MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2c3a1892d379740143ff9752fcbf6aac138086e7ea0e36e7f69dd7070d8180e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2c3a1892d379740143ff9752fcbf6aac138086e7ea0e36e7f69dd7070d8180e
SHA3-384 hash: 51ca6eeec1976431b87c28195c6ee3650df3e71395e3ee1db07ed6a1ad49ca77905c0de9d104e67232f45d4fd049f251
SHA1 hash: a68c80d10708e5f9021f0d1f270c669c18340f0d
MD5 hash: e54426fc1a87669af58043b5df506dd8
humanhash: mars-carbon-social-angel
File name:PhantomHack 2.0.0.exe
Download: download sample
File size:90'267'136 bytes
First seen:2026-03-18 19:11:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bf3f5698d1c8e5d8bbe8d194ac5d544 (1 x ScarfaceStealer)
ssdeep 786432:dAZqtFi3zQzwBs6vNtcZY5Dfw3pgPVlcmXW:dAZui3zQz2jOZKft
TLSH T179187D03B3A705D5E8F7DA3196E65223A932BC066F3085DF324C17262F73AE05A76B51
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter burger
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'428
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/e0f17711-4072-4156-babe-404cdd593423/
Malware family:
n/a
ID:
1
File name:
PhantomHack2.0.0.exe
Verdict:
Suspicious activity
Analysis date:
2026-03-18 19:10:49 UTC
Tags:
susp-powershell
Link:
https://app.any.run/tasks/af394158-32d7-48fb-b053-800420735b54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69baf8c688c80c01586bb86e
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Connection attempt to an infection source
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Moving a recently created file
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/69baf9104678eefbc7ae6fa1/reports/878af4a5-e26b-49cd-83c6-d6b99afdf96e/overview
Verdict:
Malicious
Labled as:
Trojan.Win64.Downloader.oa
Link:
https://www.hybrid-analysis.com/sample/a2c3a1892d379740143ff9752fcbf6aac138086e7ea0e36e7f69dd7070d8180e
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan-Downloader.Win32.Paph.pht PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/a2c3a1892d379740143ff9752fcbf6aac138086e7ea0e36e7f69dd7070d8180e/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1885980
Signature
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1885980 Sample: PhantomHack 2.0.0.exe Startdate: 18/03/2026 Architecture: WINDOWS Score: 60 21 Multi AV Scanner detection for submitted file 2->21 23 Suspicious powershell command line found 2->23 25 Encrypted powershell cmdline option found 2->25 27 Joe Sandbox ML detected suspicious sample 2->27 8 PhantomHack 2.0.0.exe 1 2->8         started        process3 process4 10 PhantomHack 2.0.0.exe 8->10         started        13 conhost.exe 8->13         started        signatures5 29 Suspicious powershell command line found 10->29 31 Encrypted powershell cmdline option found 10->31 15 tasklist.exe 1 10->15         started        17 powershell.exe 4 10->17         started        process6 process7 19 conhost.exe 15->19         started       
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a2c3a1892d379740143ff9752fcbf6aac138086e7ea0e36e7f69dd7070d8180e
Gathering data
Verdict:
Malicious
Threat:
Trojan-Downloader.Win32.Paph
Link:
https://tip.neiki.dev/file/a2c3a1892d379740143ff9752fcbf6aac138086e7ea0e36e7f69dd7070d8180e
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ulb2dcjng6luafb77f2s7s7wvlatqcdop2qog3t7nhoxa4gydaha._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/260318-xwl8asbx6p/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

rar 393fc85c62f98031ad989d77d572d372e18779abac75a6041222ffcb900bff7a

Executable exe a2c3a1892d379740143ff9752fcbf6aac138086e7ea0e36e7f69dd7070d8180e

(this sample)

  
Dropped by
SHA256 393fc85c62f98031ad989d77d572d372e18779abac75a6041222ffcb900bff7a
  
Dropped by
MD5 36dc5b78b4f86fd764a5fa90a5586a0d

Comments