MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401
SHA3-384 hash:	dc6809eae54f9179ee360a1282f7e16bc08319c9247583453d7f6113502f348c3ce27b1b06a47047fac2b4753fddc783
SHA1 hash:	339870a33cce6bd08c5c3c27e8302f4ef377f0a1
MD5 hash:	db1eceb37ae239e0a0471425551f31a4
humanhash:	six-three-king-arkansas
File name:	Orden_de_Compra_WHFarm_26587.pdf.exe
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'858'560 bytes
First seen:	2026-02-09 10:17:19 UTC
Last seen:	2026-02-09 11:25:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	24576:TEst1d5R43L6c/rWQs3/eBo9BqV8qIIvQDEp//ndkRb80k:lt1d5OBWD/4HVhIZDAn69
Threatray	348 similar samples on MalwareBazaar
TLSH	T17C85F11153E86A6CF9BF9B3C0679445443F1B94ACB32DF2E799D809D1821F93DAA1323
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	adrian__luca
Tags:	exe PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

Orden_de_Compra_WHFarm_26587.pdf.exe

Verdict:

Malicious activity

Analysis date:

2026-02-09 10:28:51 UTC

Tags:

stealer phantom netreactor crypto-regex

Link:

https://app.any.run/tasks/8dd08907-6455-479a-b5c5-693ee2fc81d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52759/

Detection(s):

SecuriteInfo.com.Trojan.Siggen32.22503.31253.25083.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6989b46542fd65534ccdd39f

Tags:

underscore extens micro remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-02-03T13:21:00Z UTC

Last seen:

2026-02-11T07:10:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cb853f3e-4fa2-47d4-ba02-044cc2fa2ad6

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401/

Verdict:

Malicious

Threat:

Family.PHANTOM

Link:

https://tip.neiki.dev/file/6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2026-02-03 18:26:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=njxvgzde53zifvqe2gho4ztiwjrtj3igmquwt2q7swnao32ueqaq._file

Verdict:

malicious

Label(s):

covenantc2

phantomstealer

PhantomStealer

4abd169c2e8280b1e13b34af291b91138473bafd4b996ce020363f52371d77b6

PhantomStealer

4c3ae6b27ff6c7003f1d58a9c09f69c6a877f5db5b285abe919ff41e1654c6bc

PhantomStealer

6314c3c82acb165b93aa922ff379754ea29c321d7a757a5d55d72e537072d9c7

PhantomStealer

9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b

PhantomStealer

+ 338 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer defense_evasion discovery stealer

Link:

https://tria.ge/reports/260209-mbnkhsax9c/

Behaviour

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

.NET Reactor proctector

Checks computer location settings

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Unpacked files

SH256 hash:

6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401

MD5 hash:

db1eceb37ae239e0a0471425551f31a4

SHA1 hash:

339870a33cce6bd08c5c3c27e8302f4ef377f0a1

Link:

https://www.unpac.me/results/7cc6d8a1-5c5e-4183-a680-d298ddca9dc2/

SH256 hash:

0a9b687ac6b45c7d0998de90d9a5ec5729f1e4e12b7ff89b5395b5f1a7d84d77

MD5 hash:

18f498e57874733aa1ff756cdf973aaa

SHA1 hash:

1eabb5bb5fda74d4fdcfbc60c1469b6806f1d3a4

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/7cc6d8a1-5c5e-4183-a680-d298ddca9dc2/

Parent samples :

4c3ae6b27ff6c7003f1d58a9c09f69c6a877f5db5b285abe919ff41e1654c6bc
6bb2a5678ada801137ea6f5f6b032ca4154de5df7d8f240ee4d7ed2febe5ddcd
a72181561540f1c1d48dd8f33fe4b502fe8b1fdf27a908b035296276638af564
1f9188b926fd1bf32c8731d981cbd0be675b10cc1376f0544f01b99486f56e3a
6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401
20beaec4ad8341161ef0a36de86a02923cb904d438823f86fd7dce0682429922
a2909324ee9763d9c6b48ed73d2bb082d622eebd35d22641da2894d9cf94cea9

SH256 hash:

9976ed54f994789692e18c2a8eacd7c2ce1ce8c0383a860dffc1c9193ed65498

MD5 hash:

b8582a188a123bf1de8751ee80bbac99

SHA1 hash:

20fc86ad86fdacc734edc357650e99567ce9596f

Link:

https://www.unpac.me/results/7cc6d8a1-5c5e-4183-a680-d298ddca9dc2/

SH256 hash:

0a6ac08588c53614fed6ba426538e61780f317043012d9c6a494a3928bcee60b

MD5 hash:

e60549f2b47215990b99d310c519be9d

SHA1 hash:

41b67ce513b25f99b1f74edba5e5a98ce50c7423

Detections:

phantom_stealer

cn_utf8_windows_terminal

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Link:

https://www.unpac.me/results/7cc6d8a1-5c5e-4183-a680-d298ddca9dc2/

SH256 hash:

2e2f25768cec84ccd81685559716668748904769d5218d90d06a1addc1070b6d

MD5 hash:

1597653402d0c418c2e41c0445c10be0

SHA1 hash:

aade294fdb871d814576319be544166f70938286

Link:

https://www.unpac.me/results/7cc6d8a1-5c5e-4183-a680-d298ddca9dc2/

SH256 hash:

e5834290dd0606fb0aa3c0faa2295faf56f3a49ea3d17ed3d85f61309c46cec9

MD5 hash:

a3d8fe35a64a964044e6d83805064ec3

SHA1 hash:

f9d105d2ce3ff38e15597ee90ff8f1c14a02219d

Link:

https://www.unpac.me/results/7cc6d8a1-5c5e-4183-a680-d298ddca9dc2/

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6a6f536464ee/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

exe 6a6f536464eef282d604d18eee6668b26334ed06642969ea1f959a076f542401

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/52759/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample