MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b31a02caad591b90d832673d25c533524d1a3a73a4d3208abce82fe74ff22997. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PhantomStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash: b31a02caad591b90d832673d25c533524d1a3a73a4d3208abce82fe74ff22997
SHA3-384 hash: b00f84614687638a4f5e40d92147ca2968cd03bd5ee31e1909c31597acadda80aff85b535cac19a585f9eda99cc0d5d0
SHA1 hash: ac01d136917bb81a26572f42bafc7f95aaee09d0
MD5 hash: 21a1309d493edafc14d16cfae2858659
humanhash: california-delaware-seventeen-november
File name:Factura.PDF.js
Download: download sample
Signature PhantomStealer
File size:67'120 bytes
First seen:2026-04-17 14:12:04 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:hC71U80/mdqV61bt0INWELnqKId7TJh1TAsSRPkr1ruFzYW/+AQbCi8VSrhqWS4X:6y1hQa
TLSH T1366325E925CF8C0CBD6BDB02F316275CC9E674930B303636A6671688EFF794A6A14474
Magika javascript
Reporter abuse_ch
Tags:js PhantomStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
114
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.1%
Tags:
ransomware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint lolbin masquerade repaired wscript
Verdict:
Malicious
File Type:
js
First seen:
2026-04-16T05:30:00Z UTC
Last seen:
2026-04-19T12:35:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic BSS:Trojan.Win32.Generic Trojan.JS.SAgent.sb
Result
Threat name:
KeyLogger, Phantom stealer, PhantomGate,
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Browser instances using unsafe startup parameters
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Creates processes via WMI
Excessive usage of taskkill to terminate processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious Parent Double Extension File Execution
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected PhantomGate
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Strela Stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1900188 Sample: Factura.PDF.js Startdate: 17/04/2026 Architecture: WINDOWS Score: 100 86 shed.dual-low.part-0012.t-0009.t-msedge.net 2->86 88 shed.dual-low.part-0010.t-0009.t-msedge.net 2->88 90 14 other IPs or domains 2->90 114 Sigma detected: Register Wscript In Run Key 2->114 116 Suricata IDS alerts for network traffic 2->116 118 Found malware configuration 2->118 120 28 other signatures 2->120 10 powershell.exe 15 20 2->10         started        15 powershell.exe 2->15         started        17 powershell.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 96 banglabillboard.com 151.106.120.124, 443, 49698, 49773 PLUSSERVER-ASN1DE Germany 10->96 98 hasteb.in 45.33.64.25, 443, 49697, 49767 LINODE-APLinodeLLCUS United States 10->98 84 C:\ProgramData84r1.js, ASCII 10->84 dropped 138 Suspicious powershell command line found 10->138 140 Found many strings related to Crypto-Wallets (likely being stolen) 10->140 142 Creates multiple autostart registry keys 10->142 21 RegAsm.exe 6 10->21         started        24 powershell.exe 12 10->24         started        26 conhost.exe 10->26         started        144 Writes to foreign memory regions 15->144 146 Injects a PE file into a foreign processes 15->146 28 RegAsm.exe 15->28         started        30 powershell.exe 15->30         started        32 conhost.exe 15->32         started        34 powershell.exe 17->34         started        36 2 other processes 17->36 100 127.0.0.1 unknown unknown 19->100 148 Wscript starts Powershell (via cmd or directly) 19->148 150 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->150 152 Suspicious execution chain found 19->152 154 Creates processes via WMI 19->154 38 6 other processes 19->38 file6 signatures7 process8 signatures9 122 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->122 124 Writes to foreign memory regions 21->124 126 Allocates memory in foreign processes 21->126 134 2 other signatures 21->134 40 msedge.exe 21->40         started        52 6 other processes 21->52 43 cmd.exe 1 24->43         started        46 conhost.exe 24->46         started        128 Creates a thread in another existing process (thread injection) 28->128 130 Injects a PE file into a foreign processes 28->130 54 10 other processes 28->54 56 2 other processes 30->56 48 cmd.exe 34->48         started        50 conhost.exe 34->50         started        132 Creates multiple autostart registry keys 38->132 58 4 other processes 38->58 process10 dnsIp11 92 192.168.2.8, 138, 443, 49465 unknown unknown 40->92 94 239.255.255.250 unknown Reserved 40->94 60 msedge.exe 40->60         started        70 4 other processes 40->70 136 Excessive usage of taskkill to terminate processes 43->136 63 taskkill.exe 1 43->63         started        72 3 other processes 43->72 74 4 other processes 48->74 66 firefox.exe 52->66         started        68 chrome.exe 54->68         started        76 4 other processes 56->76 78 4 other processes 58->78 signatures12 process13 dnsIp14 102 part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49691, 49695 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 60->102 104 ax-0001.ax-msedge.net 150.171.27.10, 443, 49727 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 60->104 112 36 other IPs or domains 60->112 156 Creates processes via WMI 63->156 106 mozilla.map.fastly.net 151.101.1.91, 443, 49706 FASTLYUS United States 66->106 158 Monitors registry run keys for changes 66->158 80 firefox.exe 66->80         started        108 googlehosted.l.googleusercontent.com 142.250.72.1, 443, 49787, 49806 GOOGLEUS United States 68->108 110 clients2.googleusercontent.com 68->110 82 setup.exe 70->82         started        signatures15 process16
Gathering data
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2026-04-16 13:02:58 UTC
File Type:
Text (JavaScript)
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Result
Malware family:
phantom_stealer
Score:
  10/10
Tags:
family:phantom_stealer collection defense_evasion discovery execution persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
Family: PhantomStealer
Process spawned unexpected child process
Malware Config
C2 Extraction:
https://api.telegram.org/bot8525025862:AAH0P4DSwyHm90tqc8Dni0Yz87j3g_viE6U/sendMessage?chat_id=7629232865
Malware family:
HomeesNETInjector
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments