MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc
SHA3-384 hash: c364fb408878ee90240ee1730b1e0249c944d6341ba6378a5b16238234456b123261f5c837ec3c1850c17457bbbb394f
SHA1 hash: 0c02bdfd404bce6724e7b767491b238c16345216
MD5 hash: 62b4563e05a19ae79b05c4c51cbba5a8
humanhash: quebec-echo-summer-butter
File name:62b4563e05a19ae79b05c4c51cbba5a8.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'640'960 bytes
First seen:2026-02-27 16:40:15 UTC
Last seen:2026-02-27 17:42:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 24576:97/k9mc44Cjl7wrHZd0wlYe0mmvlUfMwEAonf0pTop/J6emd1N7E/Z6I5aO:9zk9L47aNdffeodonf0pTQ/8ei7qZrU
Threatray 399 similar samples on MalwareBazaar
TLSH T1CD75025427A59C1AC77D473659A0F1789774CE9BB111C24ABEDD3EE77B2AF000A82383
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
NETReactor RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/1ecc4dc5-1112-42d3-8ed0-abba3021b6d1/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ALZAMLH QUOTATION_A07501-20260226.pdf(82KB).com
Verdict:
Malicious activity
Analysis date:
2026-02-26 16:44:37 UTC
Tags:
loader java auto-reg auto-startup rat remcos remote susp-lnk xworm stealer phantom evasion phishing quasar
Link:
https://app.any.run/tasks/6f05ae37-b959-42b2-a827-c7db5869582e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54888/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a1c8fdc950ab5d9ab2253d
Tags:
spawn hype
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bitmap net_reactor obfuscated packed packed packed stego vbnet
Link:
https://www.filescan.io/uploads/69a1c8f710e80629d4f58342/reports/cc504ffe-1628-4d3f-9ec6-7a789cf694f2/overview
Verdict:
Malicious
Labled as:
Ser.Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc/results?tab=lookup
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b19ba368-ad56-4af0-821c-05612e4271c3
Result
Threat name:
KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876077
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Browser instances using unsafe startup parameters
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876077 Sample: AiAK8K6NiM.exe Startdate: 27/02/2026 Architecture: WINDOWS Score: 100 70 mail.hsk-new.com 2->70 72 youtube-ui.l.google.com 2->72 74 30 other IPs or domains 2->74 90 Found malware configuration 2->90 92 Antivirus detection for URL or domain 2->92 94 Antivirus / Scanner detection for submitted sample 2->94 96 12 other signatures 2->96 9 AiAK8K6NiM.exe 3 2->9         started        13 AiAK8K6NiM.exe 2->13         started        15 firefox.exe 1 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 62 C:\Users\user\AppData\...\AiAK8K6NiM.exe.log, ASCII 9->62 dropped 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->108 110 Found many strings related to Crypto-Wallets (likely being stolen) 9->110 112 Injects a PE file into a foreign processes 9->112 116 2 other signatures 9->116 20 AiAK8K6NiM.exe 26 14 9->20         started        114 Multi AV Scanner detection for dropped file 13->114 25 AiAK8K6NiM.exe 13->25         started        27 firefox.exe 3 388 15->27         started        64 192.168.2.16 unknown unknown 17->64 66 192.168.2.9, 138, 25, 443 unknown unknown 17->66 68 239.255.255.250 unknown Reserved 17->68 29 msedge.exe 17->29         started        31 setup.exe 17->31         started        33 msedge.exe 17->33         started        35 3 other processes 17->35 file6 signatures7 process8 dnsIp9 76 mail.hsk-new.com 158.94.208.190, 25 JANETJiscServicesLimitedGB United Kingdom 20->76 78 icanhazip.com 104.16.184.241, 49755, 80 CLOUDFLARENETUS United States 20->78 54 C:\Users\user\AppData\...\AiAK8K6NiM.exe, PE32 20->54 dropped 56 C:\Users\...