MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562
SHA3-384 hash:	b9d16fa2f7895bbedd27d4addd6a4cff5f47d596782b772f9401af33976abe4dbd49dec6244b5e11bc87c7c25f5fe8e3
SHA1 hash:	5ca76b184c18c4fbfb2b8120d15b944ff7c8f1c3
MD5 hash:	5c0b20599f478d93669d0f3dbe7b33b2
humanhash:	harry-solar-music-xray
File name:	JZXT.exe
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'474'048 bytes
First seen:	2026-02-02 18:18:00 UTC
Last seen:	2026-02-02 19:48:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep	24576:yYs40P/VMaZGDSSkah+xP/4aUoJEiOdt8vSXeDaXQqY7KHBjy2M2:E40P/VMxm5/4joJlOEqXeGm8yx2
Threatray	338 similar samples on MalwareBazaar
TLSH	T132651254765AC912C5A61BF04972DBF52B79BED8E912C3078FDABEEFB436B440901302
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	qemped
Tags:	exe PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/57eace72-747a-443d-8d6d-de84233c024a/

Malware family:

n/a

ID:

File name:

SOA-INVOICES.com.xz

Verdict:

No threats detected

Analysis date:

2026-01-25 18:18:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0ffd416c-8882-49d5-b5de-68c5754ecca1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51292/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6980ea7b0bdf9fb6cc096917

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% subdirectories

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-24T09:07:00Z UTC

Last seen:

2026-02-02T23:49:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d789b869-437e-45bf-99a5-605869fab295

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.39 Win 32 Exe x86

Link:

https://app.malva.re/file/5c0b20599f478d93669d0f3dbe7b33b2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2026-01-23 21:26:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rpfplqmaclvfo4cm6vemyelt4eh5oe3rf5h6xj3fz734hxt4uvra._file

Verdict:

malicious

Label(s):

phantomstealer

PhantomStealer

3e24bc53a54d730bc18f29a09e5bcbca55fa332d67a983a62bb39b12b4514f62

PhantomStealer

414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456

PhantomStealer

56014a5ec7d4be83b5fbe439b9142654a267619981184bb757fb325edd4f3b08

PhantomStealer

66158410eadaa76f6a183087c95b694a1404641be3a16b3b704f4cd56e53f20c

PhantomStealer

78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77

PhantomStealer

893179d3512d7976f223b654ad67c92a94bd10852630a14b2ee19a386212ab56

PhantomStealer

c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5

PhantomStealer

dbbb1c1ad17996d18e3e28537e0188b204657e87b8cb495e05bdb36c75cae466

PhantomStealer

ec5b91ad14060b955dec4c1fcd63be9d63d66185d463ea785e5f888eee460f0b

PhantomStealer

error

PhantomStealer

+ 328 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery persistence stealer

Link:

https://tria.ge/reports/260202-wxvemags6b/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Unpacked files

SH256 hash:

8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562

MD5 hash:

5c0b20599f478d93669d0f3dbe7b33b2

SHA1 hash:

5ca76b184c18c4fbfb2b8120d15b944ff7c8f1c3

Link:

https://www.unpac.me/results/10860d6b-55df-456e-9309-3665e1fc00d9/

SH256 hash:

f532edf1d07195462137164d7f4f280ea22ba02de959b643c09c35532d23b627

MD5 hash:

6072a1d7cc4d4ad959c2d14bc0140e10

SHA1 hash:

4ae33e6530c00861b42b33b59fec0283d1a03527

Link:

https://www.unpac.me/results/10860d6b-55df-456e-9309-3665e1fc00d9/

SH256 hash:

4b55e73a112579deb7c732341bf02508f9003aa00097cb7f96c2a215b0db39b7

MD5 hash:

15f5fe583377fe50d63ac92b8c026730

SHA1 hash:

539913008447cd2aae386f33531702a578966e9a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/10860d6b-55df-456e-9309-3665e1fc00d9/

SH256 hash:

59b29728ddadb3043d2240398c0bea15e3d469b245c880493957d5ea2b4f007b

MD5 hash:

e0851ed9ead56a8b63b20a73575b12ff

SHA1 hash:

5e1da646325949e7bf4616da0a9daf657844d8db

Detections:

phantom_stealer

cn_utf8_windows_terminal

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Link:

https://www.unpac.me/results/10860d6b-55df-456e-9309-3665e1fc00d9/

Parent samples :

8bcaf5c18012ea57704cf548cc1173e10fd713712f4feba765cff7c3de7ca562
53b4317fd9a0cf301121a76a516891ce941588e2b372a82324e36eea5ee3f91e

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8bcaf5c18012/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51292/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample