MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efcc455c178e18e96638ee642b2d395b7ff2931d702dc68253f8ab75b70e1721. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efcc455c178e18e96638ee642b2d395b7ff2931d702dc68253f8ab75b70e1721
SHA3-384 hash: 8612e71ea6e12f71f986392db701ce3e1ff45f4cc957de8a0d4e10332cadd748656bdf1d5ad0e20a20ed7c861ef278a5
SHA1 hash: 60b1a8e0d146609e1f83ac50875513f547d8beb1
MD5 hash: 06c0a48bf06852cd3f73cc700c11a604
humanhash: gee-pizza-bravo-wyoming
File name:Sabadell_AvisodePago_0003192026-pdf.js
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'861'417 bytes
First seen:2026-03-19 06:03:15 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:yiTEhBrin1paAn1kYmprluBVr7KQtwall4Phx4+5ePpxKS0FTUxfX9F0jv5FUmos:j8
Threatray 461 similar samples on MalwareBazaar
TLSH T1B085949703E4D0B84964544BFC5EA1E4DF0D49862B239CE8AD8CB7C5C02DBBD8735AB6
Magika javascript
Reporter Skynet11
Tags:js PhantomStealer stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
AU AU
Vendor Threat Intelligence
No detections
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bb44f188c80c01586bdb66
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook repaired
Link:
https://www.filescan.io/uploads/69bb91db2000fc76c3ebef06/reports/b5809179-ab57-47a8-a95b-86c4e4794d0b/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/efcc455c178e18e96638ee642b2d395b7ff2931d702dc68253f8ab75b70e1721
Verdict:
Malicious
File Type:
js
Detections:
HEUR:Trojan.Script.SAgent.gen HEUR:Trojan-Downloader.Script.Generic Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/efcc455c178e18e96638ee642b2d395b7ff2931d702dc68253f8ab75b70e1721/results?tab=lookup
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efcc455c178e18e96638ee642b2d395b7ff2931d702dc68253f8ab75b70e1721/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/efcc455c178e18e96638ee642b2d395b7ff2931d702dc68253f8ab75b70e1721
Threat name:
Script-JS.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-19 00:36:04 UTC
File Type:
Binary
AV detection:
5 of 24 (20.83%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57gekxaxrymoszry5zscwljzln77fey5oaw4nast7cvxlnyoc4qq._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
2a86c8ae8cabbeb5909a0240fef9bd50fbf422f9d3d6a54c4a4e5c255dae3ddf
PhantomStealer
30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0
PhantomStealer
408fbffb330ad289ae8e39bd708a3ccdb55ac31358d4a82ccea4f1c705308c2e
PhantomStealer
57e039b60ff31952018541ae912518263ff5c9f2d5069bb9c7b5f7778cea8de1
PhantomStealer
6314c3c82acb165b93aa922ff379754ea29c321d7a757a5d55d72e537072d9c7
PhantomStealer
80556f89dc73c0363733a728326aa27fab12eba80b9afe18fb7a5fb3d1c5e5f5
PhantomStealer
9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
PhantomStealer
c29966f812a4a6b5db08fc8926aecafaa24395caea1213a8f84da02987a6ff6b
PhantomStealer
c5f8fd48834eb238614b5a3817aeff16510a749d51fc0da922e3b7fcca8c2af7
PhantomStealer
error
PhantomStealer
+ 451 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence stealer
Link:
https://tria.ge/reports/260319-gspw1sax5j/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects PhantomStealer written in C#
PhantomStealer
Phantom_stealer family
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/efcc455c178e18e96638ee642b2d395b7ff2931d702dc68253f8ab75b70e1721

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments