MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9af2f5e717e15fc83cefbd6ff0b8ec8efb22d1cb49413a03217b9bee50ffe673. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 6

SHA256 hash: 9af2f5e717e15fc83cefbd6ff0b8ec8efb22d1cb49413a03217b9bee50ffe673
SHA3-384 hash: 8cb7fef333f2a79763211c884e1a160988b03e60eec7586ae33e599b189714e6cf2d8d87ccc34db658757cd137b0f6d5
SHA1 hash: ec294b6b10d7c695e028cf2abe3774dbbff63298
MD5 hash: 23649f4c759a9b297c254e52a85cdbc5
humanhash: bulldog-comet-west-beryllium
File name: Re Invoice Submission for Payment.zip
Signature: PhantomStealer
File size: 17'433'112 bytes
First seen: 2025-10-06 07:21:11 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 393216:Nctspyt+cP/PLwR1IXIRsVSi9NOEX0i/9+38OblQdpB:Kht+cPn9X/oi9NO6l/S8ObWj
TLSH: T1B907330E79208F6F67EBBFB73FA072F9D60E69162578568B404749C102CF4D92504FAA
TrID: 60.0% (.WMZ) Windows Media Player skin (6000/1/1)
      40.0% (.ZIP) ZIP compressed archive (4000/1)
Magika: zip
Reporter: cocaman
Tags: INVOICE payment PhantomStealer zip


cocaman
Malicious email (T1566.001)
From: "Alexandru Gavril <antoniopadilla@grupoasgaya.com>" (likely spoofed)
Received: "from grupoasgaya.com (unknown [195.29.176.187]) "
Date: "3 Oct 2025 10:03:37 -0700"
Subject: "INQUIRY"
Attachment: "Re Invoice Submission for Payment.zip"

Intelligence

File Origin
# of uploads: 1
# of downloads: 48
Origin country: CH
File Archive Information

This file archive contains 22 file(s), sorted by their relevance:

File name: MSVCP140.dll
File size: 627'992 bytes
SHA256 hash: 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
MD5 hash: c1b066f9e3e2f3a6785161a8c7e0346a
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: MSVCP140_1.dll
File size: 31'512 bytes
SHA256 hash: 5e627fac479f72363075824423d74d0a5d100bb69377f2a8c0942e12099af700
MD5 hash: d281be80d404478ea08651ab0bf071b5
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-utility-l1-1-0.dll
File size: 21'032 bytes
SHA256 hash: af1e1b84f066ba05da20847bffd874d80a810b5407f8c6647b3ff9e8f7d37863
MD5 hash: 9b622ca5388b6400705c8f21550bae8e
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: Qt5Widgets.dll
File size: 11'188'978 bytes
SHA256 hash: 03211407b165e3d6fbd3f1bb59c2e20b506e6cfae4c7424592e7d1cc7c564fbd
MD5 hash: abea5b95aeb14147b139d070ab8bbe30
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-heap-l1-1-0.dll
File size: 21'544 bytes
SHA256 hash: 2ee3d52640d84ac4f7f7ddfe748f51baa6fd0d492286c781251222420e85ca97
MD5 hash: a22f9a4cbd701209842b204895fedf37
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: 1.exe
File size: 2'160'408 bytes
SHA256 hash: d6bb1fccf4f142d4a41c06f02918883956ebc4ca9b9613c34be5ecc7d3a644fe
MD5 hash: 576e79e43e4b76dbccc82fbe83d84399
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: Qt5Network.dll
File size: 3'334'840 bytes
SHA256 hash: bbaa6b56732c43911fed308516ddc1585dc9cc18552d924210714384f12926d2
MD5 hash: 8c454020d52949362c97cc675f558fe6
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: Qt5Gui.dll
File size: 5'620'408 bytes
SHA256 hash: 7656aac45cb5754be55af191cb5aaa0837f121fbd244de93eba64f942c1938b1
MD5 hash: 58ba6a27e97b80941a160db7b495b7c9
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-string-l1-1-0.dll
File size: 26'664 bytes
SHA256 hash: e71d517e6b7039437e3fc449d8ad12eeeca0d5c8ed1c500555344fd90ddc3207
MD5 hash: aacade02d7aaf6b5eff26a0e3a11c42d
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: VCRUNTIME140.dll
File size: 85'784 bytes
SHA256 hash: 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
MD5 hash: 1453290db80241683288f33e6dd5e80e
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-math-l1-1-0.dll
File size: 29'528 bytes
SHA256 hash: 7c3336c3a50bf3b4c5492c0d085519c040878243e9f7d3ea9f6a2e35c8f1f374
MD5 hash: c4cac2d609bb5e0da9017ebb535634ce
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-filesystem-l1-1-0.dll
File size: 22'568 bytes
SHA256 hash: ab2158fe6b354fb429f57f374ca25105b44e97edcbdc1b752650d895dadd6fd1
MD5 hash: 1193f810519fbc07beb3ffbad3247fc4
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: libGLESv2.dll
File size: 3'594'936 bytes
SHA256 hash: be61113b78c3ebd6abe679dde6523cbfe5f90a43688b3fc7d6941de990013531
MD5 hash: 874da8b26a3493874ac7cc6cf1387b05
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: Qt5Qml.dll
File size: 3'949'752 bytes
SHA256 hash: afcfecfe4d8805cd674a1072b6715ffa9dbed90ba79089a6446250c2de8e20df
MD5 hash: f0745bb5274865b987f1f428a5788d48
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-stdio-l1-1-0.dll
File size: 26'664 bytes
SHA256 hash: e6a1ef1f7c1957c50a3d9c1d70c0f7b0d8badc7f279cd056eb179dc256bfefda
MD5 hash: 5df2410c0afd30c9a11de50de4798089
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-time-l1-1-0.dll
File size: 23'080 bytes
SHA256 hash: c3a70153e1d0ecd1cbf95de033bfef5cfecabe7a8274cafe272cc2c14865cd8c
MD5 hash: 0d9afb006f46478008c180b9da5465ac
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-runtime-l1-1-0.dll
File size: 25'128 bytes
SHA256 hash: 57fe2bab2acb1184a468e45cebe7609a2986d5220bb2d82592b9ca6e22384f89
MD5 hash: dbd23405e7baa8e1ac763fa506021122
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-convert-l1-1-0.dll
File size: 24'616 bytes
SHA256 hash: 983f4d4c7b7330e7f5f091080c1e81905575ebccd97e11dff8a064979ec8d9b8
MD5 hash: 0485c463cd8d2ae1cbd42df6f0591246
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: mbcut.dll
File size: 2'602'768 bytes
SHA256 hash: 84dfee39a405b946ec966f7e3ab8fa65323d14fe5bba11ee2f8dbd22449bda79
MD5 hash: 2ee361fff2dc3bf58f7b5841c56d0253
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: Qt5Core.dll
File size: 6'585'016 bytes
SHA256 hash: b1704968beed0400a20191349d48552968f3dc7ad7b986154357fd5307bd328f
MD5 hash: d7b6555e745bbf93e93066766ecb2710
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-locale-l1-1-0.dll
File size: 21'032 bytes
SHA256 hash: c36f5c0ac5d91a8417866dd4d8c670c2192ba83364693e7438282fb8678c3d1e
MD5 hash: ba17b278fff2c18e34e47562ddde8166
MIME type: application/x-dosexec
Signature: PhantomStealer

File name: api-ms-win-crt-environment-l1-1-0.dll
File size: 21'032 bytes
SHA256 hash: 67bbb287b2e9057bf8b412ad2faa266321ac28c6e6ba5f22169e2517a3ead248
MD5 hash: e48a1860000fd2bd61566e76093984f5
MIME type: application/x-dosexec
Signature: PhantomStealer
Vendor Threat Intelligence

Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: anti-vm expired-cert microsoft_visual_cc signed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Unknown
File Type: zip
First seen: 2025-09-26T21:43:00Z UTC
Last seen: 2025-10-07T15:48:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Zip Archive

Threat name: Win64.Trojan.Midie
Status: Malicious
First seen: 2025-09-26 17:48:41 UTC
File Type: Binary (Archive)
Extracted files: 47
AV detection: 21 of 38 (55.26%)
Threat level: 5/5

Result
Malware family: phantomstealer
Score: 10/10
Tags: family:phantomstealer collection discovery persistence
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Phantomstealer family
Malware Config
C2 Extraction: https://api.telegram.org/bot7400238380:AAESKXmR_7sAiicCgnR7DSpkfNY2F9AinbU/sendMessage?chat_id=6410945890

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Any_SU_Domain
Author: you
Description: Detect any reference to .su domains or subdomains

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: Check_VBox_Description

Rule name: CMD_Shutdown
Author: adm1n_usa32

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: Cross-platform all-malware detector: detects PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Jupyter_infostealer
Author: CD_R0M_
Description: Rule for Jupyter Infostealer/Solarmarker malware from September 2021 to December 2022

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_no_import_table
Description: Detects PE files that have no import table

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)

Rule name: test_Malaysia
Author: rectifyq
Description: Detects files containing the string 'malaysia'

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for Whirlpool constants

Rule name: win_stealer_generic
Author: Reedus0
Description: Rule for detecting generic stealer malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: PhantomStealer
zip 9af2f5e717e15fc83cefbd6ff0b8ec8efb22d1cb49413a03217b9bee50ffe673 (this sample)
983f4d4c7b7330e7f5f091080c1e81905575ebccd97e11dff8a064979ec8d9b8

Delivery method: Distributed via e-mail attachment

Comments