MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69346d2b7d476208653f58962bda327b95e7dcf3c033b983071538bfb3f2ced6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash: 69346d2b7d476208653f58962bda327b95e7dcf3c033b983071538bfb3f2ced6
SHA3-384 hash: 485872d32fed28432bf29e482b20f71d25a40c0a52e040de172ffe98947ba96367d61120d0205926a62d26d0ffd56477
SHA1 hash: 8162620a28100d4731ab252428c3b898d60ad340
MD5 hash: 1f4592236b79ab34050769f725387de2
humanhash: football-connecticut-mountain-social
File name:rPO738518.exe
Download: download sample
Signature PhantomStealer
File size:1'338'368 bytes
First seen:2026-07-13 06:00:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'116 x AgentTesla, 20'118 x Formbook, 12'357 x SnakeKeylogger)
ssdeep 24576:CV/Yyx4CIS4i1KYy0OElpwIKQf1GthMC4AuLHpW/nCicWsL/tOM5d1zQ:D24CIS4i7y0L2IKJLQAuA6iPa/oM
Threatray 195 similar samples on MalwareBazaar
TLSH T1105512503254E612D599637809B4F37A23F84DDEB412DB829FECACEF7D32F1249146A2
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon e09a981c04820182 (1 x PhantomStealer, 1 x njrat)
Reporter FXOLabs
Tags:exe PhantomStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
186
Origin country :
BR BR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla explorer formbook lolbin packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-12T23:45:00Z UTC
Last seen:
2026-07-14T23:14:00Z UTC
Hits:
~100
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
.Net Executable Html Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.30 Win 32 Exe x86
Threat name:
Win32.Backdoor.FormBook
Status:
Malicious
First seen:
2026-07-13 02:43:53 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
69346d2b7d476208653f58962bda327b95e7dcf3c033b983071538bfb3f2ced6
MD5 hash:
1f4592236b79ab34050769f725387de2
SHA1 hash:
8162620a28100d4731ab252428c3b898d60ad340
SH256 hash:
7a09d4c71af5d34d449fc0ba91c8993492828bc5d6a1a3300c3f27df63c56e28
MD5 hash:
acbdef84097e8e77e2fa56219b88e479
SHA1 hash:
1d0de023f006931d010e601ff392b6621279ddba
SH256 hash:
13f6da0ee81dcd32d7f44baeb521948206d66ba80859e71817e4a7febe8914b1
MD5 hash:
a47bd909fb64e06cfebde507da32a67e
SHA1 hash:
7905d5c241c92fcc7cdbbe9302ca9d7b2000d7cb
Detections:
triage_net_infostealer_wsh triage_vidar_infostealer
SH256 hash:
eabb6f81b23ede6e3660217fed54d8fc5d45059051d1e9b271b89bf7ea4f8986
MD5 hash:
6799cece162266645180697a02ef35d7
SHA1 hash:
e1c7916e754536802e15afbdfca1ae0be57ca597
Malware family:
PhantomStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:test_rule_vldslv

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 69346d2b7d476208653f58962bda327b95e7dcf3c033b983071538bfb3f2ced6

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments