MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5
SHA3-384 hash:	5d4518e4cde40e1ed9b40980d97b572b61c8d053c70369486932321c866fa1f716146392cffcbabd4bd9eaf5f457e246
SHA1 hash:	328681b0c8f54c3cc693a211e2fe09b232b27d74
MD5 hash:	f6bd5fdbc0205d413b60c477b64ef877
humanhash:	spring-gee-november-jig
File name:	DOCUMENTS.JS
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	6'522'444 bytes
First seen:	2026-01-15 07:51:07 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	196608:/4W5Fr43V9Hz2E5s2g8GT83GhlUFRKqcwREsvkA3BoeSY6vnDZHucL5rNF:/4Wc36UBm8xkrwXvkA3BfS/f1H35hF
Threatray	2'706 similar samples on MalwareBazaar
TLSH	T146661A48EE048DD09B764EB93F737AD580D565536D8B42B8F83E54B1AEE3180F861F28
Magika	javascript
Reporter	abuse_ch
Tags:	js PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69689c9eef906a21abcd69f8

Tags:

obfuscate xtreme blic

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

aes anti-vm anti-vm base64 base64 cmd crypto evasive findstr fingerprint hacktool lolbin netsh obfuscated packed powershell reconnaissance repaired soft-404 telegram

Link:

https://www.filescan.io/uploads/69689c8e3827c9e1249f3eaa/reports/4cef3111-7832-40f1-940c-18e069dbea8b/overview

Verdict:

Malicious

Labled as:

Trojan.JS.Agent

Link:

https://www.hybrid-analysis.com/sample/c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5

Verdict:

Malicious

File Type:

First seen:

2026-01-13T23:55:00Z UTC

Last seen:

2026-01-17T06:36:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan.Script.Generic Trojan-Downloader.JS.SLoad.sb Trojan.JS.SAgent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.PowerShell.Tesre.sb

Link:

https://opentip.kaspersky.com/c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5/results?tab=lookup

Result

Threat name:

KeyLogger, Phantom stealer

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1851114

Signature

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Creates a thread in another existing process (thread injection)

Creates autostart registry keys with suspicious values (likely registry only malware)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Monitors registry run keys for changes

Multi AV Scanner detection for submitted file

Powershell drops PE file

Powershell is started from unusual location (likely to bypass HIPS)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Renames powershell.exe to bypass HIPS

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: System File Execution Location Anomaly

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Unusual module load detection (module proxying)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Costura Assembly Loader

Yara detected Keylogger Generic

Yara detected Phantom stealer

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5/

Verdict:

Malicious

Threat:

Family.PHANTOM_STEALER

Link:

https://tip.neiki.dev/file/c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5

Threat name:

Script-JS.Trojan.Generic

Status:

Suspicious

First seen:

2026-01-14 04:50:32 UTC

File Type:

Binary

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yyjdqxx6zlfj5r2en7ogfhmhdijpxt6kt3kfyzj7v4qdmhjraxcq._file

Verdict:

malicious

Label(s):

phantomstealer

PhantomStealer

2c7d58690529990afc514b12c60f805abebfae9f798685f93de0b87eebbb240d

PhantomStealer

33f6bff83a6ce68bf321847b66f432840af51cdec378b2cda41ab1f2f0e0ecb1

PhantomStealer

3a1108af4bfe7864add18f34e0658f2da34930fbef90e34f176fd938065bf2bc

PhantomStealer

414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456

PhantomStealer

614ce7fb8a4a9214f3c185458394866350ce76cb99ce2012f06dbe9ecaaffa31

PhantomStealer

7925aea8fdd372084d270a382309a4faa68a01d6021b3e25f3fc55e05d221888

PhantomStealer

c5a31f2c04e3d0e7aec2a3877597075386dc4def55db26c0a1a9d2c1f74a5f05

PhantomStealer

c769df21e4dc00da52ac7b81849bf3752f766ee1caf6dfd4f639db4cdff02bd0

PhantomStealer

dd1937330f8b10026eb29045fb3d57e1364bf1fe8a80b92568fc4a055ad99c1d

PhantomStealer

error

PhantomStealer

+ 2'696 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery execution persistence stealer

Link:

https://tria.ge/reports/260115-jp7c1agy2h/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Accesses Microsoft Outlook profiles

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Badlisted process makes network request

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c612385efeca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample