MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 652a96c9a54fba5d57371552348acbcd596293f65195b45b782eed0727fdf727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 12

SHA256 hash: 652a96c9a54fba5d57371552348acbcd596293f65195b45b782eed0727fdf727
SHA3-384 hash: 2ae4c3b5dfb62d52eb2295abe292a13233268e104d9811f3db23a810e244f95132de201cd5ec8925c77f4ca7a9d814ad
SHA1 hash: 206d03b487e1971642b3ff42a30161c25e5d1470
MD5 hash: 303ea469502f72c6ed278d64fc47c2b6
humanhash: butter-november-lake-queen
File name: shim.bat
Signature: PhantomStealer
File size: 1'985'082 bytes
First seen: 2026-01-19 15:02:26 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 6144:ciACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCw:cih
Threatray: 401 similar samples on MalwareBazaar
TLSH: T141955C0295FA463234D629BC06DF9533B55AF7980FA46B70B4411AEF079FB0A3DD6B20
Magika: batch
Reporter: James_inthe_box
Tags: bat exe PhantomStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 99
Origin country: US

Vendor Threat Intelligence
No detections

Malware family: n/a
ID: 1
File name: _652a96c9a54fba5d57371552348acbcd596293f65195b45b782eed0727fdf727.txt
Verdict: Malicious activity
Analysis date: 2026-01-19 15:34:38 UTC
Tags: loader reverseloader stego payload susp-powershell stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.9%
Tags: shell sage

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: cmd lolbin

Verdict: Suspicious
Labeled as: TrojanDownloader/BAT.Netloader

Verdict: Malicious
File Type: unix shell
First seen: 2026-01-19T07:09:00Z UTC
Last seen: 2026-01-21T12:19:00Z UTC
Hits: ~100

Detections: Trojan.BAT.Agent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Agent.gen

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2026-01-19 12:09:05 UTC
File Type: Text (Batch)
AV detection: 6 of 24 (25.00%)

Threat level: 5/5

Result
Malware family: phantom_stealer
Score: 10/10
Tags: family:phantom_stealer collection discovery execution stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8232669145:AAHd_z38sCx60pi6_YW7VVlVkIm8vK91n0M/sendMessage?chat_id=8359993573
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: RANSOMWARE
Author: ToroGuitar

File information


The table below shows additional information about this malware sample such as delivery method and external references.
