MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc32b0350ebb6e5c0a57567bca7ad78e5f030629ffa514a4aef5e02b412edd0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PhantomStealer

Vendor detections: 16

SHA256 hash: fc32b0350ebb6e5c0a57567bca7ad78e5f030629ffa514a4aef5e02b412edd0d
SHA3-384 hash: f2260d2cb074c71520e16ffd88d65826e3c7bed1dee0d606f4c682425ac3823489d361a0f94ba3f3150867536df111a7
SHA1 hash: 1be5a59b56a60581e6ee6546a5954f0520545761
MD5 hash: a5b35f95d742d8b5f5459aa814b56614
humanhash: social-network-network-dakota
File name: Request for Quotation – ABILL GROUP.exe
Signature: PhantomStealer
File size: 451'288 bytes
First seen: 2026-06-11 14:44:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (55 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 6144:AtZVzFXh4c6gJe1Qsq4iXqeWjhqFdJLoWQBH63wGrf+vVsmOfyVB5ZZ47:CRxh3sYhdvQBZGCdA44
Threatray 757 similar samples on MalwareBazaar
TLSH T1D2A401712E1BE8E5C3E31EB10072A305E2F095791A554A93B7C8BF7DAF38DC26C49694
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 70c11c302c2829a8 (1 x PhantomStealer)
Reporter lowmal3
Tags: exe PhantomStealer signed

Code Signing Certificate

Organisation: Terminalia
Issuer: Terminalia
Algorithm: sha256WithRSAEncryption
Valid from: 2026-05-03T01:37:05Z
Valid to: 2027-05-03T01:37:05Z
Serial number: 576512b0359d965ea3457e5af6ad1c28ef6d3dce
Thumbprint Algorithm: SHA256
Thumbprint: 5ef6164ce7884484ac6bfdca38c6cab78fed227697a95883fc14e9ac83006de3
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 155
Origin country: DE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Scan105.gz
Verdict: Malicious activity
Analysis date: 2026-06-11 10:35:40 UTC
Tags: arch-exec stealer ip-check evasion phantom smtp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 95.7%
Tags: injection virus nsis sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
Connection attempt
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Verdict: Malicious
File Type: exe x32
First seen: 2026-06-10T20:34:00Z UTC
Last seen: 2026-06-13T12:26:00Z UTC
Hits: ~1000
Detections: VHO:Trojan.Win32.GuLoader.gen Trojan.Win32.GuLoader.sb HEUR:Trojan.Win32.Makoob.gen Trojan.NSIS.Makoob.sba

Result
Threat name: GuLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Browser instances using unsafe startup parameters
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Mass process execution to delay analysis
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph: ID 1926689, sample "Request for Quotation – ABILL GROUP.exe", start date 11/06/2026, architecture WINDOWS, score 100 (graph rendering omitted)
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2026-06-11 03:58:30 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family: phantom_stealer
Score: 10/10
Tags: family:phantom_stealer collection discovery installer persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Detects PhantomStealer written in C#
Family: PhantomStealer
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
PhantomStealer
Executable exe fc32b0350ebb6e5c0a57567bca7ad78e5f030629ffa514a4aef5e02b412edd0d (this sample)
Delivery method: Distributed via e-mail attachment