MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc
SHA3-384 hash: 8a006ce58e35199a5a00d8e460e340800b75b2192995b8521eb9e1e1aa07f947a92e7613e55cec379abe6930690a3637
SHA1 hash: 9c1c0988420a2cea8dcc79d1721c34529156929c
MD5 hash: 8ed08b5340a193492f1adf356c685cff
humanhash: avocado-stream-pasta-seven
File name:dsfsdofw0gge0gf0h0e0et34ertiurt090tfd9dfgt3tter0d9gd0fg0gg0dg0d0g0dfg0cvb0.hta
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:79'326 bytes
First seen:2025-10-29 12:23:30 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 384:gJvLDGyL4jk6oL5oBKKKeaYu+8m3n4xkihcy:2Jb6oL5oBK3Nc6cy
Threatray 107 similar samples on MalwareBazaar
TLSH T1A473A0C8A5CA8BCAFC16B6480EB31C5A9B038C1E543508F6B80EF84D67BD1569ED45F7
Magika html
Reporter abuse_ch
Tags:hta PhantomStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69020697706befaf4ec9f644
Tags:
obfuscate xtreme spawn
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc/results/dashboard
Payload URLs
URL
File name
http://ixti.net/development/javascript/2011/11/11/cofiring-enpreposteratedepreposterate-of-utf8-in-browser-with-js.html
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc
Verdict:
Malicious
File Type:
hta
First seen:
2025-10-29T03:01:00Z UTC
Last seen:
2025-10-31T04:35:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan-Downloader.JS.SLoad.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc/results?tab=lookup
Result
Threat name:
Caminho Loader, Phantom stealer, Strela
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1803850
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Caminho Loader
Yara detected Costura Assembly Loader
Yara detected Phantom stealer
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1803850 Sample: dsfsdofw0gge0gf0h0e0et34ert... Startdate: 29/10/2025 Architecture: WINDOWS Score: 100 137 api.telegram.org 2->137 139 surveillance.steelpanman.com 2->139 141 28 other IPs or domains 2->141 177 Suricata IDS alerts for network traffic 2->177 179 Found malware configuration 2->179 181 Malicious sample detected (through community Yara rule) 2->181 185 20 other signatures 2->185 14 mshta.exe 1 2->14         started        17 cmd.exe 2->17         started        19 msedge.exe 2->19         started        22 10 other processes 2->22 signatures3 183 Uses the Telegram API (likely for C&C communication) 137->183 process4 dnsIp5 205 Suspicious powershell command line found 14->205 24 powershell.exe 15 15 14->24         started        28 cmd.exe 17->28         started        30 conhost.exe 17->30         started        143 192.168.2.4, 138, 31166, 443 unknown unknown 19->143 145 192.168.2.16 unknown unknown 19->145 147 2 other IPs or domains 19->147 207 Maps a DLL or memory area into another process 19->207 32 msedge.exe 19->32         started        40 7 other processes 19->40 34 cmd.exe 22->34         started        36 cmd.exe 22->36         started        38 cmd.exe 22->38         started        42 15 other processes 22->42 signatures6 process7 dnsIp8 149 spaste.us 76.76.21.21, 443, 49718 AMAZON-02US United States 24->149 151 archive.org 207.241.224.2, 443, 49716 INTERNET-ARCHIVEUS United States 24->151 153 ia902801.us.archive.org 207.241.232.101, 443, 49717 INTERNET-ARCHIVEUS United States 24->153 195 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->195 197 Drops script or batch files to the startup folder 24->197 199 Found many strings related to Crypto-Wallets (likely being stolen) 24->199 201 6 other signatures 24->201 45 CasPol.exe 1 7 24->45         started        50 conhost.exe 24->50         started        52 cmd.exe 28->52         started        155 ntp.msn.com 32->155 157 c.msn.com 32->157 159 34 other IPs or domains 32->159 54 cmd.exe 34->54         started        56 cmd.exe 36->56         started        58 cmd.exe 38->58         started        60 setup.exe 40->60         started        161 14 other IPs or domains 42->161 127 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 42->127 dropped 129 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 42->129 dropped 62 cmd.exe 42->62         started        64 7 other processes 42->64 file9 signatures10 process11 dnsIp12 163 surveillance.steelpanman.com 5.101.84.143, 31166, 49719 PINDC-ASRU Russian Federation 45->163 131 C:\Users\user\AppData\Local\Temp\yujvid.bat, ASCII 45->131 dropped 133 