MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786
SHA3-384 hash: ecdb3acb33725fe4a4ae4439c003e90c03076bd786cc45999332674f11820cdfaec1d6ce9cba1454e32825876fd24377
SHA1 hash: b0e1fd61e097ac14b21ef0bfa2d2cec3af3aa9b6
MD5 hash: 975f2e66bfd9bc079a84fc737231b13c
humanhash: august-alabama-item-quiet
File name:dhl 81 abu 885 81 abu 768_Navlun FAT..bat
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'612'800 bytes
First seen:2026-06-10 16:25:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'067 x AgentTesla, 20'019 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 49152:GYQN+47U1Bdh+u5KVks85RkmDwYtMa1Hec840g:GrY4g1f15KVR41Hec8W
Threatray 110 similar samples on MalwareBazaar
TLSH T1D97512885953D80BC96A27389AF1F13412B85ED9F503D21B5FED3EEBBC66B940C54283
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:bat exe PhantomStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
NETReactor RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/5162643a-54c5-4698-bb78-16c4c68f2ee2/
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-06-10 16:26:14 UTC
Tags:
netreactor auto-reg ip-check stealer phantom evasion smtp
Link:
https://app.any.run/tasks/a62cbd36-1d5d-477c-b148-0e2a7e76953f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3586.9939.3635.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a299085a15110463ee487d9
Tags:
keylog spam sage word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade net_reactor obfuscated packed packed
Link:
https://www.filescan.io/uploads/6a2990c4554e843ff86762e8/reports/945d40a6-29b1-4897-ad17-2f6a19e189a7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-10T08:39:00Z UTC
Last seen:
2026-06-11T14:16:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Agent.SMTP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Crypt.gen Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9bd879e6-2d1e-4b2f-bcd2-dc004cd5684e
Result
Threat name:
KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1926083
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Browser instances using unsafe startup parameters
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Executable File Creation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1926083 Sample: dhl 81 abu 885 81 abu 768_N... Startdate: 10/06/2026 Architecture: WINDOWS Score: 100 69 mail.binhminhfood.com.vn 2->69 71 youtube-ui.l.google.com 2->71 73 67 other IPs or domains 2->73 85 Found malware configuration 2->85 87 Antivirus detection for URL or domain 2->87 89 Antivirus / Scanner detection for submitted sample 2->89 91 20 other signatures 2->91 9 dhl 81 abu 885 81 abu 768_Navlun FAT..bat.exe 4 2->9         started        13 dhl 81 abu 885 81 abu 768_Navlun FAT..bat.exe 2->13         started        15 dhl 81 abu 885 81 abu 768_Navlun FAT..bat.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 file5 67 dhl 81 abu 885 81 ...un FAT..bat.exe.log, ASCII 9->67 dropped 107 Found many strings related to Crypto-Wallets (likely being stolen) 9->107 109 Adds a directory exclusion to Windows Defender 9->109 19 dhl 81 abu 885 81 abu 768_Navlun FAT..bat.exe 26 14 9->19         started        24 powershell.exe 23 9->24         started        111 Injects a PE file into a foreign processes 13->111 26 dhl 81 abu 885 81 abu 768_Navlun FAT..bat.exe 13->26         started        38 2 other processes 13->38 28 dhl 81 abu 885 81 abu 768_Navlun FAT..bat.exe 15->28         started        30 dhl 81 abu 885 81 abu 768_Navlun FAT..bat.exe 15->30         started        32 firefox.exe 3 323 17->32         started        34 msedge.exe 17->34         started        36 firefox.exe 17->36         started        signatures6 process7 dnsIp8 75 mail.binhminhfood.com.vn 