MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
SHA3-384 hash: de8b53b10b0a9cc3f111f9c06970c59d4b875fa014e3ea91cffdbd47f0c9eeb46928feb99f011035fcb84aa2d3b8bf8e
SHA1 hash: 4585a1b23eb51277056ec26926ac316788c23b45
MD5 hash: 2fa1c8558303b87118a43f000240e817
humanhash: music-network-green-connecticut
File name:MT103_Swift copy.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'824'256 bytes
First seen:2026-01-07 06:37:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'816 x AgentTesla, 19'736 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 24576:laYY1OiddVoCLrMfwTo3//eu9BrV7qIt5ERqWLmboBhRyH:dY1OKvrMeov/VVmICF4H
Threatray 167 similar samples on MalwareBazaar
TLSH T1A585011453E49A18F9BF9B38983955A753F1FCC7EA76DB0D664870EE0D21B81CA90323
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
MT103_Swift copy.exe
Verdict:
Malicious activity
Analysis date:
2026-01-07 06:38:27 UTC
Tags:
stealer crypto-regex phantom netreactor auto-reg evasion
Link:
https://app.any.run/tasks/819acd4c-f781-4ff9-ab95-eb5eb168511c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48027/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695dff589922425f92fe2733
Tags:
redline emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt expand lolbin obfuscated obfuscated unsafe vbnet
Link:
https://www.filescan.io/uploads/695dff576c34f71773c483ab/reports/b4b7c8b3-d1f5-4849-b483-1275c51ac22e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-07T02:11:00Z UTC
Last seen:
2026-01-08T15:36:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealerium.sb HEUR:Trojan.MSIL.InjectorNetT.gen VHO:Backdoor.Win32.Androm.gen UDS:DangerousObject.Multi.Generic Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan.MSIL.Inject.b PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4354a28f-6f54-421f-a168-2bc14bd40653
Result
Threat name:
DarkTortilla, KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1845834
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DarkTortilla Crypter
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1845834 Sample: MT103_Swift copy.exe Startdate: 07/01/2026 Architecture: WINDOWS Score: 100 32 poskirantekstil.com 2->32 34 mail.poskirantekstil.com 2->34 36 icanhazip.com 2->36 48 Found malware configuration 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 17 other signatures 2->54 7 MT103_Swift copy.exe 3 2->7         started        11 MT103_Swift copy.exe 2 2->11         started        13 MT103_Swift copy.exe 2 2->13         started        signatures3 process4 file5 30 C:\Users\user\...\MT103_Swift copy.exe.log, ASCII 7->30 dropped 56 Found many strings related to Crypto-Wallets (likely being stolen) 7->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->58 60 Injects a PE file into a foreign processes 7->60 15 MT103_Swift copy.exe 16 9 7->15         started        20 MT103_Swift copy.exe 11->20         started        22 MT103_Swift copy.exe 11->22         started        24 MT103_Swift copy.exe 13->24         started        signatures6 process7 dnsIp8 38 poskirantekstil.com 94.199.205.77, 49724, 587 AEROTEK-ASTR Turkey 15->38 40 icanhazip.com 104.16.184.241, 49723, 80 CLOUDFLARENETUS United States 15->40 26 C:\Users\user\...\MT103_Swift copy.exe, PE32 15->26 dropped 28 C:\...\MT103_Swift copy.exe:Zone.Identifier, ASCII 15->28 dropped 42 Tries to steal Mail credentials (via file / registry access) 15->42 44 Tries to harvest and steal browser information (history, passwords, etc) 15->44 46 Installs a global keyboard hook 15->46 file9 signatures10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/2fa1c8558303b87118a43f000240e817
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b/
Verdict:
Malicious
Threat:
Family.PHANTOM_STEALER
Link:
https://tip.neiki.dev/file/9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
Threat name:
ByteCode-MSIL.Trojan.Pretoria
Create hunting rule
Status:
Malicious
First seen:
2026-01-07 05:08:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
70
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ts774nbv4qqy7p7l5w54okrolbyjrpoz5nfewmauuogr3gdjqf5q._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
unc_loader_078
Create hunting rule
Similar samples:
0daa3fc7e8c657b4e98fbd3be6b56c2c8950224945c5d0d3c10c2e4967637dce
PhantomStealer
31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870
PhantomStealer
815b1ccf52d1f815f76b46b5a23f203dc80debafb39e1b6c95d9d19863a69828
PhantomStealer
895ac52424ffd4290f510f68bcca67e4cefdb3243cefe2d2b88bb11160e41695
PhantomStealer
db4ba887fbffce0421ef201fd572c3ce93e4d6ecdbd1c13e2707d1d02b2c4f65
PhantomStealer
dc60b3a787e014b5ed9ef2a3eb0d7b7d93ed800d0524a10d0eb8447d47b43926
PhantomStealer
e49c36c3b9de82ab0dfc8e3410d0389de54b21b535f972c81fe289998b52cde3
PhantomStealer
error
PhantomStealer
fa4a8617c2f42af34d02ae881916a128ac30549f3c848fb4e72d37c8ee55aeb1
PhantomStealer
+ 157 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/260107-hd555agl2y/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
.NET Reactor proctector
Executes dropped EXE
Reads user/profile data of web browsers
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4a50ec06-f125-4122-907c-f4c0954ce129
Unpacked files
SH256 hash:
9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
MD5 hash:
2fa1c8558303b87118a43f000240e817
SHA1 hash:
4585a1b23eb51277056ec26926ac316788c23b45
Link:
https://www.unpac.me/results/fb974b6a-dbe1-49e0-91da-cc4dd407a318/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9cbffe3435e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe 9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48027/

Comments