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 45->133 dropped 209 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->209 66 cmd.exe 1 45->66         started        211 Suspicious powershell command line found 52->211 69 powershell.exe 52->69         started        72 conhost.exe 52->72         started        74 powershell.exe 54->74         started        76 conhost.exe 54->76         started        78 2 other processes 56->78 80 2 other processes 58->80 82 2 other processes 62->82 84 8 other processes 64->84 file13 signatures14 process15 file16 169 Suspicious powershell command line found 66->169 86 cmd.exe 1 66->86         started        88 conhost.exe 66->88         started        111 C:\Users\user\AppData\Roaming\...\1e3e.bat, ASCII 69->111 dropped 171 Drops script or batch files to the startup folder 69->171 173 Found suspicious powershell code related to unpacking or dynamic code loading 69->173 175 Loading BitLocker PowerShell Module 69->175 113 C:\Users\user\AppData\Roaming\...\6614.bat, ASCII 74->113 dropped 115 C:\Users\user\AppData\Roaming\...\7de6.bat, ASCII 78->115 dropped 117 C:\Users\user\AppData\Roaming\...\0a4e.bat, ASCII 80->117 dropped 119 C:\Users\user\AppData\Roaming\...\5b30.bat, ASCII 82->119 dropped 121 C:\Users\user\AppData\Roaming\...\4293.bat, ASCII 84->121 dropped 123 C:\Users\user\AppData\Roaming\...\189d.bat, ASCII 84->123 dropped 125 C:\Users\user\AppData\Roaming\...\0705.bat, ASCII 84->125 dropped signatures17 process18 process19 90 cmd.exe 2 86->90         started        signatures20 203 Suspicious powershell command line found 90->203 93 powershell.exe 11 39 90->93         started        98 conhost.exe 90->98         started        process21 dnsIp22 165 api.telegram.org 149.154.167.220, 443, 49777, 49790 TELEGRAMRU United Kingdom 93->165 167 icanhazip.com 104.16.184.241, 49789, 80 CLOUDFLARENETUS United States 93->167 135 C:\Users\user\AppData\Roaming\...\3b47.bat, ASCII 93->135 dropped 213 Tries to harvest and steal browser information (history, passwords, etc) 93->213 215 Writes to foreign memory regions 93->215 217 Installs a global keyboard hook 93->217 219 3 other signatures 93->219 100 msedge.exe 93->100         started        103 chrome.exe 93->103 injected 105 msedge.exe 93->105 injected 107 2 other processes 93->107 file23 signatures24 process25 signatures26 187 Monitors registry run keys for changes 100->187 189 Installs a global keyboard hook 100->189 109 msedge.exe 100->109         started        191 Found many strings related to Crypto-Wallets (likely being stolen) 103->191 193 Writes to foreign memory regions 105->193 process27
Score:
64%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Html
Link:
https://app.malva.re/file/8ed08b5340a193492f1adf356c685cff
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-10-29 07:47:20 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ublzbgdxlgie5kwpsm2ardaitpblvoimoir5nzzngakaior3ok6a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
phantomstealer
Create hunting rule
Similar samples:
32d605dc2e89607318b9039a6511ca4c91d770f9dfc514d89fe5232c7b269008
PhantomStealer
3c4850bad9e48453996875f76725ab4caf188613ec4621fef7fbca2fd19c2147
PhantomStealer
4ffb945bc637b8c2e1d287c1f6127121d967e1366f0a437f2b7f505fac391f5d
PhantomStealer
750178918522765b83b32510dce10c8cf9614ae72b95539f93b8ba7088bb1779
PhantomStealer
80943dad82a060b3506f2312c2d282f117e08a1b16cd9f1f6fcaf852be916407
PhantomStealer
b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9
PhantomStealer
b9673438f2064f7660899c46219889f3b76db3b64efcc1d074023bceea7cd043
PhantomStealer
cc2204af1024b7fc2c9c7e0132ce788518f3d835741d489886fbab703c08d400
PhantomStealer
error
PhantomStealer
f75bc578269b2286c78a711a0cc932ba6b57e1e2642b883847400c44c8bb57f5
PhantomStealer
febef3a364126ac2aa64f960389c62bd38cc9cfced7606726afe7f0824c239a7
PhantomStealer
+ 97 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/251029-pktt1af16g/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://archive.org/download/optimized_msi_20251025_0159/optimized_MSI.png
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a05790987759/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PhantomStealer

HTML Application (hta) hta a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3690211/
  
Delivery method
Distributed via web download

Comments