MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809
SHA3-384 hash:	6029a6d7dff5f8bebf2ae97aa1490f97b258f7f8c016e8ea39a632dd392f8cd64a676ace99ef6bca41204833c5e45617
SHA1 hash:	438b5c48d36ed79c7be365f65ade941caab7d969
MD5 hash:	e902c8f04e4a1de3485c1f6e2a702c46
humanhash:	florida-two-skylark-cat
File name:	SecuriteInfo.com.Trojan.PWS.Siggen5.32333.17769.12347
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'781'760 bytes
First seen:	2026-03-10 07:23:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'843 x AgentTesla, 19'775 x Formbook, 12'297 x SnakeKeylogger)
ssdeep	49152:PlVtVPwrU/YsEznNhWG7CcoiSszyzQrSeuiOoOyV:fwr/bhhZixCL
TLSH	T1DB8512A031EDCA53C11982B90A71E1725F751C6BA401D2C6BEDD6EEBBFE2F010946B53
TrID	70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win64 Executable (generic) (6522/11/2) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/f37647cb-88b4-43ad-94e9-5c9d76fb2684/

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PWS.Siggen5.32333.17769.12347

Verdict:

Malicious activity

Analysis date:

2026-03-10 07:24:27 UTC

Tags:

stealer phantom crypto-regex telegram exfiltration evasion ims-api generic

Link:

https://app.any.run/tasks/821641c1-39f7-4f26-bd6a-cae66589eada

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/56912/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen5.32333.17769.12347.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69afc72be5dc8e2b2c31f923

Tags:

micro hype

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809

Verdict:

Malicious

File Type:

exe x32

Link:

https://opentip.kaspersky.com/8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809/results?tab=lookup

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3d060469-1564-4d3a-852a-8ac64dbe06e0

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.26 Win 32 Exe x86

Link:

https://app.malva.re/file/e902c8f04e4a1de3485c1f6e2a702c46

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809/

Threat name:

Win32.Trojan.Etset

Status:

Malicious

First seen:

2026-03-10 07:10:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q2lpjzvudn2zf2u7j4pdhejijjjtjhkudqemvot3glshptqwfaeq._file

Verdict:

malicious

Label(s):

phantomstealer

Similar samples:

error

PhantomStealer

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery persistence spyware stealer

Link:

https://tria.ge/reports/260310-h8k4fact3y/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of web browsers

Detects PhantomStealer written in C#

PhantomStealer

Phantom_stealer family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8528232795:AAEcxrshf3NCvH1DpgB1iUuJ-dP6S1-Hbe0/sendMessage?chat_id=

Unpacked files

SH256 hash:

8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809

MD5 hash:

e902c8f04e4a1de3485c1f6e2a702c46

SHA1 hash:

438b5c48d36ed79c7be365f65ade941caab7d969

Link:

https://www.unpac.me/results/2e35075e-7352-43a1-bf71-710a0ef66ad5/

SH256 hash:

636a6dd31cfaaa56d1f741b0800635d42d5004813f3125ce158449a8fd84b744

MD5 hash:

f9c353d2ae4e788e5cbaa08328961077

SHA1 hash:

1fd03d21969fcfb7999f93997f7e43583c02fd0f

Link:

https://www.unpac.me/results/2e35075e-7352-43a1-bf71-710a0ef66ad5/

SH256 hash:

c30da53b706364becb823400ceb4f5b38f79c283d1438bd36fcf83700113567f

MD5 hash:

b86249733bbdebdcbaf9fa248a20707f

SHA1 hash:

4be6a63776767ef8542c6f43293a90b5db8ce605

Detections:

phantom_stealer

cn_utf8_windows_terminal

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Link:

https://www.unpac.me/results/2e35075e-7352-43a1-bf71-710a0ef66ad5/

Parent samples :

d266b7b27d36add4acc8cfa1fa5b6ca01517411013109f07564bfe9e078325d4
8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809

SH256 hash:

830cb8323d1ddc185ba97a7eb194c0a223972179483769a0fb47561bb4c1935e

MD5 hash:

2c4a4a0e91bb004503f96fe2bbab06da

SHA1 hash:

db84be3c62eef84723009ec5b8d5b383568c10f1

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/2e35075e-7352-43a1-bf71-710a0ef66ad5/

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8696f4e6b41b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8696f4e6b41b7592ea9f4f1e3391284a53349d541c08caba7b32e477ce162809

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/56912/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample