MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f09a097b958bc565b990c17bb42765b488386fc2803a41872296db6923f09c32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f09a097b958bc565b990c17bb42765b488386fc2803a41872296db6923f09c32
SHA3-384 hash: 2d3e7f9e0233e47b07073a3399d2bf1a09d7d894e2730fa426fb4c1ec27c9f60684b787dccd439b50cae4316bf86a14f
SHA1 hash: f4de39bedf10a75f9f118f28d0d8a0aab3982e20
MD5 hash: 80ab57542f5f1b646d6958e1189acafa
humanhash: oranges-speaker-idaho-lithium
File name:#1920029920944.js
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:390'674 bytes
First seen:2026-03-27 15:40:59 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:bcjvuxLVVVNqIxRHf6+N65BU1diSjfxyFdl1OVu5cNHrbsM/+vt5V1L0JUolYzLe:bcjvuFVLNqQi+NaSYHlHiNHrbs7vt5iH
Threatray 3'024 similar samples on MalwareBazaar
TLSH T18884494293F94519F1F78F58BA7A50A14E77BE5A1C78C42C26A8140E1AF3E148CB67F3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter TomU
Tags:js PhantomStealer


Avatar
TomU
--- mail headers ---
Date: Thu, 26 Mar 2026 22:20:17 +0100
From: purchase@qdygzh.com
Subject: Re:Purchase Order // PO-#1920029920944
Message-ID: <f75ee795e58267f750eb4fa1998a79af@qdygzh.com>

--- mail attachments (spaces replaced with [_X]) ---
b2ac26804b19be5139122cc7c8d51bc0 #1920029920944.zip
80ab57542f5f1b646d6958e1189acafa #1920029920944.js

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c5c06a390b9964741415b9
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
repaired
Link:
https://www.filescan.io/uploads/69c6a521e2df9aa488badde3/reports/5fca25ef-612e-40a7-af67-c23048e53380/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f09a097b958bc565b990c17bb42765b488386fc2803a41872296db6923f09c32
Verdict:
Malicious
File Type:
js
First seen:
2026-03-26T18:33:00Z UTC
Last seen:
2026-03-29T13:23:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/f09a097b958bc565b990c17bb42765b488386fc2803a41872296db6923f09c32/results?tab=lookup
Score:
55%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/f09a097b958bc565b990c17bb42765b488386fc2803a41872296db6923f09c32
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f09a097b958bc565b990c17bb42765b488386fc2803a41872296db6923f09c32/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-26 23:25:31 UTC
File Type:
Text (JavaScript)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cnas64vrpcwlomqyf53ij3fwsedq36cqa5edbzcs3nwsi7qtqza._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
045184fbabebcf0ba3f37068d057ff367b1cbe6809de7c7feb1467d9f5bbff45
PhantomStealer
2c7d58690529990afc514b12c60f805abebfae9f798685f93de0b87eebbb240d
PhantomStealer
33f6bff83a6ce68bf321847b66f432840af51cdec378b2cda41ab1f2f0e0ecb1
PhantomStealer
3a1108af4bfe7864add18f34e0658f2da34930fbef90e34f176fd938065bf2bc
PhantomStealer
614ce7fb8a4a9214f3c185458394866350ce76cb99ce2012f06dbe9ecaaffa31
PhantomStealer
7925aea8fdd372084d270a382309a4faa68a01d6021b3e25f3fc55e05d221888
PhantomStealer
9372733224f523df81e19ee2147c830593703920c8c0d40995f9f965e9179957
PhantomStealer
c5a31f2c04e3d0e7aec2a3877597075386dc4def55db26c0a1a9d2c1f74a5f05
PhantomStealer
c8c0f29ae884187179b1891c83c89241fd60b524c1a98ab0f762dab84c589d73
PhantomStealer
dd1937330f8b10026eb29045fb3d57e1364bf1fe8a80b92568fc4a055ad99c1d
PhantomStealer
error
PhantomStealer
+ 3'014 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery execution persistence stealer
Link:
https://tria.ge/reports/260327-s4xxjsht9w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Detects PhantomStealer written in C#
PhantomStealer
Phantom_stealer family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f09a097b958bc565b990c17bb42765b488386fc2803a41872296db6923f09c32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Java Script (JS) js f09a097b958bc565b990c17bb42765b488386fc2803a41872296db6923f09c32

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments