MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173
SHA3-384 hash:	0c746c6cc765d470ae9713a3d713578f1df177170071d48910748f3e6da787d34072ed4e149efe7693a89e28c05eae1b
SHA1 hash:	c95de6e5339bcf5c95b90026d614247985ff178e
MD5 hash:	590b8d6427c873e995a230bf7e086bed
humanhash:	eight-wolfram-floor-paris
File name:	payment advice.exe
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'517'568 bytes
First seen:	2026-02-18 14:44:17 UTC
Last seen:	2026-02-18 15:36:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'742 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	24576:+/iEOLGGkjsgytBZ8MYQp2v2qbbIxvkn7aNPsDUg2q2lCQiwVruRCrpsdDSn/XO:+/iMHlytBZ3pCbevk7aNP+4VlCQ70e2O
Threatray	382 similar samples on MalwareBazaar
TLSH	T136652348224AEE03E5662B740E66F2B007751EC8E065E31BCFD5FDE7783A7D0585928B
TrID	25.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 25.3% (.EXE) Win64 Executable (generic) (6522/11/2) 17.5% (.EXE) Win32 Executable (generic) (4504/4/1) 8.0% (.ICL) Windows Icons Library (generic) (2059/9) 7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/86b7bea5-1ad8-432a-adc1-207566728ff3/

Malware family:

n/a

ID:

File name:

payment advice.exe

Verdict:

Malicious activity

Analysis date:

2026-02-18 14:45:47 UTC

Tags:

auto-startup amsi-bypass auto-reg stealer phantom crypto-regex evasion

Link:

https://app.any.run/tasks/9caf9396-845f-4dd1-8aba-1626c6f6a793

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53738/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6995d0851ebe863df48533f1

Tags:

autorun micro shell hype

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade obfuscated packed

Link:

https://www.filescan.io/uploads/6995e9a4cd25bfe1dfd4d200/reports/fd49bb74-3b3c-4f72-a959-49a9f45317f3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173

Verdict:

Malicious

File Type:

exe x32

Detections:

PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Injector.gen HEUR:Trojan.MSIL.Crypt.gen Trojan.MSIL.Crypt.sb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb

Link:

https://opentip.kaspersky.com/b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f0186409-d52f-4ec8-8f0a-2a10e2ca6eac

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173/

Verdict:

Malicious

Threat:

Family.PHANTOM

Link:

https://tip.neiki.dev/file/b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173

Threat name:

ByteCode-MSIL.Infostealer.Browsstl

Status:

Malicious

First seen:

2026-02-18 11:59:48 UTC

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wvui4yyn5vwiopswqdv2y6os7xuiql7so6k2jmvybf2fywgp2fzq._file

Verdict:

malicious

Label(s):

phantomstealer

PhantomStealer

3e24bc53a54d730bc18f29a09e5bcbca55fa332d67a983a62bb39b12b4514f62

PhantomStealer

414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456

PhantomStealer

53fa73713016ccf9636f69659053fc115cc779b1e17506d50cf4181474a27e8e

PhantomStealer

56014a5ec7d4be83b5fbe439b9142654a267619981184bb757fb325edd4f3b08

PhantomStealer

66158410eadaa76f6a183087c95b694a1404641be3a16b3b704f4cd56e53f20c

PhantomStealer

78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77

PhantomStealer

c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5

PhantomStealer

dbbb1c1ad17996d18e3e28537e0188b204657e87b8cb495e05bdb36c75cae466

PhantomStealer

ec5b91ad14060b955dec4c1fcd63be9d63d66185d463ea785e5f888eee460f0b

PhantomStealer

error

PhantomStealer

+ 372 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/260218-t2dlkaes9d/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Unpacked files

SH256 hash:

b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173

MD5 hash:

590b8d6427c873e995a230bf7e086bed

SHA1 hash:

c95de6e5339bcf5c95b90026d614247985ff178e

Link:

https://www.unpac.me/results/c11fe4ea-3fe0-43cb-8046-e09f262cc68c/

SH256 hash:

62a43b80daf09bdb31453fdf847dc02131167d0cdf90a68131b07e11cf5de16b

MD5 hash:

fd3aae346258c1274dc806e6d3f18ec9

SHA1 hash:

19138a43f1f187ceabc38a16d0e2802d56732a03

Link:

https://www.unpac.me/results/c11fe4ea-3fe0-43cb-8046-e09f262cc68c/

SH256 hash:

993655b7b15370d8c09874c2cf9c6dc96f622bd84f06c06f6ee8befb5815c0ad

MD5 hash:

ca43b6b9b7805cc50c3d46bad61f1fcc

SHA1 hash:

56413c731e40e371f98fee4651d5c83cc36845d2

Detections:

phantom_stealer

cn_utf8_windows_terminal

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Link:

https://www.unpac.me/results/c11fe4ea-3fe0-43cb-8046-e09f262cc68c/

Parent samples :

74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8
b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173

SH256 hash:

45a97e6eda48aa8bee0fe2054b0135c5b14a03e31600db13dbe76bacebbac5f5

MD5 hash:

40f5a6fd30e262fa4db2128014a265fc

SHA1 hash:

eda916e0a7a7f682ebf38d40556fffe88d703f06

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/c11fe4ea-3fe0-43cb-8046-e09f262cc68c/

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b5688e630ded/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/53738/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample