MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29
SHA3-384 hash: 30a34b0f79c8d7efb3867251ac5ae8207c0173eef8023fc1cdc315966b44db3dfe3d8a2cb61122627bee831f67b40b71
SHA1 hash: 022bf04922605c6a81a434034f5907189b4ed4ab
MD5 hash: ae22efc1a186e0f6e114ae2e9255c36e
humanhash: equal-two-foxtrot-wisconsin
File name:7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'509'888 bytes
First seen:2026-06-08 09:42:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'011 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 24576:87pKj/dx3jpJikN7BL+T+Uh5b5h8p0YMtbV3zMbaa58:8lQdxfACUHbr8p0Z3gH
Threatray 143 similar samples on MalwareBazaar
TLSH T1CD6523689E06D146CA8157787E31F2B9062C4DDCA905A7029FEFBEFBB537A940C801E5
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/db8d8928-f85c-44df-8a1c-29bdf3b46f93/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69889/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a268f3dae2f98c00a68cb27
Tags:
infosteal redline emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a service
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt krypt packed vbnet
Link:
https://www.filescan.io/uploads/6a268ec78161ac6cb55cacf1/reports/18767c19-bde0-49d1-8f3a-ddb7680e5f3a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-14T17:00:00Z UTC
Last seen:
2026-06-06T18:26:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/358bf0bd-129d-496c-99a9-0a2a2377f65f
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2026-05-14 19:40:15 UTC
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmluir3etr32ab33rjzlh35rrvmmeo5derq53vd43oxh3s7rt4uq._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
xworm
Create hunting rule
Similar samples:
0f9fcd8bfc73b744ce1ec0185645156969f864ec4142204fea4b2608226248c5
PhantomStealer
2bc8ac0bc033b568ed2c8fcc3630cfc2c94ce2493f28aa07ed12bd625a7d3219
PhantomStealer
7196e1100732cd16d74ba8099bbccc87077a8ce3fe2c4862e2ec6bec76ed2992
PhantomStealer
8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809
PhantomStealer
e3aeb7f86f362b9c16a292cd4bd9f76ed2f653de8b405557a661927c6c65a59f
PhantomStealer
error
PhantomStealer
f9b5586faacc3149e8cc0cbd920bdb8f58a6e8b57bd2acbe9215f61cdd2ea3a3
PhantomStealer
+ 133 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260608-lpx6fact6y/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
Family: PhantomStealer
Unpacked files
SH256 hash:
7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29
MD5 hash:
ae22efc1a186e0f6e114ae2e9255c36e
SHA1 hash:
022bf04922605c6a81a434034f5907189b4ed4ab
Link:
https://www.unpac.me/results/375831dd-1a17-4de7-8ec6-4496ec6eb04e/
SH256 hash:
b55e5647223554845ab1680b630826aca32740c3490e87a9343e4aa1f01f19b1
MD5 hash:
914ea20a5055ef5fe0c02386e31643a6
SHA1 hash:
725c9534cb4bc1ed97c130966792c6a4791d47a8
Link:
https://www.unpac.me/results/375831dd-1a17-4de7-8ec6-4496ec6eb04e/
SH256 hash:
363ee51fc02f20cb206039434758c3afa1c71bc7d316c6db4a39b0d310ab92f9
MD5 hash:
afe085b7324d72673eef749ff5f21a49
SHA1 hash:
a86f1039a8877804b1b2c99aed91312846cd40e5
Link:
https://www.unpac.me/results/375831dd-1a17-4de7-8ec6-4496ec6eb04e/
SH256 hash:
d91c06524bb806a2159d9ea10236f7724fbf4c3c63efe33da6b107d99c771d15
MD5 hash:
ab9e23609c35627258c0479f4884bb4e
SHA1 hash:
abd83cf0c5fae9117a45a663f46197e34edbcce6
Detections:
phantom_stealer
Create hunting rule
Link:
https://www.unpac.me/results/375831dd-1a17-4de7-8ec6-4496ec6eb04e/
Parent samples :
d91c06524bb806a2159d9ea10236f7724fbf4c3c63efe33da6b107d99c771d15
0f9fcd8bfc73b744ce1ec0185645156969f864ec4142204fea4b2608226248c5
7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b174447649c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b174447649c77a0077b8a72b3efb18d58c23ba32461ddd47cdbae7dcbf19f29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69889/

Comments