MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c0f5796eef37c032ba6b5712d056f9e9191f9d950b3debbdcee9728c5fd0860. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	6c0f5796eef37c032ba6b5712d056f9e9191f9d950b3debbdcee9728c5fd0860
SHA3-384 hash:	5e8cab148e7850fc4f4c4dcece693735c24c9c8f48dcc9259a0eb2435ee2ad2fee7ba70a4928603f6ad87ca7c8ab8e30
SHA1 hash:	0b0e06dddeccd50795d5fd7bee8bec12db7aa08b
MD5 hash:	3ffae72147348ef591eb32443902cb86
humanhash:	saturn-mockingbird-oranges-texas
File name:	ELG_RFQ_3751897.js
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	66'495 bytes
First seen:	2026-01-26 15:10:25 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	192:PJw6yMfYQ8OYxDcc9BTetS7nHAZRb6DjimJH4OhCQtfb8QMh3a+fTbVZ1TlFeN2j:hrux+os1OhXdbUaeTbgc1S8feH65H
Threatray	294 similar samples on MalwareBazaar
TLSH	T1A35341713E34336ABE7BFB0093952AF0832A59161D2E2C65013957FF8A95E78E4CF491
Magika	javascript
Reporter	James_inthe_box
Tags:	exe js PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697783f3bec9764f452f07ba

Tags:

xtreme shell sage

Verdict:

Malicious

Labled as:

SVM:TrojanDownloader/JS.Maloader

Link:

https://www.hybrid-analysis.com/sample/6c0f5796eef37c032ba6b5712d056f9e9191f9d950b3debbdcee9728c5fd0860

Verdict:

Malicious

File Type:

First seen:

2026-01-26T07:31:00Z UTC

Last seen:

2026-01-28T12:32:00Z UTC

Hits:

~1000

Detections:

Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/6c0f5796eef37c032ba6b5712d056f9e9191f9d950b3debbdcee9728c5fd0860/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6c0f5796eef37c032ba6b5712d056f9e9191f9d950b3debbdcee9728c5fd0860

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6c0f5796eef37c032ba6b5712d056f9e9191f9d950b3debbdcee9728c5fd0860/

Verdict:

Malicious

Threat:

Family.REVERSELOADER

Link:

https://tip.neiki.dev/file/6c0f5796eef37c032ba6b5712d056f9e9191f9d950b3debbdcee9728c5fd0860

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2026-01-26 10:21:00 UTC

File Type:

Text (JavaScript)

AV detection:

4 of 38 (10.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqhvpfxo6n6agk5gwvys2blpt2izd6ozkcz55o6452lsrrp5bbqa._file

Verdict:

malicious

Label(s):

phantomstealer

PhantomStealer

1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb

PhantomStealer

31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870

PhantomStealer

3e4c84d1606995d10df25a09c9b31e68a028a3c10f4e226d316d8cb5fcbbb1ee

PhantomStealer

414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456

PhantomStealer

652a96c9a54fba5d57371552348acbcd596293f65195b45b782eed0727fdf727

PhantomStealer

815b1ccf52d1f815f76b46b5a23f203dc80debafb39e1b6c95d9d19863a69828

PhantomStealer

9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b

PhantomStealer

error

PhantomStealer

+ 284 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection defense_evasion discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/260126-skcghaex2a/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Kills process with taskkill

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Reads user/profile data of web browsers

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Process spawned unexpected child process

Malware Config

C2 Extraction:

https://api.telegram.org/bot8517540605:AAEGEpiQE4Cvu1Rjp8NCMAO77kCxgZNVmiI/sendMessage?chat_id=8571316016

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6c0f5796eef3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6c0f5796eef37c032ba6b5712d056f9e9191f9d950b3debbdcee9728c5fd0860

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ClamAV_Emotet_String_Aggregate Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample