MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f
SHA3-384 hash:	e8da938b71f5eca749a8b4136b377d21634824e4e4817f29a1ca50c841ca640820b26fda2562fcf8eb57a802fa80fff9
SHA1 hash:	9803a712b6ccdb8684c57d65e4501569cafa582d
MD5 hash:	f950a84805169248a29e9904cab956ee
humanhash:	burger-lithium-missouri-illinois
File name:	e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f
Download:	download sample
Signature	PhantomStealer Create hunting rule
File size:	1'226'752 bytes
First seen:	2025-12-08 14:51:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:oAnpv8xP0h3wiDe4s9aIzr2ge/6nnWQLpRNI/SEHo1+BoS+jxjRB:zpv86wiDvs9aIHbUSVjI6EIIBs
Threatray	24 similar samples on MalwareBazaar
TLSH	T1D545231CB9B356C6DFAE19B7C127084881B38C1AB11AF614AAC83D7F9C98F04C957F56
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe PhantomStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

DeepSea

Details

DeepSea

DeepSea decrypted strings

Link:

https://research.acce.ciphertechsolutions.com/results/0d8319d9-96c6-42af-af1e-0d67b1534b8a/

Malware family:

n/a

ID:

File name:

e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f

Verdict:

Malicious activity

Analysis date:

2025-12-08 18:08:08 UTC

Tags:

auto-sch-xml stealer phantom crypto-regex ims-api generic telegram exfiltration evasion

Link:

https://app.any.run/tasks/b299cdb0-a9a6-4968-bfda-b3a344802735

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/43208/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6936e645881313558a2b8812

Tags:

shell virus sage

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-13T02:04:00Z UTC

Last seen:

2025-11-19T05:57:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75aa1a83-64ed-49ff-a06a-b103f84e2e5c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.37 Win 32 Exe x86

Link:

https://app.malva.re/file/f950a84805169248a29e9904cab956ee

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-11-13 04:40:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

unc_loader_037

phantomstealer

PhantomStealer

60c6bb5011402b715799a09d83531b185c5a4825a611b18e08b89c9451f68cbb

PhantomStealer

750bfb6b02d5ebacb9e4eb938ffb64751feccfaf0c883b5489b77d26825d1009

PhantomStealer

b7d078fa73d4a05c8216beddcb32493375d8457879525e026712e2a3e5198d89

PhantomStealer

e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f

PhantomStealer

error

PhantomStealer

+ 14 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/251208-r8cxhaez9c/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Detects PhantomStealer payload

PhantomStealer

Phantom_stealer family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8316552739:AAER7yEiHyuLounhYJBGHRHg1BbkqUdzW4Q/sendMessage?chat_id=8118564505

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/07ca428e-1198-4275-a859-a7c3331a74a4

Unpacked files

SH256 hash:

e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f

MD5 hash:

f950a84805169248a29e9904cab956ee

SHA1 hash:

9803a712b6ccdb8684c57d65e4501569cafa582d

Link:

https://www.unpac.me/results/61f63a0a-76dc-48d1-8a12-566dd972f635/

SH256 hash:

7b0ec811a5cca3a59eebaccce9d9ee12e386960086911d59eb8fb9f80a7f8f94

MD5 hash:

bacc441ed2e93d386ad8999b82ac761b

SHA1 hash:

1f902959c8b393e47c311e38db6b3f44534026b2

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/61f63a0a-76dc-48d1-8a12-566dd972f635/

SH256 hash:

f44a97ba959a2f1b2154d69c4d118fd16bc5608f7f1dcf4f36bd44c6543b3b9a

MD5 hash:

64a9dd1563f828735d8bb70617bd4d5a

SHA1 hash:

85cfa4ff543dc85b7c8247876c9a8bee99cd9091

Link:

https://www.unpac.me/results/61f63a0a-76dc-48d1-8a12-566dd972f635/

SH256 hash:

5bd5af9db4060898913835d01438daa85f260751037d9a39064730b70f4b6055

MD5 hash:

0eb3b4bb09170ce7382589c0de7fef20

SHA1 hash:

e04e44c1422afdfe484a0293517143bc372890d5

Detections:

phantom_stealer

cn_utf8_windows_terminal

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Link:

https://www.unpac.me/results/61f63a0a-76dc-48d1-8a12-566dd972f635/

Parent samples :

b6968bc63433009553101e5303b880d403e2a2a0c6521694ddb122e25336ad82
191901bedbfc9521e8d346058964cbaca797f07d6e52f9ec285296acc5faa847
e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e763f70c2253/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e763f70c225397859178eb99d03beee5e11fccc8680df2e32c77d58eb094397f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/43208/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample