MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082
SHA3-384 hash: 0a9f93cd02fab5696fd0b30382c63f457422c01cef03350abd892504150cd14d2c352eeba97b807a1b5a55c5962907be
SHA1 hash: 2f17cd222950f850cfb23e79049dffb8ef14586e
MD5 hash: b399c368bd6e11c5c317db8fd3bbebbb
humanhash: quebec-eight-lemon-three
File name:New Purchase Order 28142.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'632'256 bytes
First seen:2025-09-19 09:57:49 UTC
Last seen:2025-10-09 14:04:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:hwMQtnruvK0Pz+t3T/fr2KA1SNg+xkNut0AurZrOq8VJvLqNbUARgAhPiSyr+:hGnr0sCKA1+g+xDsyP7LqBgARiSyr+
Threatray 3 similar samples on MalwareBazaar
TLSH T14775330909FD2DFFCD12C4BAE8776A851B24B3472046D6FDED7B71A94D63203A89481E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Purchase Order 28142.exe
Verdict:
Malicious activity
Analysis date:
2025-09-19 08:37:47 UTC
Tags:
netreactor purecrypter stealer evasion phantom crypto-regex smtp
Link:
https://app.any.run/tasks/22c5815b-79c0-4bda-b69f-798f21934337

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28316/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cd2954246a2631bd31057e
Tags:
redline emotet
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade net_reactor obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68cd2a14254431b688d4e7b9/reports/87573d7d-80a4-4ec7-a357-bc34b7ac5ebe/overview
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-17T19:21:00Z UTC
Last seen:
2025-09-17T19:21:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0a5041d7-1d5f-4494-9b99-b2c493740fd4
Result
Threat name:
Phantom stealer, PureLog Stealer, Resolv
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1780649
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Drops VBS files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Phantom stealer
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1780649 Sample: New Purchase Order 28142.exe Startdate: 19/09/2025 Architecture: WINDOWS Score: 100 64 mail.sos-docteur.tv 2->64 66 telemetry-incoming.r53-2.services.mozilla.com 2->66 68 15 other IPs or domains 2->68 90 Found malware configuration 2->90 92 Antivirus / Scanner detection for submitted sample 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 16 other signatures 2->96 9 New Purchase Order 28142.exe 5 2->9         started        13 wscript.exe 2->13         started        15 msedge.exe 2->15         started        18 firefox.exe 1 2->18         started        signatures3 process4 dnsIp5 60 C:\Users\user\AppData\Roaming\TypeId.exe, PE32 9->60 dropped 62 C:\Users\user\AppData\Roaming\...\TypeId.vbs, ASCII 9->62 dropped 112 Found many strings related to Crypto-Wallets (likely being stolen) 9->112 114 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->114 20 InstallUtil.exe 25 13 9->20         started        116 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->116 24 TypeId.exe 13->24         started        84 192.168.2.10 unknown unknown 15->84 86 192.168.2.4, 138, 443, 49564 unknown unknown 15->86 88 3 other IPs or domains 15->88 118 Maps a DLL or memory area into another process 15->118 26 msedge.exe 15->26         started        28 setup.exe 15->28         started        30 msedge.exe 15->30         started        35 5 other processes 15->35 32 firefox.exe 3 159 18->32         started        file6 signatures7 process8 dnsIp9 70 mail.sos-docteur.tv 69.72.248.46, 49769, 587 FORTRESSITXUS United States 20->70 72 icanhazip.com 104.16.184.241, 49767, 80 CLOUDFLARENETUS United States 20->72 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->98 100 Tries to steal Mail credentials (via file / registry access) 20->100 102 Found many strings related to Crypto-Wallets (likely being stolen) 20->102 108 4 other signatures 20->108 37 msedge.exe 20->37         started        40 firefox.exe 1 20->40         started        42 chrome.exe 20->42         started        52 3 other processes 20->52 104 Multi AV Scanner detection for dropped file 24->104 106 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->106 44 InstallUtil.exe 24->44         started        74 a434.dscr.akamai.net 23.213.34.177, 443, 49725, 58823 NTT-COMMUNICATIONS-2914US United States 26->74 76 a1666.dscr.akamai.net 23.213.34.199, 443, 49732, 49733 NTT-COMMUNICATIONS-2914US United States 26->76 80 32 other IPs or domains 26->80 46 setup.exe 28->46         started        78 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49794, 49795, 80 GOOGLEUS United States 32->78 82 7 other IPs or domains 32->82 56 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 32->56 dropped 58 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 32->58 dropped 48 firefox.exe 32->48         started        50 firefox.exe 32->50         started        file10 signatures11 process12 signatures13 110 Monitors registry run keys for changes 37->110 54 msedge.exe 37->54         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.92 Win 32 Exe x86
Link:
https://app.malva.re/file/b399c368bd6e11c5c317db8fd3bbebbb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2025-09-18 01:21:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m7pg7nnpywxrhioh27xmi5zy567kgntn4vrghvlpskpzugk44cba._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608
PhantomStealer
d1bc4e42ecce35e89268c590d57779b243c1c9726468aebe52f286c309d26d5d
PhantomStealer
error
PhantomStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery persistence
Link:
https://tria.ge/reports/250919-l2dbsssm12/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/70c6b331-672e-41aa-a339-d187485799fb
Unpacked files
SH256 hash:
67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082
MD5 hash:
b399c368bd6e11c5c317db8fd3bbebbb
SHA1 hash:
2f17cd222950f850cfb23e79049dffb8ef14586e
Link:
https://www.unpac.me/results/1018917d-2838-4889-83ed-723e2442affe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67de6fb5afc5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_f57e5e2a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

rar fce76c1633b57695febf2c9f495e13cd719fcd5663bb18b3d5254350a808aada

PhantomStealer

Executable exe 67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fce76c1633b57695febf2c9f495e13cd719fcd5663bb18b3d5254350a808aada
  
Dropped by
MD5 685e8920787dc82d276c887b48638515
Cape
Cape
https://www.capesandbox.com/analysis/28316/

Comments