MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a
SHA3-384 hash: 2e3adfbd457f5b33dd29c6d66d99781482293788d4c64ef4fd7139b6f22c23d31d709f8ac294ac1135682a542c667173
SHA1 hash: 063df69ae992acdf6f38701292cf6e8b45edd0a2
MD5 hash: 8168d0317ce9abe4202d5124f3591fbf
humanhash: winter-failed-fix-fillet
File name:PURCHASE ORDER-SKMB Contract Campell.js
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:147'502 bytes
First seen:2026-02-23 11:49:55 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:GDvoByi08zCjphcPHMX+Tg6B5/4rLNS0ydMZXA:GDAByixzUpiIt6BF4rLkoQ
Threatray 123 similar samples on MalwareBazaar
TLSH T169E312318EB7A7F98F82AE5AD9A47E1C4DFD28029230B550B7552CC27C75160B2E7C8D
Magika powershell
Reporter abuse_ch
Tags:js PhantomStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699c3f118fffa866e3b10af1
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated repaired
Link:
https://www.filescan.io/uploads/699c3f0310e80629d4ee4938/reports/7124147d-6733-468d-b23a-e57dc8ad3acb/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a
Verdict:
Malicious
File Type:
js
Detections:
Backdoor.MSIL.Agent.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.SAgent.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Discord.sb Trojan-PSW.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Stealer.gen HEUR:Trojan.Win32.Generic Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealerium.sb Trojan-PSW.MSIL.Stealer.sb Trojan.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a/results?tab=lookup
Result
Threat name:
KeyLogger, Phantom stealer, Strela Steal
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1873358
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
JavaScript file contains suspicious strings
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Monitors registry run keys for changes
Multiple Browser Instances Using Unsafe Startup Parameters
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Control Panel Items
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected Powershell decode and execute
Yara detected Strela Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1873358 Sample: PURCHASE ORDER-SKMB Contrac... Startdate: 23/02/2026 Architecture: WINDOWS Score: 100 55 api.telegram.org 2->55 57 mozilla.map.fastly.net 2->57 59 icanhazip.com 2->59 65 Suricata IDS alerts for network traffic 2->65 67 Found malware configuration 2->67 69 Yara detected Phantom stealer 2->69 73 17 other signatures 2->73 11 wscript.exe 1 2->11         started        signatures3 71 Uses the Telegram API (likely for C&C communication) 55->71 process4 signatures5 87 JScript performs obfuscated calls to suspicious functions 11->87 89 Wscript starts Powershell (via cmd or directly) 11->89 91 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->91 93 3 other signatures 11->93 14 cmd.exe 1 11->14         started        process6 signatures7 97 Suspicious powershell command line found 14->97 99 Wscript starts Powershell (via cmd or directly) 14->99 17 powershell.exe 24 139 14->17         started        22 cmd.exe 1 14->22         started        24 conhost.exe 14->24         started        process8 dnsIp9 49 api.telegram.org 149.154.166.110, 443, 49701, 49703 TELEGRAMRU United Kingdom 17->49 51 icanhazip.com 104.16.184.241, 49702, 80 CLOUDFLARENETUS United States 17->51 53 147.124.212.141, 49689, 80 AC-AS-1US United States 17->53 45 \Device\ConDrv, ASCII 17->45 dropped 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->75 77 Found many strings related to Crypto-Wallets (likely being stolen) 17->77 79 Tries to harvest and steal browser information (history, passwords, etc) 17->79 81 6 other signatures 17->81 26 firefox.exe 1 17->26         started        28 msedge.exe 17->28 injected 31 msedge.exe 1 129 17->31         started        33 chrome.exe 17->33         started        47 stdout, ASCII 22->47 dropped file10 signatures11 process12 signatures13 35 firefox.exe 3 46 26->35         started        95 Writes to foreign memory regions 28->95 39 msedge.exe 31->39         started        process14 dnsIp15 61 mozilla.map.fastly.net 151.101.1.91, 443, 49699 FASTLYUS United States 35->61 63 127.0.0.1 unknown unknown 35->63 83 Monitors registry run keys for changes 35->83 85 Installs a global keyboard hook 35->85 41 firefox.exe 1 35->41         started        43 firefox.exe 1 35->43         started        signatures16 process17
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a/
Verdict:
Malicious
Threat:
Family.PHANTOMSTEALER
Link:
https://tip.neiki.dev/file/7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmedfyxpylyyqlxccvu2rycr5bky75zrfatvybzbm7ekxmq56q5a._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
0462d2a890595de741f9a29fb99102e43ce72cfe000aff7afbc749771c8bd819
PhantomStealer
048b16aa8b4c5fcfddc7609999446ff888f7106e2f4fa106a459fdeb21c81e82
PhantomStealer
0daa3fc7e8c657b4e98fbd3be6b56c2c8950224945c5d0d3c10c2e4967637dce
PhantomStealer
0dbab5ca9c9079ca6099b4f036f7c403e0b61fdcb77dea147ff25d8c349ed1d3
PhantomStealer
31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870
PhantomStealer
414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456
PhantomStealer
815b1ccf52d1f815f76b46b5a23f203dc80debafb39e1b6c95d9d19863a69828
PhantomStealer
c5ac054b0470e6b792c9064c1fa7eb8ddd5867d69752637330cad3294c4b875b
PhantomStealer
c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5
PhantomStealer
error
PhantomStealer
f0c701e1915e2623fee87920b7ee51cdc153bf15781488e94e38c9a2d13b5378
PhantomStealer
+ 113 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection defense_evasion discovery execution persistence stealer
Link:
https://tria.ge/reports/260223-nztl4sgw8f/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Hide Artifacts: Hidden Window
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7537774095:AAG3NUNGelEzgGtbXmvz6_F6alj9VfSYk0M/sendMessage?chat_id=6406632357
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b0832e2efc2f1882ee21569a8e051e8558ff73128275c072167c8abb21df43a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments