MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5
SHA3-384 hash: ca19d6b0d9b7f56b1977441a3b6f82bd6ac0224f09605f06499c50dbd926a197df21f55b5a28bb05c27cd9f36e2edbdf
SHA1 hash: 623453054f613630f0c6f603071abb068dffe1b3
MD5 hash: 282d397a52e94c2d57d9c547d664e73e
humanhash: jig-autumn-mississippi-jersey
File name:RFQ-Quotation INQ-RFQ-D-0022026 .bat
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:2'241'474 bytes
First seen:2026-02-02 08:28:31 UTC
Last seen:2026-02-03 06:59:06 UTC
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24576:fyxLn2gd8WSBqjNGwWYCvuOtqLH4mlH7n/OnXRykZ5C07MvQ31MmRgc2sbjhzcR4:fgdGAswWL3tqL7UXx31MmRgWbxzIgV1
Threatray 2'796 similar samples on MalwareBazaar
TLSH T1F5A5021589C86FB9DFAC5A1C80FE160E93F04A8A515A758AEB33BD4BBFFB50401071D9
Magika batch
Reporter lowmal3
Tags:bat PhantomStealer

Intelligence

File Origin
# of uploads :
4
# of downloads :
56
Origin country :
DE DE
Vendor Threat Intelligence
Gathering data
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ-Quotation INQ-RFQ-D-0022026 .zip
Verdict:
Malicious activity
Analysis date:
2026-02-02 05:45:20 UTC
Tags:
arch-doc keylogger agenttesla susp-powershell phantom stealer evasion donutloader loader
Link:
https://app.any.run/tasks/68e54d46-f33e-487f-8a80-bcc52246ee28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51166/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69806067d93e7233498c85eb
Tags:
emotet spam
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated powershell
Link:
https://www.filescan.io/uploads/69806064981ff1d38a445e2f/reports/b7ff6ee4-c0b6-45df-880d-dad776ea2c2e/overview
Verdict:
Suspicious
Labled as:
BAT/Runner.PL trojan
Link:
https://www.hybrid-analysis.com/sample/80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-02-01T09:18:00Z UTC
Last seen:
2026-02-02T09:42:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5/results?tab=lookup
Result
Threat name:
DonutLoader, KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1861449
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Compiles code for process injection (via .Net compiler)
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found large BAT file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected DonutLoader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1861449 Sample: RFQ-Quotation INQ-RFQ-D-002... Startdate: 02/02/2026 Architecture: WINDOWS Score: 100 97 mail.taikei-rmc-co.biz 2->97 99 icanhazip.com 2->99 113 Found malware configuration 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 Multi AV Scanner detection for submitted file 2->117 119 20 other signatures 2->119 12 cmd.exe 1 2->12         started        15 cmd.exe 1 2->15         started        signatures3 process4 signatures5 135 Suspicious powershell command line found 12->135 137 Uses cmd line tools excessively to alter registry or file data 12->137 139 Encrypted powershell cmdline option found 12->139 141 Bypasses PowerShell execution policy 12->141 17 cmd.exe 10 12->17         started        21 conhost.exe 12->21         started        23 cmd.exe 1 15->23         started        25 conhost.exe 15->25         started        process6 file7 85 C:\Users\user\AppData\Roaming\...\PAPER.cmd, DOS 17->85 dropped 107 Suspicious powershell command line found 17->107 109 Uses cmd line tools excessively to alter registry or file data 17->109 111 Encrypted powershell cmdline option found 17->111 27 powershell.exe 30 17->27         started        31 powershell.exe 16 17->31         started        33 conhost.exe 17->33         started        35 reg.exe 1 1 17->35         started        37 powershell.exe 15 23->37         started        39 conhost.exe 23->39         started        41 reg.exe 1 23->41         started        43 powershell.exe 23->43         started        signatures8 process9 file10 91 C:\Users\user\AppData\Local\...\m41hjaky.0.cs, C++ 27->91 dropped 93 C:\Users\user\AppData\...\l52stpgs.cmdline, Unicode 27->93 dropped 143 Injects code into the Windows Explorer (explorer.exe) 27->143 145 Writes to foreign memory regions 27->145 147 Creates a thread in another existing process (thread injection) 27->147 45 explorer.exe 61 101 27->45 injected 49 csc.exe 3 27->49         started        52 csc.exe 3 27->52         started        95 C:\Users\user\AppData\Local\...