MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c
SHA3-384 hash: 3822a403f7f4c3466a82980ee313127dd29359acef0f10f4d462d45681afe22b3d776a8bd05cfb60b245a2bcf58d089e
SHA1 hash: 69e21b8e6d3c552acabe5d2e75db56d880fc20d4
MD5 hash: 2a27ad3f105fc50033095c5a8eeb23d2
humanhash: fillet-zebra-autumn-six
File name:Fiyat Teklifi ve Termin Bilgisi Rica Ederiz. SiparisNHM-0014.exe
Download: download sample
File size:1'765'376 bytes
First seen:2026-02-19 17:09:51 UTC
Last seen:2026-02-19 17:45:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 24576:HvdP4lTp3YHdCvVGEKN//eu9BrV7qItrE+qlLB1o:HVPYp3MdCvMv5/VVmIUB
TLSH T18D85F1257E632705C53AAB3984271D8423F0C9839A93DB0FAFDD41F8BA5A3F5D660742
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
DeepSea
Details
DeepSea
DeepSea decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/1c38d1d5-f5aa-42ba-999b-dbb8d15b6abb/
Malware family:
n/a
ID:
1
File name:
Fiyat Teklifi ve Termin Bilgisi Rica Ederiz. SiparisNHM-0014.exe
Verdict:
Malicious activity
Analysis date:
2026-02-19 17:13:55 UTC
Tags:
stealer crypto-regex netreactor phantom evasion smtp
Link:
https://app.any.run/tasks/1254fa40-afec-40b0-8d3f-19c12c13b823

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53873/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.69167374.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699744028fffa866e3af7804
Tags:
redline emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/699743ff91ad9169e532c4c8/reports/4a823e21-a602-4a21-99c1-238973f877c3/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34627748-7e0d-4665-a352-6d76ec4479e4
Result
Threat name:
DarkTortilla, KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1872037
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DarkTortilla Crypter
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1872037 Sample: Fiyat Teklifi ve Termin Bil... Startdate: 19/02/2026 Architecture: WINDOWS Score: 100 62 politekhidrolik.com 2->62 64 mail.politekhidrolik.com 2->64 66 19 other IPs or domains 2->66 86 Found malware configuration 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 Yara detected Phantom stealer 2->90 92 15 other signatures 2->92 9 Fiyat Teklifi ve Termin Bilgisi Rica Ederiz. SiparisNHM-0014.exe 3 2->9         started        13 msedge.exe 2->13         started        16 firefox.exe 1 2->16         started        18 firefox.exe 2->18         started        signatures3 process4 dnsIp5 56 Fiyat Teklifi ve T...risNHM-0014.exe.log, ASCII 9->56 dropped 106 Found many strings related to Crypto-Wallets (likely being stolen) 9->106 108 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->108 110 Injects a PE file into a foreign processes 9->110 20 Fiyat Teklifi ve Termin Bilgisi Rica Ederiz. SiparisNHM-0014.exe 15 9 9->20         started        82 192.168.2.6, 138, 443, 49398 unknown unknown 13->82 84 239.255.255.250 unknown Reserved 13->84 24 msedge.exe 13->24         started        26 setup.exe 13->26         started        28 msedge.exe 13->28         started        35 4 other processes 13->35 30 firefox.exe 3 380 16->30         started        33 firefox.exe 18->33         started        file6 signatures7 process8 dnsIp9 68 politekhidrolik.com 89.252.186.172, 49750, 587 RADORETR Turkey 20->68 70 icanhazip.com 104.16.184.241, 49746, 80 CLOUDFLARENETUS United States 20->70 94 Tries to steal Mail credentials (via file / registry access) 20->94 96 Tries to harvest and steal browser information (history, passwords, etc) 20->96 98 Writes to foreign memory regions 20->98 100 4 other signatures 20->100 37 msedge.exe 20->37         started        40 chrome.exe 20->40 injected 42 firefox.exe 1 20->42         started        52 2 other processes 20->52 72 104.208.16.92, 443, 49732 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->72 74 part-0010.t-0009.t-msedge.net 13.107.213.38, 443, 49710 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->74 78 37 other IPs or domains 24->78 44 setup.exe 26->44         started        76 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49767, 49773, 80 GOOGLEUS United States 30->76 80 9 other IPs or domains 30->80 58 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 30->58 dropped 60 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 30->60 dropped 46 firefox.exe 30->46         started        48 firefox.exe 30->48         started        50 firefox.exe 30->50         started        file10 signatures11 process12 signatures13 102 Monitors registry run keys for changes 37->102 104 Installs a global keyboard hook 37->104 54 msedge.exe 37->54         started        process14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c/
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2026-02-19 07:45:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
68
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqylnwh74mf3tfhlldqrzk4gbesfe5k7abckzotn4txtax4pykga._file
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/260219-vpwgaadw7d/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
.NET Reactor proctector
Reads user/profile data of web browsers
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Unpacked files
SH256 hash:
b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c
MD5 hash:
2a27ad3f105fc50033095c5a8eeb23d2
SHA1 hash:
69e21b8e6d3c552acabe5d2e75db56d880fc20d4
Link:
https://www.unpac.me/results/a5973604-9e1a-4e13-877d-630e8fad006b/
SH256 hash:
18bf646fad26a0aa1264cac867789c6d9f4de762bc83b9aeeff0f8d8d48ee6ac
MD5 hash:
4faf9d90e22fe6f5452ab806bb763ed7
SHA1 hash:
564455391f73d9d8f3baf3b907dfb9723f249820
Link:
https://www.unpac.me/results/a5973604-9e1a-4e13-877d-630e8fad006b/
SH256 hash:
94b14081554bfbcbe4d0d670acb2ff350b4a3c63d2b75fccbc60c009493195a5
MD5 hash:
0ddc7943736ab0a4f06e234bbc8105a2
SHA1 hash:
8e8c0554ebd0a374c0ac4e5b48fc3f8ec6d3d995
Detections:
phantom_stealer
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Link:
https://www.unpac.me/results/a5973604-9e1a-4e13-877d-630e8fad006b/
SH256 hash:
a6a6cf76c8a7dd497424f636ddaa9c58a77971f9b267b257f1906c0388c281d6
MD5 hash:
f0ff6d188e5191a7295ae1e852259e7d
SHA1 hash:
c3f1b28ff5806069dc6b694eb2c40af6bdc27078
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/a5973604-9e1a-4e13-877d-630e8fad006b/
Parent samples :
24d6cbd8f4eb920651f82adb1288cd4d5227f6bcd8fe71341ebdeb434bbfae01
b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c
6f998e066e89d74f97f68b8b300cbf96f10df8bca0f96b78082e54ae578c6808
dbd4edd258813db2cac4abddb2a4230b62874591c09daa6ffbcd5c9022ebd042
787603ed370b21f4b0c042915f7fec0e3ad9f1a74f9bea21a99f9e7a5232a31c
cf790980d19ae946d6de6a03100ec1c207ceff95cf7e220d90108c2749fd0f63
24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6
5524f65612afc339bd726ce2d20c9b8040a2137c7c23d8b68c47fe35a02c616d
SH256 hash:
69b83d39655ef00f775e5bc22b91874d629e68319550000343c581318fbe6fd4
MD5 hash:
b02d83e8ecf71c6399a3b3be638fb93b
SHA1 hash:
dfaff9ecb5aeab521334bf05aa7832d3d9af9451
Link:
https://www.unpac.me/results/a5973604-9e1a-4e13-877d-630e8fad006b/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b430b6d8ffe3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53873/

Comments