MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0
SHA3-384 hash: 53bac4a3583c8a92c441b2fb4a80bac7fba68aa4ee2439b58a614fd79a45b46400986af0fe7a4d8ca945a40d29c44136
SHA1 hash: a91b5ddca78598e1e85bf7f1fbc855be879cf726
MD5 hash: 9223eb807c88aab14d028e791fd88fc6
humanhash: alanine-colorado-sodium-arizona
File name:Invoice.bat
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:3'585'978 bytes
First seen:2026-01-30 03:56:34 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24576:P7R4YwGv9N5+mJpYpq1LbxM93lcw/RWrz5UfGB/lOEoyFLQ1ANiFzbV65xKrIayd:jmzweITeHZMtumxHD
Threatray 2'748 similar samples on MalwareBazaar
TLSH T1CFF5AEF33496B994CDEEE65F865F8728732E1182B713118C179F0E948B2394F7B8458A
Magika batch
Reporter alxiden
Tags:bat PhantomStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
GB GB
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
Link:
https://research.acce.ciphertechsolutions.com/results/9131fced-6ada-4d2f-961d-36fddeb6e091/
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ConfilmInvoice.zip
Verdict:
Malicious activity
Analysis date:
2026-01-30 03:45:17 UTC
Tags:
arch-exec keylogger agenttesla susp-powershell phantom stealer evasion
Link:
https://app.any.run/tasks/20f3a3e9-ca5b-4847-9e3f-1b230032726d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50772/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697c2c2cbec9764f45300138
Tags:
emotet spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Launching the process to change network settings
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
attrib base64 cobalt masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/697c2c26930564ff3c7db6cb/reports/cdfbc28c-b00c-420d-958a-b97799489b99/overview
Verdict:
Malicious
Labled as:
BAT/Runner.PL trojan
Link:
https://www.hybrid-analysis.com/sample/fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-01-26T05:21:00Z UTC
Last seen:
2026-01-31T16:50:00Z UTC
Hits:
~10000
Detections:
Trojan-Spy.Agent.SMTP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealerium.sb Trojan-Dropper.Win32.Injector.sb Trojan.PowerShell.Cobalt.sb Trojan.Win32.HTA.a Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Vimditator.sb HEUR:Trojan.Script.Generic Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Agent.sb Backdoor.Win32.Androm Backdoor.MSIL.Agent.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Discord.sb Trojan.Win32.Shellcode.sb HEUR:Trojan.BAT.Cobalt.gen
Link:
https://opentip.kaspersky.com/fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0
Threat name:
Script-BAT.Trojan.Runner
Create hunting rule
Status:
Malicious
First seen:
2026-01-26 14:10:14 UTC
File Type:
Text (Batch)
AV detection:
8 of 36 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7q6z7comljvsqjacewj62ovu3ffhf5y66xzusu5mzfjbigwrcdya._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
phantomstealer
Create hunting rule
Similar samples:
0462d2a890595de741f9a29fb99102e43ce72cfe000aff7afbc749771c8bd819
PhantomStealer
0cf3d7eaea22681caa5425bca164468cf7a13f0848e12ad2fe0115b93e0c9f9c
PhantomStealer
0daa3fc7e8c657b4e98fbd3be6b56c2c8950224945c5d0d3c10c2e4967637dce
PhantomStealer
0dbab5ca9c9079ca6099b4f036f7c403e0b61fdcb77dea147ff25d8c349ed1d3
PhantomStealer
31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870
PhantomStealer
815b1ccf52d1f815f76b46b5a23f203dc80debafb39e1b6c95d9d19863a69828
PhantomStealer
8965d3f8da67f5dfb489fc9491240becb0293a1a8bdb56f26e6c4240ab3c76b0
PhantomStealer
c0e7dcf3dc7f8585cca9ebc201b47eed57a71b296a6ef9b6631920fa8db2216e
PhantomStealer
c5ac054b0470e6b792c9064c1fa7eb8ddd5867d69752637330cad3294c4b875b
PhantomStealer
d673062540cfb3bde3f837a40223cb95658f93501c680be1a21fce0bf7d49032
PhantomStealer
error
PhantomStealer
+ 2'738 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:phantom_stealer collection defense_evasion discovery execution loader persistence privilege_escalation stealer
Link:
https://tria.ge/reports/260130-eh545sf19c/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Detects DonutLoader
Detects PhantomStealer payload
DonutLoader
Donutloader family
PhantomStealer
Phantom_stealer family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:SUSP_Base64
Create hunting rule
Author:Eslam Hassan
Description:Detects hex encoded code that has been base64 encoded
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PhantomStealer

Batch (bat) bat fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0

(this sample)

anyrun
any.run
https://app.any.run/tasks/5cbd8604-e207-4143-9ab5-29731327d859
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/50772/

Comments