MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a44cdc09efee4306bfd3e76dc65af3876965ffa9fff4a5f4b8c7b4c0fc867084. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 13



SHA256 hash: a44cdc09efee4306bfd3e76dc65af3876965ffa9fff4a5f4b8c7b4c0fc867084
SHA3-384 hash: 7492c22f57fa1efdd15a2ade14c21d1061f4a3c2ed60bad26f66177f9031e9aa98e64d8cabb06c8f0328b63f3f02a2b2
SHA1 hash: 47d7d7731ec955f5dbe89b6740c064359f4829d4
MD5 hash: ee6646fb7c11be161099a19a3fe6e2e1
humanhash: lima-autumn-ack-maryland
File name: ee6646fb7c11be161099a19a3fe6e2e1.js
Signature: PhantomStealer
File size: 18'325 bytes
First seen: 2026-02-27 17:13:17 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 384:KSPfNlzkG4pqF9dfHvrvnOe2MomTIwZ7jeNkz6u9D4B:KYfHsYOe1oC7jYSz4B
TLSH: T11C82038C3EC6F2A65271A437AD2FA15EF7FE5C90B58CC095C63D5CA2E814308E9B6C54
Magika: javascript
Reporter: abuse_ch
Tags: js PhantomStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 93
Origin country: SE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 97.4%
Tags: ransomware downloader shell

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: evasive obfuscated repaired

Verdict: Malicious
Labeled as: SVM:TrojanDownloader/JS.Nemucod

Verdict: Malicious
File Type: js
Detections: Trojan-Downloader.JS.SLoad.sb, HEUR:Trojan-Downloader.Script.Generic, HEUR:Trojan.Script.Generic, Trojan-Downloader.Agent.HTTP.C&C

Result (Joe Sandbox report)
Threat name: n/a
Detection: malicious
Classification: evad.spyw.expl
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Browser instances using unsafe startup parameters
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Potential obfuscated javascript found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic JS Downloader
Yara detected Powershell decode and execute
Behaviour
Behavior Graph (ID 1876140; sample X4j5XhAzwl.js; start date 27/02/2026; architecture WINDOWS; score 100)

Top-level network: umxtxhub.za.com; _kerberos._tcp.dc._msdcs.titanmarin.com.tr; 15 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 7 other signatures

Process tree (destination host, IP:port, AS, country; ephemeral source ports omitted):

wscript.exe
  network: umxtxhub.za.com (16.24.142.86:443, United States)
  dropped: C:\Users\user\AppData\...\SECURED[1].ps1 (ASCII); C:\Temp\RW759SJ4.ps1 (ASCII)
  signatures: System process connects to network (likely due to code injection or exploit); JScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 4 other signatures
  -> powershell.exe
       signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
       -> aspnet_compiler.exe
            network: cmail19.webkontrol.doruk.net.tr (212.58.6.99:587, DORUKNET, Turkey); icanhazip.com (104.16.185.241:80, CLOUDFLARENET, United States)
            signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 6 other signatures
            -> msedge.exe
                 network: 192.168.11.20 (ports 137, 138, 1900); part-0012.t-0009.t-msedge.net (13.107.246.40:443, MICROSOFT-CORP-MSN-AS-BLOCK, United States); 239.255.255.250:1900 (reserved)
                 dropped: C:\Users\user\AppData\...\download_cache (COM); C:\Users\user\AppData\Local\Temp\...\cache (COM)
                 signatures: Monitors registry run keys for changes
                 -> msedge.exe -> cookie_exporter.exe -> WerFault.exe
                 -> msedge.exe -> cookie_exporter.exe -> WerFault.exe
                 -> msedge.exe
                      network: dns.quad9.net (149.112.112.112:443, QUAD9-AS-1, United States); 13.107.213.45:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States); 11 other IPs or domains
                 -> 6 other processes
            -> firefox.exe -> firefox.exe (network: 127.0.0.1) -> firefox.exe
            -> chrome.exe -> chrome.exe
            -> 9 other processes
       -> conhost.exe
svchost.exe
Threat name: Script-JS.Trojan.Heuristic
Status: Malicious
First seen: 2026-02-27 03:12:03 UTC
File Type: Text (JavaScript)
AV detection: 10 of 38 (26.32%)
Threat level: 2/5

Verdict: malicious
Label(s): fantomcrypt
Result
Malware family: phantom_stealer
Score: 10/10
Tags: family:phantom_stealer collection discovery execution persistence stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Please note that we are no longer able to provide a coverage score for Virus Total.
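The execution chain the sandbox reports above (wscript.exe dropping a .ps1 and reaching out to a non-local host, PowerShell started with a script host as its ancestor, a PE injected into aspnet_compiler.exe, that process contacting an SMTP submission port and icanhazip.com and then launching browsers) maps directly onto process-tree hunting rules. The block below is an added example written for this page, not code from MalwareBazaar or from any of the sandbox vendors quoted here; it runs a few constructed Sysmon-style events (ID 1 process create, ID 3 network connect, ID 11 file create) through those rules. The PIDs, image paths, the PowerShell command-line flags, the extra hollowing targets and IP-check hosts, and the benign Outlook control event are assumptions made for the example; only the image names, dropped-file name, hosts and IPs are taken from the entry.

```python
"""Process-tree hunting rules for the wscript -> powershell -> injected
aspnet_compiler.exe chain.  Added example; the EVENTS list is CONSTRUCTED
Sysmon-like telemetry, not output from the sandbox run on this page."""
import ipaddress
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# aspnet_compiler.exe is the injection target seen in the run; the other
# .NET utilities are assumed additions commonly used the same way.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                  "msbuild.exe", "installutil.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
MAIL_PORTS = {25, 465, 587}
IP_CHECK_HOSTS = {"icanhazip.com", "api.ipify.org", "ifconfig.me"}  # first one from the run
DROPPER_EXTS = (".ps1", ".vbs", ".js", ".hta", ".bat", ".exe", ".dll")
# Parameter substrings in the spirit of "Suspicious PowerShell Parameter Substring".
PS_SUSPICIOUS = re.compile(
    r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-w(?:indowstyle)?\s+hidden"
    r"|-enc(?:odedcommand)?\b", re.I)

EVENTS = [  # constructed; paths, PIDs and flags are assumptions
    {"id": 1, "pid": 4100, "ppid": 700, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 5120, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\user\Downloads\ee6646fb7c11be161099a19a3fe6e2e1.js"'},
    {"id": 11, "pid": 5120, "target": r"C:\Temp\RW759SJ4.ps1"},
    {"id": 3, "pid": 5120, "dst_host": "umxtxhub.za.com", "dst_ip": "16.24.142.86", "dst_port": 443},
    {"id": 1, "pid": 5308, "ppid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -nop -w hidden -ep bypass -File C:\Temp\RW759SJ4.ps1"},
    {"id": 1, "pid": 5412, "ppid": 5308,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe"},
    {"id": 3, "pid": 5412, "dst_host": "icanhazip.com", "dst_ip": "104.16.185.241", "dst_port": 80},
    {"id": 3, "pid": 5412, "dst_host": "cmail19.webkontrol.doruk.net.tr",
     "dst_ip": "212.58.6.99", "dst_port": 587},
    {"id": 1, "pid": 5500, "ppid": 5412,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "chrome.exe"},
    # Benign control: Outlook sending mail on 587 must not trigger anything.
    {"id": 1, "pid": 6000, "ppid": 4100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "cmd": "OUTLOOK.EXE"},
    {"id": 3, "pid": 6000, "dst_host": "smtp.office365.com", "dst_ip": "203.0.113.10", "dst_port": 587},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_procs(events):
    """pid -> {name, ppid, cmd}, taken from process-create (ID 1) events."""
    return {e["pid"]: {"name": basename(e["image"]), "ppid": e["ppid"], "cmd": e.get("cmd", "")}
            for e in events if e["id"] == 1}


def lineage(pid, procs, limit=8):
    """Image names walking upward: [self, parent, grandparent, ...]."""
    names = []
    while pid in procs and len(names) < limit:
        names.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return names


def hunt(events):
    """Return (rule, pid) pairs; each rule mirrors one of the sandbox signatures."""
    procs = build_procs(events)
    hits = []
    for pid, p in procs.items():
        me, *ancestors = lineage(pid, procs)
        parent = ancestors[0] if ancestors else None
        # "Wscript starts Powershell (via cmd or directly)": any script-host ancestor counts.
        if me in POWERSHELL and any(a in SCRIPT_HOSTS for a in ancestors):
            hits.append(("wscript_starts_powershell", pid))
        if me in POWERSHELL and PS_SUSPICIOUS.search(p["cmd"]):
            hits.append(("powershell_suspicious_params", pid))
        # "Injects a PE file into a foreign process": the hollowed child of PowerShell.
        if me in HOLLOW_TARGETS and parent in POWERSHELL:
            hits.append(("powershell_spawns_hollow_target", pid))
        # The stealer stage launching browsers to harvest cookies/credentials.
        if me in BROWSERS and parent in HOLLOW_TARGETS:
            hits.append(("hollow_target_spawns_browser", pid))
    for e in events:
        name = procs.get(e["pid"], {}).get("name")
        # "WScript or CScript Dropper": script host writes an executable/script file.
        if e["id"] == 11 and name in SCRIPT_HOSTS and e["target"].lower().endswith(DROPPER_EXTS):
            hits.append(("script_host_dropper", e["pid"]))
        if e["id"] != 3:
            continue
        # "Script Initiated Connection to Non-Local Network".
        if name in SCRIPT_HOSTS and ipaddress.ip_address(e["dst_ip"]).is_global:
            hits.append(("script_host_nonlocal_connection", e["pid"]))
        # Mail submission and external-IP lookups keyed on the injected target's
        # name, not on the port alone, so ordinary mail clients stay quiet.
        if name in HOLLOW_TARGETS and e["dst_port"] in MAIL_PORTS:
            hits.append(("hollow_target_smtp_exfil", e["pid"]))
        if name in HOLLOW_TARGETS and e.get("dst_host", "").lower() in IP_CHECK_HOSTS:
            hits.append(("hollow_target_external_ip_check", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:35s} pid={pid}")
```

Run it with python3 and every rule fires exactly once on the constructed chain while the Outlook control on port 587 stays silent, because the mail-port rule is tied to the injected target's image name rather than to the port. On real telemetry the same functions would be fed Sysmon event IDs 1, 3 and 11 from the event log instead of the EVENTS list; the lineage walk is what makes the PowerShell rule survive an intermediate cmd.exe.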

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments