MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc3f5e9e8a61735805215ca013abd153e8a93d49af5b40445e3e77945f53c939. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NWHStealer
Vendor detections: 8

SHA256 hash: bc3f5e9e8a61735805215ca013abd153e8a93d49af5b40445e3e77945f53c939
SHA3-384 hash: ae57307a7dd0597fab82493393b8d7b691aa7e88e2b137b11eb6ce332a5b74082785dbe6f85f254384152ecb7d6ef3d1
SHA1 hash: a91d7f8f358809441c1957632de3ea4c03a57a7c
MD5 hash: 69c1a7f285fc53bfa8236691d6306d56
humanhash: march-twelve-sierra-magazine
File name: Phantom.CS2.zip
Signature: NWHStealer
File size: 42'748'934 bytes
First seen: 2026-05-30 11:34:17 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 786432:lFKw3qhTN8nTTO/KDps4zkDupZ4IJjBWzNod+LC28a7cqueYYQsDjso:lH9HO/Eps4zkDucCW0SC22peYYQeoo
TLSH: T1299733C87CF02487FC329942446B5ACEE132E426687A49FF665A472CB6C0FD457FA19C
Magika: zip
Reporter: burger
Tags: NWHStealer zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 119
Origin country: DE
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Phantom Loader.exe
File size: 117'440'512 bytes
SHA256 hash: cc6b71e9ad9098c329427da3006bc00626bf79b1b4c0523373bda7ad20eb71bf
MD5 hash: 4a4712f1ada2500a9a121daaf189df0b
MIME type: application/x-dosexec
Signature: NWHStealer
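
Before acting on the hashes above, a practitioner will want to confirm that whatever copy of the archive they are holding is the one this entry describes, and that the member inside it is the listed Phantom Loader.exe, without ever writing the executable to disk. The script below is an added example and is not part of MalwareBazaar or its tooling: it hashes the container and each member by streaming (the listed member is 117'440'512 bytes, which is exactly 112 MiB), compares the SHA256 values against the IOCs copied from this entry, and reports members whose inflated size differs from the listed size. The function names, the MAX_MEMBER_BYTES cap (a zip-bomb guard chosen here), and the stand-in archive built by build_demo_zip are all assumptions of the example; the demo archive is constructed locally and will not match the real sample. ssdeep and TLSH are not recomputed because they need third-party libraries.

```python
"""Verify an archive sample against the hashes listed on a MalwareBazaar entry.

Added example, not part of the MalwareBazaar page or its tooling. The IOC
values below are copied from this entry; the archive bytes used for the
demonstration are constructed here and will not match the real sample.
"""
import hashlib
import io
import zipfile

# SHA256 values as listed on this entry (container and its single member).
LISTED_IOCS = {
    "bc3f5e9e8a61735805215ca013abd153e8a93d49af5b40445e3e77945f53c939": "Phantom.CS2.zip (container)",
    "cc6b71e9ad9098c329427da3006bc00626bf79b1b4c0523373bda7ad20eb71bf": "Phantom Loader.exe (member)",
}
# Inflated member size as listed on this entry (117'440'512 bytes = 112 MiB exactly).
LISTED_SIZES = {"Phantom Loader.exe": 117_440_512}

CHUNK = 1 << 20                        # stream in 1 MiB blocks; the member is large
MAX_MEMBER_BYTES = 512 * 1024 * 1024   # assumption: refuse to inflate anything larger (zip-bomb guard)


def digest_stream(stream):
    """Return (md5, sha1, sha256) hex digests of a binary stream, read in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
        sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def inventory_archive(data: bytes):
    """Hash the container and every member; nothing is written to disk."""
    _, _, outer = digest_stream(io.BytesIO(data))
    records = [{"name": "<container>", "size": len(data), "sha256": outer}]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # The central directory tells us the inflated size before we decompress.
            if info.file_size > MAX_MEMBER_BYTES:
                records.append({"name": info.filename, "size": info.file_size,
                                "sha256": None, "skipped": "exceeds MAX_MEMBER_BYTES"})
                continue
            with zf.open(info) as fh:
                md5, sha1, sha256 = digest_stream(fh)
            records.append({"name": info.filename, "size": info.file_size,
                            "compressed": info.compress_size,
                            "md5": md5, "sha1": sha1, "sha256": sha256})
    return records


def match_iocs(records, iocs=LISTED_IOCS):
    """Return the records whose SHA256 appears in the IOC set, with the IOC label attached."""
    return [dict(r, ioc=iocs[r["sha256"]]) for r in records if r.get("sha256") in iocs]


def size_discrepancies(records, listed_sizes=LISTED_SIZES):
    """Report members whose inflated size differs from what the entry lists: (name, listed, actual)."""
    return [(r["name"], listed_sizes[r["name"]], r["size"])
            for r in records if r["name"] in listed_sizes and r["size"] != listed_sizes[r["name"]]]


def build_demo_zip(member_name="Phantom Loader.exe", payload=b"MZ" + b"\x00" * 4096):
    """Constructed stand-in archive for the demonstration; not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    recs = inventory_archive(build_demo_zip())
    for r in recs:
        print(f"{r['name']:<20} {r['size']:>12} {r.get('sha256')}")
    print("IOC matches:", match_iocs(recs))
    print("size discrepancies (name, listed, actual):", size_discrepancies(recs))
```

Run against the real archive by passing its bytes to inventory_archive instead of the demo; a match on the member hash together with an empty discrepancy list is the result you want before the entry's tags and vendor verdicts are applied to your copy.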
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: obfuscate shell sage

Result
Verdict: Malicious
File Type: ZIP File - Malicious
Behaviour: SuspiciousEmbeddedObjects detected

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug crypto fingerprint obfuscated overlay packed reconnaissance rust

Verdict: Unknown
File Type: zip
First seen: 2026-05-30T13:02:00Z UTC
Last seen: 2026-05-30T13:55:00Z UTC
Hits: ~10
Threat name: Win64.Trojan.Qwexlafiba
Status: Malicious
First seen: 2026-05-30 11:35:53 UTC
File Type: Binary (Archive)
Extracted files: 17
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: execution
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: upxHook
Author: @r3dbU7z
Description: Detects artifacts from 'upxHook', a modification of the UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
NWHStealer
zip bc3f5e9e8a61735805215ca013abd153e8a93d49af5b40445e3e77945f53c939 (this sample)

Delivery method: Distributed via web download
