MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17
SHA3-384 hash:	17ca5fa51756c1c7e9792cb24bf2b35ad16021b7ea535967d1e7f9227e10105056d3fd8369c6158e6cdc467bf41549df
SHA1 hash:	9dfccb3ca9d8b8b3c441b5eda6a1af2f1a5f68a2
MD5 hash:	8610c41e6e322b7eff29432be74b9149
humanhash:	alaska-april-march-sodium
File name:	tcl86.dll
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	3'519'488 bytes
First seen:	2026-02-02 16:54:36 UTC
Last seen:	2026-02-02 17:27:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c735ff4d7a29b4d100c198a1c01ba633 (1 x PhantomStealer)
ssdeep	49152:x0IWOpJtY3nv3djzo80M7mzMrKGXOd6f+MWDoHJHcJKp8siluX:x61bed6mPg
Threatray	2'705 similar samples on MalwareBazaar
TLSH	T197F5BF16A3E901B4D57BCB78C651D233CA707D9A9321948B06A8F6053F77AA18F3F721
TrID	66.6% (.EXE) InstallShield setup (43053/19/16) 16.2% (.EXE) Win64 Executable (generic) (10522/11/4) 7.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.1% (.EXE) OS/2 Executable (generic) (2029/13) 3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Anonymous
Tags:	dll exe PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

tcl86.dll

Verdict:

Malicious activity

Analysis date:

2026-02-02 16:57:11 UTC

Tags:

stealer phantom crypto-regex telegram evasion ims-api generic

Link:

https://app.any.run/tasks/34e50d3e-251b-4098-8056-894e41699b31

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51261/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6980d70ba9ffec4a960959fb

Tags:

virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context masquerade microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/6980d707930564ff3c846469/reports/a8081b06-4b27-46c8-9b03-e6e5025a1e1c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17

Verdict:

Malicious

File Type:

dll x64

First seen:

2026-02-02T10:44:00Z UTC

Last seen:

2026-02-03T04:49:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Stealerium.sb HEUR:Trojan.Win64.Generic Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan-PSW.Win32.Disco.gen Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Inject.sb

Link:

https://opentip.kaspersky.com/865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cf486edb-e1c8-4844-a824-cb5ebd3f0153

Score:

93%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17/

Verdict:

Malicious

Threat:

Family.PHANTOM

Link:

https://tip.neiki.dev/file/865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qzn63vahx4cvu5imkcrzrzim7s53pkdqugpfsmnmfhubamgmlmlq._file

Verdict:

malicious

Label(s):

phantomstealer

PhantomStealer

0cf3d7eaea22681caa5425bca164468cf7a13f0848e12ad2fe0115b93e0c9f9c

PhantomStealer

0dbab5ca9c9079ca6099b4f036f7c403e0b61fdcb77dea147ff25d8c349ed1d3

PhantomStealer

31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870

PhantomStealer

80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5

PhantomStealer

815b1ccf52d1f815f76b46b5a23f203dc80debafb39e1b6c95d9d19863a69828

PhantomStealer

8965d3f8da67f5dfb489fc9491240becb0293a1a8bdb56f26e6c4240ab3c76b0

PhantomStealer

c0e7dcf3dc7f8585cca9ebc201b47eed57a71b296a6ef9b6631920fa8db2216e

PhantomStealer

c5ac054b0470e6b792c9064c1fa7eb8ddd5867d69752637330cad3294c4b875b

PhantomStealer

error

PhantomStealer

fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0

PhantomStealer

+ 2'695 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery persistence stealer

Link:

https://tria.ge/reports/260202-vffdpsey7f/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7688992285:AAHe0c6MBDdbXTbl4mMbiulZyUla5FF2hv0/sendMessage?chat_id=6750183315

Unpacked files

SH256 hash:

865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17

MD5 hash:

8610c41e6e322b7eff29432be74b9149

SHA1 hash:

9dfccb3ca9d8b8b3c441b5eda6a1af2f1a5f68a2

Link:

https://www.unpac.me/results/edbf8301-6374-4aa4-8ac5-0cd3d8131b24/

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/865bedd407bf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/865bedd407bf055a750c50a398e50cfcbbb7a870a19e5931ac29e81030cc5b17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51261/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample