MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4
SHA3-384 hash: 48b555c51721f71fdd6262be6febf6934600335392de9963734580a85011c2e3ca6e701873f15387b20f97ca0fe5000b
SHA1 hash: fc5fe7850b0e7a8a3f0fb3c420007275cb434c8b
MD5 hash: 818708abf1518f3c1f05d40be36e33c1
humanhash: early-oklahoma-uranus-four
File name:rUMx5WTsF60SQ2aQ.scr
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'601'544 bytes
First seen:2026-03-31 12:00:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 24576:9hnOAShku/dLBtzi3yMITnwuq+27XZkKvjeTj87R0pBfJynJi+lwxIt:9hnFShB9i3Qhq+KnbT0pBfJ4J9iIt
Threatray 323 similar samples on MalwareBazaar
TLSH T1E67512841215EA07D5D21FB05E70E3B447B54E89BC02C3479BFAEEEBB93D64678092D2
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 00c4c4c0cccc8200 (1 x PhantomStealer, 1 x RedLineStealer)
Reporter FXOLabs
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
BR BR
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
_7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4.exe
Verdict:
Malicious activity
Analysis date:
2026-03-31 12:02:47 UTC
Tags:
auto-reg stealer phantom crypto-regex telegram evasion
Link:
https://app.any.run/tasks/1273a837-7037-4eb8-bba6-84d4ef1f0a9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/59879/
Detection(s):
SecuriteInfo.com.Trojan.Inject6.32641.19323.25763.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69cbb7953a18a6e1ddeffec0
Tags:
injection shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a process with a hidden window
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bitmap expired-cert invalid-signature masquerade packed packed signed stego vbnet
Link:
https://www.filescan.io/uploads/69cbb757e2df9aa488bfccde/reports/74c2165d-c4f7-4ea1-9fe8-8e70fcd220bc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-31T04:36:00Z UTC
Last seen:
2026-04-02T10:13:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Discord.sb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan-PSW.MSIL.Stealerium.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen VHO:Trojan.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0046cc90-d269-4477-8c19-676772c6c5c8
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.42 Win 32 Exe x86
Link:
https://app.malva.re/file/818708abf1518f3c1f05d40be36e33c1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-03-31 07:54:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=piqjkw3otlrliwygxy5xvzg3hzfysrvbq442jv6nvvzrkxgzbpca._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4
PhantomStealer
8b0fe67d4862db19d8af42c46986e6ff1750aa4eb04e2645aacf9b5a1416e84a
PhantomStealer
8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562
PhantomStealer
b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173
PhantomStealer
cfd11ba39c99b6dfa239f8ae1611f2300af5a6cb6ccc01bea56780a6664ed7d4
PhantomStealer
eb39e97c5c106d34d5ac48ecd629614df3f798ff936535ba8a18b2532712590f
PhantomStealer
error
PhantomStealer
f9b5586faacc3149e8cc0cbd920bdb8f58a6e8b57bd2acbe9215f61cdd2ea3a3
PhantomStealer
+ 313 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence stealer
Link:
https://tria.ge/reports/260331-n6gk5acw9z/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
PhantomStealer
Phantom_stealer family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8202433393:AAEovQFoi2aiceC8gxcdygOJu1f0GxUAYYM/sendMessage?chat_id=6283883842
Unpacked files
SH256 hash:
7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4
MD5 hash:
818708abf1518f3c1f05d40be36e33c1
SHA1 hash:
fc5fe7850b0e7a8a3f0fb3c420007275cb434c8b
Link:
https://www.unpac.me/results/0f3c40b7-f400-4d37-8a5f-b068310e3e1e/
SH256 hash:
f67ce8446bce65810792b02d56aacea9695b51f499d96c6cf671f44a56ccff03
MD5 hash:
e9fd45d1d8615cad47276a41854384f6
SHA1 hash:
58f304c03d9c420b3d03419b44156d5e9b2f91c0
Detections:
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Link:
https://www.unpac.me/results/0f3c40b7-f400-4d37-8a5f-b068310e3e1e/
SH256 hash:
f39a272b37a3164a58302de1e7560b0e83692dff74801f15c4a5ccf6ccaeff91
MD5 hash:
d012aa133809916a436965b866ecfee9
SHA1 hash:
66947835d2cbcb8a573b77f46c84447f2c2d85fb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0f3c40b7-f400-4d37-8a5f-b068310e3e1e/
SH256 hash:
4447fe8d112e6455f2dc2764ef66df2e8b028838c99706f2c565058d08d1bac4
MD5 hash:
a12cf68b20113c7325bcdefc4dfd9fa0
SHA1 hash:
a4d8c80cfccf2e0d45299a0de1d59520a7e3ab85
Link:
https://www.unpac.me/results/0f3c40b7-f400-4d37-8a5f-b068310e3e1e/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a20955b6e9a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 7a20955b6e9ae2b45b06be3b7ae4db3e4b8946a18739a4d7cdad73155cd90bc4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/59879/

Comments