MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8
SHA3-384 hash: 61363fbae5f9a09c2dbefced205e7a341b40d34772186db754d54d4fcc862ca1fc2cf58527a2b4638691d0ff5263d306
SHA1 hash: e421261bf9c56bc5390d1f1b5be10f4fa53ba34c
MD5 hash: be0930fc1d862072effdd01493361fb5
humanhash: paris-kentucky-idaho-princess
File name:QUOTATION.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'586'176 bytes
First seen:2026-02-13 12:15:41 UTC
Last seen:2026-02-19 14:44:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'742 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 49152:xORW7rRaIcKdnFVb4C/mxjcNDJwF3ZQQuWQc:xn79hFFlHexjWFwF36/W
Threatray 357 similar samples on MalwareBazaar
TLSH T1D6751254669FC913C1A85B7284E1E63017F09E4EA023D25B6EDE2EE77E537A71E80343
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
NETReactor RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/19082106-0839-4eae-bc17-e5cab36b060d/
Malware family:
n/a
ID:
1
File name:
03accf587998a6841af02404f21e1527cefaf6dc37f0167c45c8419fdd484bba.rar
Verdict:
Suspicious activity
Analysis date:
2026-02-13 06:01:51 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/b06b0116-d122-40a9-b98d-cedf82539b8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53246/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698ebe5076589225f666363d
Tags:
stration autorun shell hype
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt net_reactor obfuscated packed packed
Link:
https://www.filescan.io/uploads/698f160f981ff1d38a54ba51/reports/587a73e9-fe72-4835-8958-b6e31cb14180/overview
Verdict:
Malicious
Labled as:
PasswordStealer.Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-12T23:02:00Z UTC
Last seen:
2026-02-13T17:19:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealerium.sb HEUR:Trojan.MSIL.PowerShell.gen Trojan.Win32.Agent.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb PDM:Trojan.Win32.Generic Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb HEUR:Trojan.WinLNK.Powecod.e VHO:Trojan-PSW.Win32.ReaderDB.gen
Link:
https://opentip.kaspersky.com/e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/279a8463-7f5e-4694-bd56-0d854e6a9f49
Result
Threat name:
KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1869082
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1869082 Sample: QUOTATION.exe Startdate: 13/02/2026 Architecture: WINDOWS Score: 100 75 ftp.henfruit.ro 2->75 77 youtube-ui.l.google.com 2->77 79 73 other IPs or domains 2->79 91 Found malware configuration 2->91 93 Antivirus detection for URL or domain 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 17 other signatures 2->97 9 QUOTATION.exe 8 2->9         started        13 powershell.exe 2->13         started        15 firefox.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 file5 69 C:\Users\user\AppData\...\wvcHSnDAjR.exe, PE32 9->69 dropped 71 C:\Users\...\wvcHSnDAjR.exe:Zone.Identifier, ASCII 9->71 dropped 73 C:\Users\user\AppData\...\QUOTATION.exe.log, ASCII 9->73 dropped 117 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->117 119 Found many strings related to Crypto-Wallets (likely being stolen) 9->119 121 Adds a directory exclusion to Windows Defender 9->121 123 Switches to a custom stack to bypass stack traces 9->123 19 QUOTATION.exe 26 15 9->19         started        24 powershell.exe 23 9->24         started        26 wvcHSnDAjR.exe 13->26         started        28 conhost.exe 13->28         started        30 firefox.exe 15->30         started        125 Multi AV Scanner detection for dropped file 17->125 32 msedge.exe 17->32         started        34 QUOTATION.exe 17->34         started        36 QUOTATION.exe 17->36         started        38 2 other processes 17->38 signatures6 process7 dnsIp8 81 ftp.henfruit.ro 91.213.188.9, 21, 49730, 49732 TBM-ASRU United Kingdom 19->81 83 icanhazip.com 104.16.184.241, 49751, 80 CLOUDFLARENETUS United States 19->83 61 C:\Users\user\AppData\Roaming\QUOTATION.exe, PE32 19->61 dropped 63 C:\Users\...\QUOTATION.exe:Zone.Identifier, ASCII 19->63 dropped 99 Tries to steal Mail credentials (via file / registry access) 19->99 101 Tries to harvest and steal browser information (history, passwords, etc) 19->101 103 Writes to foreign memory regions 19->103 113 2 other signatures 19->113 40 msedge.exe 19->40         started        43 firefox.exe 2 19->43         started        45 chrome.exe 19->45 injected 53 2 other processes 19->53 105 Loading BitLocker PowerShell Module 24->105 47 WmiPrvSE.exe 24->47         started        49 conhost.exe 24->49         started        107 Multi AV Scanner detection for dropped file 26->107 109 Injects a PE file into a foreign processes 26->109 55 2 other processes 26->55 85 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49729, 49735, 49784 GOOGLEUS United States 30->85 87 push.services.mozilla.com 34.107.243.93, 443, 49760, 49763 GOOGLEUS United States 30->87 89 10 other IPs or domains 30->89 65 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 30->65 dropped 67 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 30->67 dropped 111 Suspicious powershell command line found 30->111 51 firefox.exe 30->51         started        57 2 other processes 30->57 file9 signatures10 process11 signatures12 115 Monitors registry run keys for changes 40->115 59 msedge.exe 40->59         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.62 Win 32 Exe x86
Link:
https://app.malva.re/file/be0930fc1d862072effdd01493361fb5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8/
Threat name:
ByteCode-MSIL.Infostealer.Genie8DN
Create hunting rule
Status:
Malicious
First seen:
2026-02-13 04:00:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4n6ihdof5kq3gax7xwdsdrvf6uvanduppc56yy5rtokqiyx6nt4a._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
071a363ec38e71da9d074123c50ea594969d28878da8e754a6b6f7684940e809
PhantomStealer
3e24bc53a54d730bc18f29a09e5bcbca55fa332d67a983a62bb39b12b4514f62
PhantomStealer
414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456
PhantomStealer
53fa73713016ccf9636f69659053fc115cc779b1e17506d50cf4181474a27e8e
PhantomStealer
56014a5ec7d4be83b5fbe439b9142654a267619981184bb757fb325edd4f3b08
PhantomStealer
66158410eadaa76f6a183087c95b694a1404641be3a16b3b704f4cd56e53f20c
PhantomStealer
764892433fc11dc14ec10608d16131c178f7750b4fc9f8075a94d3824687162f
PhantomStealer
c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5
PhantomStealer
dbbb1c1ad17996d18e3e28537e0188b204657e87b8cb495e05bdb36c75cae466
PhantomStealer
error
PhantomStealer
+ 347 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer discovery execution stealer
Link:
https://tria.ge/reports/260213-pfk2asdz8h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
SmartAssembly .NET packer
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Unpacked files
SH256 hash:
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8
MD5 hash:
be0930fc1d862072effdd01493361fb5
SHA1 hash:
e421261bf9c56bc5390d1f1b5be10f4fa53ba34c
Link:
https://www.unpac.me/results/608eb11c-a08a-46b5-80b2-578f99ef1c2b/
SH256 hash:
993655b7b15370d8c09874c2cf9c6dc96f622bd84f06c06f6ee8befb5815c0ad
MD5 hash:
ca43b6b9b7805cc50c3d46bad61f1fcc
SHA1 hash:
56413c731e40e371f98fee4651d5c83cc36845d2
Detections:
phantom_stealer
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Link:
https://www.unpac.me/results/608eb11c-a08a-46b5-80b2-578f99ef1c2b/
Parent samples :
74a7b0a30846e3b670be3f9fd0ba2fda1f0d682d1dae1006b36b3781ec521153
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8
b5688e630ded6c873e5680ebac79d2fde8882ff27795a4b2b809745c58cfd173
SH256 hash:
724245ae3fd7d1632d6e059ad6b79ef92dec9148c6727f9779e8b23800f06260
MD5 hash:
8fb5863356fd4d1d74697aec919b07f4
SHA1 hash:
967caffb512da12ab9dc106004e2ad6b6809538b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/608eb11c-a08a-46b5-80b2-578f99ef1c2b/
Parent samples :
bde515aa510b4c30129ab004d7edaab51539f3170289be077bc2649168ccafa4
24b68cc56ca49a71fe5b439d0c765afe01552472c3793562519984803e8d1db7
479ca9e4974c18451cc33514037e524b1e04aea73d7ea1e2cec19ae5d443bb5d
5531654e84b8a3de3ce10423d12052f06db68e27805f874a1c4142bc27b0a37e
9e4efb8300d61fa29a18a9169965c531fc547234d3ced0532aa341f899801621
3c23073583bd33a068be551134983e7958884cb7656a4da03d9cc737b262f1ee
c9a7422e9bda1f8e36f23648857c16fe5332be73c474503b6502eccf4d5ed059
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8
fc72b3ca2ae3fb65114b8c60e539aec25d8e0383204e7cda9794e8b66d2a098c
9843f5987f4cc3ecb4dc341853be6549567da44e273162a36841020464cd9258
SH256 hash:
f4d318c0bc5ca03ca725472ca53f529e617c380933b402fb8afb125b35b3f6b2
MD5 hash:
6a0f8a12089466db41185b54880a1b8d
SHA1 hash:
f41e6cb6859e2231b46ce2726dccbaa1059bb81a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/608eb11c-a08a-46b5-80b2-578f99ef1c2b/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e37c838dc5ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Executable exe e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53246/

Comments