MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
SHA3-384 hash: 61dc7649efa323a44000905c393dacf878c0ccea25368c231e992ca930e4dc88fc7f7009ae5d3f30c8da36d624bcb330
SHA1 hash: 7fb6d6231244351f2b9b8727a50481b7f3a5d1f0
MD5 hash: 715870da3de6f967137a0a28b1a1189b
humanhash: tennessee-washington-west-montana
File name:REQUESTING FOR QUOTATION.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'569'792 bytes
First seen:2026-02-09 05:00:40 UTC
Last seen:2026-02-09 10:29:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'742 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 24576:YY4bKjyGGwn6IFRgXmmug6qfSIsNUa+EA+3D07OGgfNVMD9aNxl0w:Z4bKePwHFRS1ugTfENvxA+IJgfTMkNY
Threatray 226 similar samples on MalwareBazaar
TLSH T18875F1C13B257726DD6D8971A526DDB993B63CA87001F6E62CCC378735BE202AD09F06
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
134
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/12968e34-6fef-483d-85f0-c112d8c77218/
Malware family:
n/a
ID:
1
File name:
REQUESTING FOR QUOTATION.exe
Verdict:
Malicious activity
Analysis date:
2026-02-09 05:02:19 UTC
Tags:
auto-startup susp-lnk auto-reg stealer phantom crypto-regex evasion
Link:
https://app.any.run/tasks/463e3295-01c6-45eb-b039-accfbef6ba7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/52713/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.8571.28254.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69896a2342fd65534ccdbd36
Tags:
agenttesla autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook krypt packed vbnet
Link:
https://www.filescan.io/uploads/69896a20930564ff3c933733/reports/c7ed82f9-4362-4c62-8e74-fd9d8ed39a99/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-08T21:35:00Z UTC
Last seen:
2026-02-11T03:35:00Z UTC
Hits:
~1000
Detections:
UDS:DangerousObject.Multi.Generic PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb HEUR:Trojan.WinLNK.Powecod.e Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Stealerium.sb VHO:Trojan-PSW.Win32.Convagent.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan-Spy.MSIL.Noon.gen
Link:
https://opentip.kaspersky.com/74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/69bb4aa8-c93f-4693-a99e-4b0b855686d8
Result
Threat name:
KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1865851
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1865851 Sample: REQUESTING FOR QUOTATION.exe Startdate: 09/02/2026 Architecture: WINDOWS Score: 100 75 ftp.henfruit.ro 2->75 77 youtube-ui.l.google.com 2->77 79 70 other IPs or domains 2->79 91 Found malware configuration 2->91 93 Multi AV Scanner detection for dropped file 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 20 other signatures 2->97 9 REQUESTING FOR QUOTATION.exe 7 2->9         started        13 powershell.exe 2->13         started        15 REQUESTING FOR QUOTATION.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 file5 69 C:\Users\user\AppData\Roaming69yyEVKzI.exe, PE32 9->69 dropped 71 C:\Users\...71yyEVKzI.exe:Zone.Identifier, ASCII 9->71 dropped 73 C:\Users\...\REQUESTING FOR QUOTATION.exe.log, ASCII 9->73 dropped 115 Found many strings related to Crypto-Wallets (likely being stolen) 9->115 117 Adds a directory exclusion to Windows Defender 9->117 119 Injects a PE file into a foreign processes 9->119 19 REQUESTING FOR QUOTATION.exe 26 15 9->19         started        24 powershell.exe 23 9->24         started        26 NyyEVKzI.exe 13->26         started        28 conhost.exe 13->28         started        30 REQUESTING FOR QUOTATION.exe 15->30         started        32 firefox.exe 3 410 17->32         started        34 msedge.exe 17->34         started        36 REQUESTING FOR QUOTATION.exe 17->36         started        38 firefox.exe 17->38         started        signatures6 process7 dnsIp8 81 ftp.henfruit.ro 91.213.188.9, 21, 49707, 49708 TBM-ASRU United Kingdom 19->81 83 icanhazip.com 104.16.184.241, 49730, 80 CLOUDFLARENETUS United States 19->83 61 C:\Users\...\REQUESTING FOR QUOTATION.exe, PE32 19->61 dropped 63 REQUESTING FOR QUO...exe:Zone.Identifier, ASCII 19->63 dropped 99 Tries to steal Mail credentials (via file / registry access) 19->99 101 Tries to harvest and steal browser information (history, passwords, etc) 19->101 103 Writes to foreign memory regions 19->103 111 2 other signatures 19->111 40 msedge.exe 19->40         started        43 chrome.exe 19->43 injected 45 firefox.exe 1 19->45         started        55 2 other processes 19->55 105 Loading BitLocker PowerShell Module 24->105 47 conhost.exe 24->47         started        107 Multi AV Scanner detection for dropped file 26->107 109 Injects a PE file into a foreign processes 26->109 57 2 other processes 26->57 85 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49703, 49711, 49767 GOOGLEUS United States 32->85 87 push.services.mozilla.com 34.107.243.93, 443, 49740, 49741 GOOGLEUS United States 32->87 89 9 other IPs or domains 32->89 65 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 32->65 dropped 67 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 32->67 dropped 49 firefox.exe 32->49         started        51 firefox.exe 32->51         started        53 firefox.exe 32->53         started        file9 signatures10 process11 signatures12 113 Monitors registry run keys for changes 40->113 59 msedge.exe 40->59         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.33 Win 32 Exe x86
Link:
https://app.malva.re/file/715870da3de6f967137a0a28b1a1189b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
Threat name:
ByteCode-MSIL.Infostealer.Browsstl
Create hunting rule
Status:
Malicious
First seen:
2026-02-09 01:50:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ost3biyii3r3m4f6h6p5borp3ipq22bndwxbabvtnm3yd3cscfjq._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
071a363ec38e71da9d074123c50ea594969d28878da8e754a6b6f7684940e809
PhantomStealer
1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb
PhantomStealer
3e24bc53a54d730bc18f29a09e5bcbca55fa332d67a983a62bb39b12b4514f62
PhantomStealer
414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456
PhantomStealer
63658745db86950d8f70f2cb1739f142b4d42d24153608e500fbcb5225065fd9
PhantomStealer
764892433fc11dc14ec10608d16131c178f7750b4fc9f8075a94d3824687162f
PhantomStealer
c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5
PhantomStealer
dbbb1c1ad17996d18e3e28537e0188b204657e87b8cb495e05bdb36c75cae466
PhantomStealer
+ 216 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260209-fnpvsact7a/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Unpacked files
SH256 hash:
74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
MD5 hash:
715870da3de6f967137a0a28b1a1189b
SHA1 hash:
7fb6d6231244351f2b9b8727a50481b7f3a5d1f0
Link:
https://www.unpac.me/results/936e7dc7-d662-4c25-bebd-e0748da24251/
SH256 hash:
993655b7b15370d8c09874c2cf9c6dc96f622bd84f06c06f6ee8befb5815c0ad
MD5 hash:
ca43b6b9b7805cc50c3d46bad61f1fcc
SHA1 hash:
56413c731e40e371f98fee4651d5c83cc36845d2
Detections:
phantom_stealer
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Link:
https://www.unpac.me/results/936e7dc7-d662-4c25-bebd-e0748da24251/
Parent samples :
74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8
b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173
SH256 hash:
75746b68694e7fc3a1384f4ddafb36b675516d1855b4d0eb4a37fefd0c80a32c
MD5 hash:
15cdde426009768935494d7131fe4f0a
SHA1 hash:
81f0fcd13c62d614bb866388c69d643327397880
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/936e7dc7-d662-4c25-bebd-e0748da24251/
Parent samples :
74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
7efba5bdd57a190663d38a52ff71b525874b832cce859895adf688e9d5c41d7e
SH256 hash:
f4003172942b40d908d739c03ede389ba920579eadf02d7d3afcba06e472a58c
MD5 hash:
e920f043686fa268a991edd0e74c0b7e
SHA1 hash:
f95abbd0aa79c69b41aab18c1e28439a19270a62
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/936e7dc7-d662-4c25-bebd-e0748da24251/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74a7b0a30846/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/52713/

Comments