118.69.170.150, 49699, 587 FPT-AS-APFPTTelecomCompanyVN Vietnam 19->75 77 icanhazip.com 104.16.184.241, 49698, 80 CLOUDFLARENET-CloudflareIncUS Canada 19->77 59 dhl 81 abu 885 81 ...Navlun FAT..bat.exe, PE32 19->59 dropped 61 dhl 81 abu 885 81 ...exe:Zone.Identifier, ASCII 19->61 dropped 93 Tries to steal Mail credentials (via file / registry access) 19->93 95 Tries to harvest and steal browser information (history, passwords, etc) 19->95 97 Writes to foreign memory regions 19->97 101 5 other signatures 19->101 40 msedge.exe 19->40         started        43 firefox.exe 2 19->43         started        45 chrome.exe 19->45 injected 55 2 other processes 19->55 99 Loading BitLocker PowerShell Module 24->99 47 conhost.exe 24->47         started        79 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49701, 49703, 49736 GOOGLE-CLOUD-PLATFORM-GoogleLLCUS United States 32->79 81 push.services.mozilla.com 34.107.243.93, 443, 49710, 49711 GOOGLE-CLOUD-PLATFORM-GoogleLLCUS United States 32->81 83 10 other IPs or domains 32->83 63 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 32->63 dropped 65 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 32->65 dropped 49 firefox.exe 32->49         started        51 firefox.exe 32->51         started        53 firefox.exe 32->53         started        file9 signatures10 process11 signatures12 103 Monitors registry run keys for changes 40->103 105 Installs a global keyboard hook 40->105 57 msedge.exe 40->57         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q35c23sakxopxsiduuodjavjnvyutihk4v7vzxdzd5tu4xuhu6da._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
197c9b2fe8116d8e9329c5ab49f7fa2a900d27704bb8d36da9d1bc77f2239b07
PhantomStealer
1e0bbcaa4d9b3f4c144e10dad6fb9ecbde607e3c48c2d3194195f56852ef8ffb
PhantomStealer
7c26003b25a03f34ac2ddd11324d2501506ef7fa694cac3ec9d63717d3071783
PhantomStealer
d266b7b27d36add4acc8cfa1fa5b6ca01517411013109f07564bfe9e078325d4
PhantomStealer
e3aeb7f86f362b9c16a292cd4bd9f76ed2f653de8b405557a661927c6c65a59f
PhantomStealer
+ 100 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260610-txyqyadt2z/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
Family: PhantomStealer
Unpacked files
SH256 hash:
86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786
MD5 hash:
975f2e66bfd9bc079a84fc737231b13c
SHA1 hash:
b0e1fd61e097ac14b21ef0bfa2d2cec3af3aa9b6
Link:
https://www.unpac.me/results/108b68c5-84cb-442b-8ab7-593bd1d70ffa/
SH256 hash:
d9e5daf48e8b4a8b777c6f9a7df9c4c41e8338ece797d845c269b9be8605e490
MD5 hash:
883ed17a5c12affc9bc45c75c6ca0d38
SHA1 hash:
13b5ada68a6725657b59c24bb9b6348d5826fa73
Detections:
phantom_stealer
Create hunting rule
Link:
https://www.unpac.me/results/108b68c5-84cb-442b-8ab7-593bd1d70ffa/
Parent samples :
ebaf8f3cf910b2a0e32e97c13712d6dc9ba62fc57ec456a55136420585755bbf
7bc1a0941fd78ba96fdd56d7eec944b31ac5ff6d6548031142d8ef5235bb2037
601a3b4652a3ee14717c169259230d0b3e4fd4bc2e128e26b7f3102d1b375822
86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786
SH256 hash:
5f42eb39ab4b0bd2146a041a921ad316db253d49c0344cf307702968fd91564c
MD5 hash:
c8f5af416eba9e6338ce44f3c969b922
SHA1 hash:
2b285d87078f928d4c1338405e746e9f8d57d602
Link:
https://www.unpac.me/results/108b68c5-84cb-442b-8ab7-593bd1d70ffa/
SH256 hash:
dc060f41fc596c42dec6c6fb3d8fc113caec461c467ab1d3ddcb2bb7097ab39b
MD5 hash:
acedda7f23070b937c9710d2244a3bd7
SHA1 hash:
c499563a1c30ffd2c2469a74f03bba1da62b6139
Link:
https://www.unpac.me/results/108b68c5-84cb-442b-8ab7-593bd1d70ffa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86fa2d6e4055dcfbc903a51c3482a96d7149a0eae57f5cdc791f674e5e87a786

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments