MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c76cc9279d103aed1a1c2b3cf52c6af5bce08bbd10fc3e5f005af2c605cce49a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer
Vendor detections: 9

SHA256 hash: c76cc9279d103aed1a1c2b3cf52c6af5bce08bbd10fc3e5f005af2c605cce49a
SHA3-384 hash: 79af9191f4b9d7ea577d7cc2b64818e557a309d73dff59241dc93ec4d496b4eae3272238d44af18da752ead60e5b4299
SHA1 hash: 5acd58f44aec44ae5d258c84c6376df6346a8a31
MD5 hash: 5c586672bc2e3223a7b574592ed4dc94
humanhash: carbon-grey-uniform-tango
File name: Product Specification PO 01222016.vbs
Signature: PhantomStealer
File size: 348'968 bytes
First seen: 2026-06-15 17:04:50 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 6144:7SAgzPBWnH509ShMwcofMSAYhI3AhyQP1wmk0AhAbNCnCY3:7FgzPBWnZ0IhMZofMSAYhI3AhyAw10Av
TLSH: T13F744B283DFA502971B3EF958FE479E6DA1FB7B3370668591081034A4B13A41EDD263E
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1); 33.3% (.MP3) MP3 audio (1000/1)
Magika: html
Reporter: abuse_ch
Tags: PhantomStealer vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 58
Origin country: SE
Vendor Threat Intelligence
No detections
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated
Verdict: Malicious
File Type: vbs
First seen: 2026-06-15T10:14:00Z UTC
Last seen: 2026-06-15T11:55:00Z UTC
Hits: ~100
Detections: PDM:Trojan.Win32.Generic, HEUR:Trojan-Downloader.Script.Generic, HEUR:Trojan.Script.Generic
Result
Threat name: KeyLogger, Phantom stealer
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell scriptblock execution from environment variable
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1928249. Sample: Product Specification PO 01... Start date: 15/06/2026. Architecture: WINDOWS. Score: 100.
Process chain: wscript.exe -> conhost.exe -> powershell.exe -> chrome.exe (injected) and chrome.exe (started).
Network contacts (from powershell.exe): ftp.iplescc.com (192.64.117.217, 12043, 12056, 12075; NAMECHEAP-NET-NamecheapIncUS, United States); sixmexicos.com (149.56.97.184, 49706, 80; OVHFR, Canada); icanhazip.com (104.16.185.241, 49723, 80; CLOUDFLARENET-CloudflareIncUS, Canada); www.google.com; 2 other IPs or domains.
Dropped files (by powershell.exe): C:\Users\user\AppData\...\Log_Summaries.txt (Unicode); McdonaldPartnershi...vbs:Zone.Identifier (ASCII); C:\Users\...\McdonaldPartnershipStainless.vbs (Unicode).
Graph signatures, sample level: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 16 other signatures.
Graph signatures, wscript.exe: VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; 2 other signatures.
Graph signatures, powershell.exe: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Creates an undocumented autostart registry key; Found many strings related to Crypto-Wallets (likely being stolen); 5 other signatures.
Result
Malware family: phantom_stealer
Score: 10/10
Tags: family:phantom_stealer collection costura discovery execution packer persistence stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Time Discovery
Costura .NET executable packer
Drops file in Program Files directory
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Detects PhantomStealer written in C#
Family: PhantomStealer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments