Local\...\stuba[1].ps1, ASCII 12->59 dropped 61 C:\Temp\6FFMFSGK.ps1, ASCII 12->61 dropped 117 System process connects to network (likely due to code injection or exploit) 12->117 119 JScript performs obfuscated calls to suspicious functions 12->119 121 Wscript starts Powershell (via cmd or directly) 12->121 123 4 other signatures 12->123 17 powershell.exe 16 12->17         started        file6 signatures7 process8 signatures9 91 Writes to foreign memory regions 17->91 93 Injects a PE file into a foreign processes 17->93 20 aspnet_compiler.exe 15 15 17->20         started        24 conhost.exe 17->24         started        process10 dnsIp11 69 mail.wusb.com.my 110.4.45.24, 50043, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 20->69 71 icanhazip.com 104.16.184.241, 50042, 80 CLOUDFLARENET-CloudflareIncUS Canada 20->71 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->103 105 Tries to steal Mail credentials (via file / registry access) 20->105 107 Tries to harvest and steal browser information (history, passwords, etc) 20->107 109 7 other signatures 20->109 26 msedge.exe 20->26         started        29 chrome.exe 1 20->29         started        32 msedge.exe 20->32         started        34 20 other processes 20->34 signatures12 process13 dnsIp14 111 Monitors registry run keys for changes 26->111 113 Maps a DLL or memory area into another process 26->113 115 Installs a global keyboard hook 26->115 36 msedge.exe 26->36         started        39 msedge.exe 26->39         started        89 192.168.11.30, 138, 443, 49249 unknown unknown 29->89 41 chrome.exe 29->41         started        43 setup.exe 32->43         started        45 msedge.exe 32->45         started        47 msedge.exe 32->47         started        51 10 other processes 32->51 49 firefox.exe 34->49         started        signatures15 process16 dnsIp17 73 150.171.109.101, 443, 49961, 49976 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS South Africa 36->73 75 mr-b01.tm-azurefd.net 150.171.109.184, 443, 49889 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS South Africa 36->75 81 28 other IPs or domains 36->81 83 2 other IPs or domains 41->83 53 setup.exe 43->53         started        55 setup.exe 43->55         started        77 150.171.109.100, 443, 49875, 49985 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS South Africa 45->77 85 26 other IPs or domains 45->85 79 127.0.0.1 unknown unknown 49->79 process18 process19 57 setup.exe 53->57         started       
Gathering data
Threat name:
Script.Trojan.Heuristic
Status:
Malicious
First seen:
2026-06-15 04:26:20 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 36 (22.22%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
execution
Behaviour
Command and Scripting Interpreter: JavaScript
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments