MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43
SHA3-384 hash: db5db39535b1177013726a5c16585493f7b9f8a4225c79b728db92b9f1099d556ecd785f62cd921608a9c99cb361678c
SHA1 hash: 26761fa22163fbc940246a9ab654f3158896669b
MD5 hash: 50f3dc2a904d9b18ea1ae944d3a2d200
humanhash: skylark-spring-autumn-uranus
File name:Payment Copy of US$ 75,162.57,.bat
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:418'828 bytes
First seen:2026-02-04 01:03:31 UTC
Last seen:2026-02-04 01:22:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (541 x GuLoader, 115 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:fQ606xV8H+lc7SGd7UQVk8ffdC7UpfqjQWNOLAw1q/OXpgKhWyjE8K8boaql:UecGGRUik8ffdCCw2k/IPWX8KHaw
TLSH T15B94E1003281E947CEED06B449AF82FE4EB6AE7B99828F57F280F75E7C752C57924144
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
CH CH
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/36d1a3f0-465d-4917-89b9-ec42053cd8d9/
Malware family:
n/a
ID:
1
File name:
_6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43.exe
Verdict:
Malicious activity
Analysis date:
2026-02-04 01:05:04 UTC
Tags:
phantom stealer crypto-regex auto-reg ims-api generic telegram evasion
Link:
https://app.any.run/tasks/11c841bf-3b52-467f-82db-9bf6391371d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51592/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69829b109a60ec70d92c9876
Tags:
injection obfusc virus nsis
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Labled as:
Trojan.VTYZ
Link:
https://www.hybrid-analysis.com/sample/6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-04T00:59:00Z UTC
Last seen:
2026-02-04T23:13:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba HEUR:Trojan.NSIS.GuLoader.gen HEUR:Trojan.Win32.Makoob.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealerium.sb HEUR:Trojan.Win32.GuLoader.gen
Link:
https://opentip.kaspersky.com/6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/07be3ace-1be6-44b4-ada9-0f5e31d6f415
Result
Threat name:
GuLoader, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1862938
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Downloads suspicious files via Chrome
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious ZIP file
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Suspicious Executable File Creation
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected GuLoader
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1862938 Sample: Payment Copy of US$ 75,162.... Startdate: 04/02/2026 Architecture: WINDOWS Score: 100 78 api.telegram.org 2->78 80 youtube-ui.l.google.com 2->80 82 54 other IPs or domains 2->82 110 Suricata IDS alerts for network traffic 2->110 112 Multi AV Scanner detection for dropped file 2->112 114 Multi AV Scanner detection for submitted file 2->114 118 13 other signatures 2->118 9 Payment Copy of US$ 75,162.57,.bat.exe 1 33 2->9         started        13 Payment Copy of US$ 75,162.57,.bat.exe 23 2->13         started        15 msedge.exe 2->15         started        18 2 other processes 2->18 signatures3 116 Uses the Telegram API (likely for C&C communication) 78->116 process4 dnsIp5 68 C:\Users\user\AppData\Local\...\System.dll, PE32 9->68 dropped 132 Hijacks the control flow in another process 9->132 134 Found direct / indirect Syscall (likely to bypass EDR) 9->134 20 Payment Copy of US$ 75,162.57,.bat.exe 21 20 9->20         started        25 Payment Copy of US$ 75,162.57,.bat.exe 9->25         started        70 C:\Users\user\AppData\Local\...\System.dll, PE32 13->70 dropped 27 Payment Copy of US$ 75,162.57,.bat.exe 13->27         started        29 Payment Copy of US$ 75,162.57,.bat.exe 13->29         started        106 part-0012.t-0009.t-msedge.net 13.107.213.40, 443, 49781, 50974 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->106 108 239.255.255.250, 1900 unknown Reserved 15->108 72 C:\Users\user\AppData\...\Microsoft Edge.lnk, MS 15->72 dropped 31 msedge.exe 15->31         started        33 msedge.exe 15->33         started        35 msedge.exe 15->35         started        39 5 other processes 15->39 37 firefox.exe 18->37         started        file6 signatures7 process8 dnsIp9 84 api.telegram.org 149.154.166.110, 443, 52467, 52472 TELEGRAMRU United Kingdom 20->84 86 drive.google.com 142.250.190.238, 443, 49765, 49779 GOOGLEUS United States 20->86 92 2 other IPs or domains 20->92 62 C:\...\Payment Copy of US$ 75,162.57,.bat.exe, PE32 20->62 dropped 64 Payment Copy of US...exe:Zone.Identifier, ASCII 20->64 dropped 120 Tries to steal Mail credentials (via file / registry access) 20->120 122 Creates autostart registry keys with suspicious names 20->122 124 Tries to harvest and steal browser information (history, passwords, etc) 20->124 130 4 other signatures 20->130 41 chrome.exe 1 20->41         started        44 msedge.exe 20->44         started        47 chrome.exe 20->47 injected 55 7 other processes 20->55 66 Payment Copy of US...162.57,.bat.exe.log, ASCII 27->66 dropped 126 Found direct / indirect Syscall (likely to bypass EDR) 27->126 49 Payment Copy of US$ 75,162.57,.bat.exe 27->49         started        88 dns.quad9.net 149.112.112.112, 443, 49364, 58734 QUAD9-AS-1US United States 31->88 90 104.46.162.225, 443, 58020 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->90 94 17 other IPs or domains 31->94 128 Overwrites Mozilla Firefox settings 31->128 51 cookie_exporter.exe 33->51         started        96 9 other IPs or domains 37->96 53 firefox.exe 37->53         started        file10 signatures11 process12 dnsIp13 98 192.168.11.20, 137, 1900, 443 unknown unknown 41->98 57 chrome.exe 41->57         started        74 C:\Users\user\AppData\...\download_cache, COM 44->74 dropped 76 C:\Users\user\AppData\Local\Temp\...\cache, COM 44->76 dropped 60 msedge.exe 44->60         started        file14 process15 dnsIp16 100 googlehosted.l.googleusercontent.com 142.250.191.1, 443, 49775 GOOGLEUS United States 57->100 102 142.250.80.78, 443, 49768, 49770 GOOGLEUS United States 57->102 104 clients2.googleusercontent.com 57->104
Score:
56%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/50f3dc2a904d9b18ea1ae944d3a2d200
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2026-02-04 00:18:03 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mre32rlotrllxedwoataasob5lr3hkhadejyhhywro67zqmihzbq._file
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:phantom_stealer collection discovery downloader persistence spyware stealer
Link:
https://tria.ge/reports/260204-be148sf16g/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects PhantomStealer payload
Guloader family
Guloader,Cloudeye
PhantomStealer
Phantom_stealer family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7970721019:AAHM9KxJJMDOIuY8HXauYe-y3wAZg5o25yI/sendMessage?chat_id=7822650362
Unpacked files
SH256 hash:
6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43
MD5 hash:
50f3dc2a904d9b18ea1ae944d3a2d200
SHA1 hash:
26761fa22163fbc940246a9ab654f3158896669b
Link:
https://www.unpac.me/results/1ba287dc-e422-46d2-8eb9-125f1e317819/
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
Link:
https://www.unpac.me/results/1ba287dc-e422-46d2-8eb9-125f1e317819/
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/1ba287dc-e422-46d2-8eb9-125f1e317819/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6449bd456e9c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 6449bd456e9c56bb907670260049c1eae3b3a8e01913839f168bbdfcc1883e43

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51592/

Comments