MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 24 File information Comments

SHA256 hash:	d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873
SHA3-384 hash:	6cdc4788f3f6441ba0bbdbf4b0b34c83f18b54cd838e97dbf893bf9b8d498de8dc7c64a6d5df4e94239f8ef97094b268
SHA1 hash:	336d76560bf6d0c5c82211755042420af625c304
MD5 hash:	58b7fb613cb756f09a30f18c572ec45a
humanhash:	mike-timing-artist-emma
File name:	d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'228'800 bytes
First seen:	2025-11-06 10:45:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:c07Afbhft9X4CgC0sH2Gh6KmSINvyRJZiPT3q2C/C:c0A57X47C01N6lyT3FC
TLSH	T1E74523684289D62BD8525B7A1772F370133A0DE9DC02D90B6EDD3DDBB963A028D422D7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873

Verdict:

Malicious activity

Analysis date:

2025-11-06 14:46:49 UTC

Tags:

auto-sch-xml stealer phantom crypto-regex telegram exfiltration evasion ims-api generic

Link:

https://app.any.run/tasks/38abb3a6-8e5c-4968-b1f9-f7d7af0eb30e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35871/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c7c625a5ed7864e2374a8

Tags:

krypt spawn msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Setting a keyboard event handler

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-16T03:45:00Z UTC

Last seen:

2025-11-04T16:53:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873/results?tab=lookup

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/94aab7d2-8549-4b46-a0d9-1c36e8ace14c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.42 Win 32 Exe x86

Link:

https://app.malva.re/file/58b7fb613cb756f09a30f18c572ec45a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2025-11-06 10:45:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2uwg7afc7c3xcm6shb2dy6nmurkuxjpuatqqtkj77hbnwek33bzq._file

Verdict:

malicious

Label(s):

phantomstealer

unc_loader_037

Similar samples:

error

PhantomStealer

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/251106-mtny1avran/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8311646472:AAE3y-mOoDjijqIf0ZE_lCtb8S0nWRARlUw/sendMessage?chat_id=6605246356

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b265a908-00c1-4b17-9a81-9ca2467fc4a9

Unpacked files

SH256 hash:

d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873

MD5 hash:

58b7fb613cb756f09a30f18c572ec45a

SHA1 hash:

336d76560bf6d0c5c82211755042420af625c304

Link:

https://www.unpac.me/results/ed032919-debc-4a41-bca2-695d5c01d5bd/

SH256 hash:

b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511

MD5 hash:

2a576318d07470206dd7c45f7d896078

SHA1 hash:

3096b2a5ccd98583949a9f57842d5547b50bbc29

Link:

https://www.unpac.me/results/ed032919-debc-4a41-bca2-695d5c01d5bd/

SH256 hash:

38d4e6f80b50e28096b19761bd028c63a3fb1b94179a64dc8bae29ceb176ee91

MD5 hash:

b6006207acc36b80ac216ae5be169a5a

SHA1 hash:

4780ecff459d94f54c5c6381f72f5b51c382c3c8

Detections:

cn_utf8_windows_terminal

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Link:

https://www.unpac.me/results/ed032919-debc-4a41-bca2-695d5c01d5bd/

Parent samples :

014566356dcb7f7ead45bf82659bbc942de33a6a15889d1fcfc8be3338c79506
dc60b3a787e014b5ed9ef2a3eb0d7b7d93ed800d0524a10d0eb8447d47b43926
27bdcb028d5a949b002ab6337453221e24c2f3d181c7a804eeb2d5ecda123d9d
98675f783173694a7f20851b05169361426d794a04e9e38602f30973aa3d4cfe
3975996e48050e31858381e0a8adacd0eb43f7417af5d344323e4b4c22045052
9acd0901461dd314c6c2eb2d5f4e9dd8867d3bdadd50cd696a4ee809e346ca71
6945230e786da1f48c3f4d9ea9fa52a73a501d343c24cc3616ad4e092b32fb5c
d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873

SH256 hash:

2418540e2029f24028041a0772d3b0b05d434c809fcbfc066b65b8c8f5350ac9

MD5 hash:

81f41b77aa5f564e896b4f40e7bafc98

SHA1 hash:

e16d511943a9d3013aecb0fd56a42a635ed9bf96

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ed032919-debc-4a41-bca2-695d5c01d5bd/

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d52c6f80a2f8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d52c6f80a2f8b77133d238743c79aca4554ba5f404e109a93ff9c2db115bd873

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM names

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM usernames

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon Create hunting rule
Author:	ditekSHen
Description:	Detects executables with interest in wireless interface using netsh

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Generic_Threat_f57e5e2a Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Xeno_89f9f060 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35871/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample