MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86cc797fb5b5c13bf7595edc8eb5ac58bd57a1e78d60b8330d04b844ca66b082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 14

SHA256 hash: 86cc797fb5b5c13bf7595edc8eb5ac58bd57a1e78d60b8330d04b844ca66b082
SHA3-384 hash: 61217447505099213d2e6fdba5df8745607c31553c2f0578880911cefb36de50e6727913977e979af35a9b8ab41ded85
SHA1 hash: 732e4d9aa291775d920971cf6d53b8197dd24bfb
MD5 hash: 493b46a92c30c8d9d1b0b3315cde057b
humanhash: queen-twenty-skylark-johnny
File name: VULKAN ESPAÑOLA SA REQ_080060026.bat
Signature PhantomStealer
File size: 4'467 bytes
First seen: 2026-06-08 10:51:01 UTC
Last seen: 2026-06-12 21:55:58 UTC
File type: Batch (bat)
MIME type: text/plain
ssdeep 96:i26Azc2OFzVSM6RU+oPRi0EiBB8ykaQ+sr:iMc8BUhPw9L
TLSH T1F5912AB4AEF8C82A690EAD7B30168E0508A47B40F00E762FA77495CD5894D18076FBFC
Magika powershell
Reporter lowmal3
Tags:bat PhantomStealer

Intelligence


File Origin
# of uploads:
4
# of downloads:
66
Origin country:
DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_86cc797fb5b5c13bf7595edc8eb5ac58bd57a1e78d60b8330d04b844ca66b082.txt
Verdict:
Malicious activity
Analysis date:
2026-06-08 10:53:43 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Using obfuscated Powershell scripts
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 encrypted obfuscated powershell
Verdict:
Malicious
File Type:
ps1
First seen:
2026-06-08T05:28:00Z UTC
Last seen:
2026-06-10T09:09:00Z UTC
Hits:
~1000
Detections:
Trojan.PowerShell.Agent.bge Trojan-Downloader.PowerShell.Agent.sb Trojan.PowerShell.Strion.sb
Result
Threat name:
GuLoader, Phantom stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Browser instances using unsafe startup parameters
Creates a thread in another existing process (thread injection)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential PowerShell Command Line Obfuscation
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected GuLoader
Yara detected Phantom stealer
Behaviour
Behavior Graph:
(graph image not reproduced; Behavior Graph ID: 1924355, Sample: VULKAN ESPAÑOLA SA REQ..., Startdate: 08/06/2026, Architecture: WINDOWS, Score: 100)
Threat name:
Script-PowerShell.Trojan.GuLoader
Status:
Malicious
First seen:
2026-06-08 09:24:45 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Result
Malware family:
phantom_stealer
Score:
  10/10
Tags:
family:guloader family:phantom_stealer collection discovery downloader execution persistence stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Executes dropped EXE
Badlisted process makes network request
Detects PhantomStealer written in C#
Family: Guloader, Cloudeye
Family: PhantomStealer
Malware family:
PhantomStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Batch (bat) bat 86cc797fb5b5c13bf7595edc8eb5ac58bd57a1e78d60b8330d04b844ca66b082

(this sample)
Delivery method
Distributed via e-mail attachment

Comments