\AiAK8K6NiM.exe:Zone.Identifier, ASCII 20->56 dropped 100 Tries to steal Mail credentials (via file / registry access) 20->100 102 Tries to harvest and steal browser information (history, passwords, etc) 20->102 104 Writes to foreign memory regions 20->104 106 4 other signatures 20->106 37 msedge.exe 20->37         started        40 chrome.exe 20->40 injected 42 firefox.exe 1 20->42         started        50 3 other processes 20->50 80 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49778, 49779, 80 GOOGLEUS United States 27->80 86 10 other IPs or domains 27->86 58 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 27->58 dropped 60 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 27->60 dropped 44 firefox.exe 27->44         started        46 firefox.exe 27->46         started        82 23.219.0.136, 443, 49733, 49734 RAYA-ASEG United States 29->82 84 a1666.dscr.akamai.net 23.219.2.14, 443, 49703, 49705 RAYA-ASEG United States 29->84 88 38 other IPs or domains 29->88 48 setup.exe 31->48         started        file10 signatures11 process12 signatures13 98 Monitors registry run keys for changes 37->98 52 msedge.exe 37->52         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.63 Win 32 Exe x86
Link:
https://app.malva.re/file/62b4563e05a19ae79b05c4c51cbba5a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2026-02-26 15:56:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
41
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6aqq3i3ah5b5m2wf7woomzojxvkezw3g5rd5gcydxamru3a4bhoa._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
071a363ec38e71da9d074123c50ea594969d28878da8e754a6b6f7684940e809
PhantomStealer
3e24bc53a54d730bc18f29a09e5bcbca55fa332d67a983a62bb39b12b4514f62
PhantomStealer
414557952c390312ea3cafa3cd3c069ff072c40840277921391565b79c800456
PhantomStealer
53fa73713016ccf9636f69659053fc115cc779b1e17506d50cf4181474a27e8e
PhantomStealer
56014a5ec7d4be83b5fbe439b9142654a267619981184bb757fb325edd4f3b08
PhantomStealer
66158410eadaa76f6a183087c95b694a1404641be3a16b3b704f4cd56e53f20c
PhantomStealer
78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77
PhantomStealer
c612385efecaca9ec7446fdc629d871a12fbcfca9ed45c653faf20361d3105c5
PhantomStealer
dbbb1c1ad17996d18e3e28537e0188b204657e87b8cb495e05bdb36c75cae466
PhantomStealer
ec5b91ad14060b955dec4c1fcd63be9d63d66185d463ea785e5f888eee460f0b
PhantomStealer
error
PhantomStealer
+ 389 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/260227-t6pvdsgt4d/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Reads user/profile data of web browsers
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Unpacked files
SH256 hash:
f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc
MD5 hash:
62b4563e05a19ae79b05c4c51cbba5a8
SHA1 hash:
0c02bdfd404bce6724e7b767491b238c16345216
Link:
https://www.unpac.me/results/2271e7d1-137a-45ae-abda-a0d0b035907a/
SH256 hash:
1d505ea8bbeba5f8dafdba977e3798970abec0ded018eca8c8c1d71a510d5b36
MD5 hash:
15185513dcfc65611ee21ddee6d3b94d
SHA1 hash:
76f1da946c7257494d9c81ae3691b4c14063afcd
Link:
https://www.unpac.me/results/2271e7d1-137a-45ae-abda-a0d0b035907a/
SH256 hash:
aad3814a42a40a47e0a2bf84dfa60fb003abbdcb63ff3c6deeb2dad3c5f1ada7
MD5 hash:
a4b98cb9b3932d5256057bb41e8e019b
SHA1 hash:
d87d3129f0a304a44adfd951717b0c20b48b850f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2271e7d1-137a-45ae-abda-a0d0b035907a/
SH256 hash:
f3966f5c0acf9606bcaab622053c3131f329db7e2a52d4169702190ee51e6c4a
MD5 hash:
a02770dbded2c377ea70218a2aea3cd8
SHA1 hash:
dcaf2f947e445a2ccf0868f239847d792d9f0e04
Detections:
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Link:
https://www.unpac.me/results/2271e7d1-137a-45ae-abda-a0d0b035907a/
Parent samples :
65ca5368c87b5c53a24995aa3bb88240abf1766e2fd013ad10756e5006be286c
a0a642f5131f1d82cb91f1237deb6b0002b0e6f178d208295b5b7fe39cedb1d6
def6c1b31a71cb1325bdb0b286263d2d5ced9a24d213b0bceba824492d68d1c3
f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0210da3603f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM names
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM usernames
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
Author:ditekSHen
Description:Detects executables with interest in wireless interface using netsh
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:Windows_Generic_Threat_f57e5e2a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Xeno_89f9f060
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PhantomStealer

Executable exe f0210da3603f43d66ac5fd9ce665c9bd544cdb66ec47d30b03b8191a6c1c09dc

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/54888/
  
URLhaus
https://urlhaus.abuse.ch/url/3786903/
  
Delivery method
Distributed via web download

Comments