MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f
SHA3-384 hash:	51c6c7da1abcfcd89a43e85437eb68075c3f4fa4a67f822e922f81f1cd72362cade634e2d55acb3a050e8498142fa3db
SHA1 hash:	0115f14e9874da7aa58119bcbba48a2db826bcda
MD5 hash:	ba650e75ca3c98bf5cde03476204cd44
humanhash:	california-saturn-fruit-ink
File name:	SecuriteInfo.com.Win32.MalwareX-gen.86229973
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'547'776 bytes
First seen:	2026-02-04 07:32:35 UTC
Last seen:	2026-02-04 08:19:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'661 x Formbook, 12'252 x SnakeKeylogger)
ssdeep	24576:A81GhgAoxvlybCWPSSVp9V8ND1f0oZPMl/TXt/Eio9eOIwtQ7tRKCoyHlfuv8ML0:GhJoxvcNqM9V8PJZET5Ef9JIwtQ54CoR
Threatray	325 similar samples on MalwareBazaar
TLSH	T1E165131DB775AEA1C20C273BC80B607D41E6C827D262FA552ACD7DE12F29B48C58FD46
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

DeepSea

Details

DeepSea

DeepSea decrypted strings

Link:

https://research.acce.ciphertechsolutions.com/results/771c4ff8-4399-4235-917a-132dc58f4430/

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.86229973

Verdict:

Malicious activity

Analysis date:

2026-02-04 07:35:05 UTC

Tags:

auto-startup susp-lnk stealer phantom crypto-regex evasion

Link:

https://app.any.run/tasks/75699f5f-2157-4265-b468-062fcaacff47

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51616/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.86229973.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6982f63b6b1af47db72ca886

Tags:

autorun spam

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

explorer lolbin obfuscated obfuscated packed vbnet

Link:

https://www.filescan.io/uploads/6982f638930564ff3c88de97/reports/84876658-49dc-40ad-b745-88f8ecd5bd41/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

Link:

https://opentip.kaspersky.com/aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f/results?tab=lookup

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9ac4bb84-8f8d-4666-b81b-ca8ac01704b6

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86

Link:

https://app.malva.re/file/ba650e75ca3c98bf5cde03476204cd44

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f/

Verdict:

Malicious

Threat:

Family.DEEPSEAOBFUSCATOR

Link:

https://tip.neiki.dev/file/aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2026-02-04 07:14:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 36 (38.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vjckk4flx27i55teulo5irtp2b236wkvolsmfq37bciyfz47gzhq._file

Verdict:

malicious

Label(s):

phantomstealer

PhantomStealer

3e24bc53a54d730bc18f29a09e5bcbca55fa332d67a983a62bb39b12b4514f62

PhantomStealer

414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456

PhantomStealer

56014a5ec7d4be83b5fbe439b9142654a267619981184bb757fb325edd4f3b08

PhantomStealer

66158410eadaa76f6a183087c95b694a1404641be3a16b3b704f4cd56e53f20c

PhantomStealer

764892433fc11dc14ec10608d16131c178f7750b4fc9f8075a94d3824687162f

PhantomStealer

78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77

PhantomStealer

c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5

PhantomStealer

dbbb1c1ad17996d18e3e28537e0188b204657e87b8cb495e05bdb36c75cae466

PhantomStealer

ec5b91ad14060b955dec4c1fcd63be9d63d66185d463ea785e5f888eee460f0b

PhantomStealer

error

PhantomStealer

+ 315 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery persistence spyware stealer

Link:

https://tria.ge/reports/260204-jdmt8ahv8c/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops startup file

Reads user/profile data of web browsers

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Unpacked files

SH256 hash:

aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f

MD5 hash:

ba650e75ca3c98bf5cde03476204cd44

SHA1 hash:

0115f14e9874da7aa58119bcbba48a2db826bcda

Link:

https://www.unpac.me/results/33318188-33f5-4c42-8ca9-33a952834c2f/

SH256 hash:

63a01138fc2f3221947d4534148e1cbd68f082db272344b7db4ccec8f13e3c2e

MD5 hash:

e1072a0573971e6a2df635bdd2df50ec

SHA1 hash:

1036555e92971c9b2cf74f9bd3863a119a31534f

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/33318188-33f5-4c42-8ca9-33a952834c2f/

SH256 hash:

468e491b66b67fe4b64be0441f709145df86de15491c897eb2869c1adac9a3b3

MD5 hash:

b4df8ac88d4642b060ebc766b5c04a01

SHA1 hash:

110779523111be1b742a890f66fdff25abaab34f

Detections:

phantom_stealer

cn_utf8_windows_terminal

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Link:

https://www.unpac.me/results/33318188-33f5-4c42-8ca9-33a952834c2f/

SH256 hash:

7d275fc770abe73a59441dae206b95455c5d56ff998b9688e5c1b71e4c8fc92e

MD5 hash:

291851caa7a8f194783c68ad06f695c9

SHA1 hash:

26905685b548aca046b75a5129a3a005d5a0a88c

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/33318188-33f5-4c42-8ca9-33a952834c2f/

Parent samples :

77e10fce419cf22127e04f301914bf28f0511a23380221059522d06d15007d90
aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f
823e02bde8acad7fd8fb24bd0f5628fcf9faacbe61efed1d47dd115ec63b55f9
aaefbeec8082e0205165604275b5f7fd9e5d9c75de06e97ec157a081fed3b57a
086a8fb7b92306c495fc562bff32642b856edfc1077ed7c00956ae59363a0fb1

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aa44a570abbe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa44a570abbebe8ef664a2ddd4466fd075bf595572e4c2c37f089182e79f364f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51616/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample