MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6f964f37b721d5d06a11562a46facdcfc70900b48361143472e097af00b1d33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6f964f37b721d5d06a11562a46facdcfc70900b48361143472e097af00b1d33
SHA3-384 hash: 8a45b034f3fb934c935f19d9c8c218bc1438e9f302414ad6643d3ca42815fdfb4d9d0754784ffabb73df9f22c8bf332c
SHA1 hash: ebdb06c1f216af3277a29865abe0a19dd351ef7e
MD5 hash: 505e5c03de2a09f36ac4fa574d22e47c
humanhash: speaker-johnny-eight-south
File name:Nostro Ordine 264418.vbe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:61'190 bytes
First seen:2025-10-10 13:24:57 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 768:/KHqZzemJ1+fv5ae38R5GkRvDjJ1iETUKBwyHNHWUjh:/KyzTmnYesR5GkZ
Threatray 105 similar samples on MalwareBazaar
TLSH T193534432B21C05EB6BA3D4A181464919EED9074E06F92AF6F61185F9085DDEECCF03BD
Magika vba
Reporter abuse_ch
Tags:PhantomStealer vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
34
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e90954777ae46bec410d5c
Tags:
vmdetect keylog spawn word
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm aspnet_compiler base64 evasive evasive lolbin obfuscated obfuscated powershell reconnaissance
Link:
https://www.filescan.io/uploads/68e90b084f3013c55e498e33/reports/3e35fdd8-3b3d-4257-ae4f-72b696ac967e/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/f6f964f37b721d5d06a11562a46facdcfc70900b48361143472e097af00b1d33
Verdict:
Malicious
File Type:
vbs
First seen:
2025-10-09T09:11:00Z UTC
Last seen:
2025-10-12T05:16:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic Trojan-Downloader.Agent.HTTP.C&C
Link:
https://opentip.kaspersky.com/f6f964f37b721d5d06a11562a46facdcfc70900b48361143472e097af00b1d33/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1792859
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1792859 Sample: Nostro Ordine 264418.vbe Startdate: 10/10/2025 Architecture: WINDOWS Score: 100 82 ftp.mzgold.ir 2->82 84 prod.classify-client.prod.webservices.mozgcp.net 2->84 86 2 other IPs or domains 2->86 100 Suricata IDS alerts for network traffic 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 7 other signatures 2->106 11 wscript.exe 16 2->11         started        16 aspnet_compiler.exe 2->16         started        18 aspnet_compiler.exe 2->18         started        signatures3 process4 dnsIp5 94 files.catbox.moe 108.181.20.35, 443, 49716 ASN852CA Canada 11->94 66 C:\Users\user\AppData\Local\...\50vjd0[1].ps1, ASCII 11->66 dropped 68 C:\Temp\KTCOQGMZ.ps1, ASCII 11->68 dropped 118 System process connects to network (likely due to code injection or exploit) 11->118 120 Wscript starts Powershell (via cmd or directly) 11->120 122 Bypasses PowerShell execution policy 11->122 124 2 other signatures 11->124 20 powershell.exe 16 11->20         started        23 conhost.exe 16->23         started        25 conhost.exe 18->25         started        file6 signatures7 process8 signatures9 108 Writes to foreign memory regions 20->108 110 Injects a PE file into a foreign processes 20->110 27 aspnet_compiler.exe 16 135 20->27         started        32 aspnet_compiler.exe 20->32         started        34 conhost.exe 20->34         started        36 4 other processes 20->36 process10 dnsIp11 96 ftp.mzgold.ir 217.144.107.148, 21, 49783, 49784 NETMIHANIR Iran (ISLAMIC Republic Of) 27->96 98 icanhazip.com 104.16.185.241, 49795, 80 CLOUDFLARENETUS United States 27->98 70 C:\Users\user\AppData\...