\continue.ps1, Unicode 31->95 dropped 149 Found many strings related to Crypto-Wallets (likely being stolen) 31->149 151 Found suspicious powershell code related to unpacking or dynamic code loading 31->151 153 Compiles code for process injection (via .Net compiler) 31->153 signatures11 process12 dnsIp13 103 mail.taikei-rmc-co.biz 103.253.42.215, 49702, 587 TELE-ASTeleAsiaLimitedHK Hong Kong 45->103 105 icanhazip.com 104.16.184.241, 49700, 80 CLOUDFLARENETUS United States 45->105 155 System process connects to network (likely due to code injection or exploit) 45->155 157 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->157 159 Tries to harvest and steal browser information (history, passwords, etc) 45->159 161 4 other signatures 45->161 54 cmd.exe 45->54         started        56 msedge.exe 45->56         started        59 firefox.exe 45->59         started        61 chrome.exe 45->61         started        87 C:\Users\user\AppData\Local\...\m41hjaky.dll, PE32 49->87 dropped 63 cvtres.exe 1 49->63         started        89 C:\Users\user\AppData\Local\...\l52stpgs.dll, PE32 52->89 dropped 65 cvtres.exe 1 52->65         started        file14 signatures15 process16 signatures17 67 cmd.exe 54->67         started        70 conhost.exe 54->70         started        129 Injects code into the Windows Explorer (explorer.exe) 56->129 131 Writes to foreign memory regions 56->131 72 firefox.exe 59->72         started        133 Found many strings related to Crypto-Wallets (likely being stolen) 61->133 process18 dnsIp19 121 Suspicious powershell command line found 67->121 123 Uses cmd line tools excessively to alter registry or file data 67->123 125 Encrypted powershell cmdline option found 67->125 75 conhost.exe 67->75         started        77 reg.exe 67->77         started        79 powershell.exe 67->79         started        81 powershell.exe 67->81         started        101 127.0.0.1 unknown unknown 72->101 127 Monitors registry run keys for changes 72->127 83 firefox.exe 72->83         started        signatures20 process21
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Discord
Link:
https://tip.neiki.dev/file/80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5
Threat name:
Script-BAT.Trojan.Runner
Create hunting rule
Status:
Malicious
First seen:
2026-02-01 12:28:24 UTC
File Type:
Text (Batch)
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbkw7co4opadmnztu4ude2vcp6vrf25ibonp4gh3pjp3huof4x2q._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
phantomstealer
Create hunting rule
Similar samples:
0462d2a890595de741f9a29fb99102e43ce72cfe000aff7afbc749771c8bd819
PhantomStealer
0cf3d7eaea22681caa5425bca164468cf7a13f0848e12ad2fe0115b93e0c9f9c
PhantomStealer
0daa3fc7e8c657b4e98fbd3be6b56c2c8950224945c5d0d3c10c2e4967637dce
PhantomStealer
0dbab5ca9c9079ca6099b4f036f7c403e0b61fdcb77dea147ff25d8c349ed1d3
PhantomStealer
31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870
PhantomStealer
815b1ccf52d1f815f76b46b5a23f203dc80debafb39e1b6c95d9d19863a69828
PhantomStealer
8965d3f8da67f5dfb489fc9491240becb0293a1a8bdb56f26e6c4240ab3c76b0
PhantomStealer
c0e7dcf3dc7f8585cca9ebc201b47eed57a71b296a6ef9b6631920fa8db2216e
PhantomStealer
c5ac054b0470e6b792c9064c1fa7eb8ddd5867d69752637330cad3294c4b875b
PhantomStealer
error
PhantomStealer
fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0
PhantomStealer
+ 2'786 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:phantom_stealer collection discovery execution loader persistence stealer
Link:
https://tria.ge/reports/260202-kdrnvacz2a/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Detects DonutLoader
Detects PhantomStealer payload
DonutLoader
Donutloader family
PhantomStealer
Phantom_stealer family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:BAT_Begin_Substring_Env
Create hunting rule
Author:marcin@ulikowski.pl
Description:Detects suspicious substring syntax at the begining of batch script
Reference:https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Batch (bat) bat 80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51166/

Comments