\aspnet_compiler.exe, PE32 27->70 dropped 126 Tries to steal Mail credentials (via file / registry access) 27->126 128 Tries to harvest and steal browser information (history, passwords, etc) 27->128 130 Writes to foreign memory regions 27->130 136 4 other signatures 27->136 38 msedge.exe 152 868 27->38         started        42 firefox.exe 1 27->42         started        44 chrome.exe 27->44 injected 46 8 other processes 27->46 132 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->132 134 Switches to a custom stack to bypass stack traces 32->134 file12 signatures13 process14 dnsIp15 88 192.168.2.4, 138, 21, 443 unknown unknown 38->88 90 192.168.2.7 unknown unknown 38->90 92 239.255.255.250 unknown Reserved 38->92 112 Maps a DLL or memory area into another process 38->112 48 msedge.exe 38->48         started        51 setup.exe 38->51         started        53 msedge.exe 38->53         started        58 3 other processes 38->58 55 firefox.exe 3 45 42->55         started        signatures16 process17 dnsIp18 72 a1666.dscr.akamai.net 23.213.40.154, 443, 49735, 49736 NTT-COMMUNICATIONS-2914US United States 48->72 74 13.107.213.41, 443, 49760, 49761 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 48->74 80 34 other IPs or domains 48->80 60 setup.exe 51->60         started        76 prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216, 443, 49725 GOOGLEUS United States 55->76 78 127.0.0.1 unknown unknown 55->78 114 Monitors registry run keys for changes 55->114 116 Installs a global keyboard hook 55->116 62 firefox.exe 1 55->62         started        64 firefox.exe 1 55->64         started        signatures19 process20
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f6f964f37b721d5d06a11562a46facdcfc70900b48361143472e097af00b1d33
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6f964f37b721d5d06a11562a46facdcfc70900b48361143472e097af00b1d33/
Verdict:
Malicious
Threat:
Family.PHANTOMSTEALER
Link:
https://tip.neiki.dev/file/f6f964f37b721d5d06a11562a46facdcfc70900b48361143472e097af00b1d33
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-10-10 13:11:19 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=634wj433oiov2bvbcvrki35m3t6hbealja3bcq2hfyexv4alduzq._file
Verdict:
malicious
Label(s):
xenostealer
Create hunting rule
Similar samples:
04ffa9922db8b82f8716ac984b03d50c0277618816048beb68d2b56ab60efee3
PhantomStealer
059120da7621c358f48e67e3c904ace377a79f1802f93c008fb3774b3b3b5cbc
PhantomStealer
0b1f60bb2fc193c0e8908451a95c811dfac00fbcbfd3591c04d05c07e1c812d3
PhantomStealer
0cf3d7eaea22681caa5425bca164468cf7a13f0848e12ad2fe0115b93e0c9f9c
PhantomStealer
274087c706f2a113778a7c7110dca7aab3ec9e0f1a6621a7038634c71ccc0860
PhantomStealer
289a2fc01518fad002bb9330c081201fe04f877ffd04e9e3a3a348096cf8b8c7
PhantomStealer
56014a5ec7d4be83b5fbe439b9142654a267619981184bb757fb325edd4f3b08
PhantomStealer
9ab0fa2d7bde7644dc01292a6b803aba355f87f89af2f73ea18e5973bf12dcc9
PhantomStealer
d81e76f9c47d6d88bea5188b5a37a1119013e2da52d1cb03f169fb80e0159111
PhantomStealer
decbf46ae8adb969f6ef4f94037d448cc9cbd91a1698ca806d2d67cae25cf392
PhantomStealer
error
PhantomStealer
+ 95 additional samples on MalwareBazaar
Result
Malware family:
phantomstealer
Create hunting rule
Score:
  10/10
Tags:
family:phantomstealer collection discovery execution persistence
Link:
https://tria.ge/reports/251010-qsz7eszybz/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Phantomstealer family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f6f964f37b721d5d06a11562a46facdcfc70900b48361143472e097af00b1d33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:OBFUS_PowerShell_Common_Replace
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the common usage of replace for obfuscation
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments