MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhantomStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210
SHA3-384 hash: b084a0f488b47408d175f9912d64e43f9eb08283115dfc44f4b55fd578bf046cb3a24cd240546b899431ea3f080c1add
SHA1 hash: 2e828222d11118117fe929e79d5c8c5db1ccc124
MD5 hash: 2d4836d923e9231affbc7bfb4e7494f0
humanhash: six-arizona-eighteen-football
File name:IMPORTES 347.exe
Download: download sample
Signature PhantomStealer
Create hunting rule
File size:1'768'960 bytes
First seen:2026-02-10 10:09:44 UTC
Last seen:2026-02-10 10:27:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 24576:V/kfd1HK6/XZfS1qHaqsjU6UsHMIrEMJv3oqMXYg9pGdl0xm3GD:2fd1H7JEaaFxUsHdJv32A6
Threatray 350 similar samples on MalwareBazaar
TLSH T15E85012527C44F68F8BF9738A579511047F1B80E9B22DB2EBF9850DA0861F4EC662773
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210.7z
Verdict:
No threats detected
Analysis date:
2026-02-10 08:35:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7a7e4203-d506-4c25-90af-f4ebc515c7f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/52893/
Detection(s):
SecuriteInfo.com.Trojan.Remcos.730.11111.11830.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698b04144c8b031249cdf991
Tags:
redline emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/698b040e2ffccda0976c1e62/reports/02cabb28-3d22-41ae-9a07-035a9a63f026/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-10T00:55:00Z UTC
Last seen:
2026-02-12T08:43:00Z UTC
Hits:
~1000
Detections:
VHO:Backdoor.Win32.Androm.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Agent.sba Trojan-Spy.Stealer.HTTP.C&C Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.MSIL.Stealerium.sb Trojan-PSW.MSIL.Discord.sb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.b Trojan-PSW.Stealer.HTTP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Stealerium.gen Trojan-PSW.MSIL.Stealer.sb
Link:
https://opentip.kaspersky.com/ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a2e40c94-1f84-4bf6-95d0-073587a859b2
Result
Threat name:
DarkTortilla, KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1866585
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DarkTortilla Crypter
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1866585 Sample: IMPORTES  347.exe Startdate: 10/02/2026 Architecture: WINDOWS Score: 100 56 api.telegram.org 2->56 58 telemetry-incoming.r53-2.services.mozilla.com 2->58 60 12 other IPs or domains 2->60 82 Suricata IDS alerts for network traffic 2->82 84 Found malware configuration 2->84 86 Antivirus / Scanner detection for submitted sample 2->86 90 17 other signatures 2->90 9 IMPORTES  347.exe 3 2->9         started        13 msedge.exe 2->13         started        16 firefox.exe 1 2->16         started        signatures3 88 Uses the Telegram API (likely for C&C communication) 56->88 process4 dnsIp5 50 C:\Users\user\...\IMPORTES  347.exe.log, ASCII 9->50 dropped 100 Found many strings related to Crypto-Wallets (likely being stolen) 9->100 102 Writes to foreign memory regions 9->102 104 Allocates memory in foreign processes 9->104 106 2 other signatures 9->106 18 InstallUtil.exe 25 12 9->18         started        76 192.168.2.4, 138, 443, 49434 unknown unknown 13->76 78 239.255.255.250 unknown Reserved 13->78 22 msedge.exe 13->22         started        24 setup.exe 13->24         started        26 msedge.exe 13->26         started        31 4 other processes 13->31 28 firefox.exe 3 159 16->28         started        file6 signatures7 process8 dnsIp9 62 api.telegram.org 149.154.166.110, 443, 49782, 49791 TELEGRAMRU United Kingdom 18->62 64 icanhazip.com 104.16.185.241, 49789, 80 CLOUDFLARENETUS United States 18->64 92 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->92 94 Tries to steal Mail credentials (via file / registry access) 18->94 96 Tries to harvest and steal browser information (history, passwords, etc) 18->96 98 5 other signatures 18->98 33 msedge.exe 18->33         started        36 chrome.exe 18->36 injected 38 firefox.exe 1 18->38         started        46 3 other processes 18->46 66 mr-b01.tm-azurefd.net 150.171.109.118, 443, 49721, 49741 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->66 68 ln-0007.ln-msedge.net 150.171.22.17, 443, 49729 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->68 72 32 other IPs or domains 22->72 40 setup.exe 24->40         started        70 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49804, 49805, 80 GOOGLEUS United States 28->70 74 6 other IPs or domains 28->74 52 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 28->52 dropped 54 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 28->54 dropped 42 firefox.exe 28->42         started        44 firefox.exe 28->44         started        file10 signatures11 process12 signatures13 80 Monitors registry run keys for changes 33->80 48 msedge.exe 33->48         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/2d4836d923e9231affbc7bfb4e7494f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-02-10 07:23:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
69
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=75rqmemdwf5qvno5xjel4okolm35dna7xjubbm52dbveya3owiia._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
0cbb7f1b15b8cd50b8269b954738cbad9099994d60df5309ac5326c3886c3d10
PhantomStealer
4abd169c2e8280b1e13b34af291b91138473bafd4b996ce020363f52371d77b6
PhantomStealer
4c3ae6b27ff6c7003f1d58a9c09f69c6a877f5db5b285abe919ff41e1654c6bc
PhantomStealer
6314c3c82acb165b93aa922ff379754ea29c321d7a757a5d55d72e537072d9c7
PhantomStealer
9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
PhantomStealer
+ 340 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery stealer
Link:
https://tria.ge/reports/260210-l7h48saw8f/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
.NET Reactor proctector
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8462087005:AAEXzjR7NvdtxxNL2ihYxpi0tpCxnUs8h0A/sendMessage?chat_id=8591926998
Unpacked files
SH256 hash:
ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210
MD5 hash:
2d4836d923e9231affbc7bfb4e7494f0
SHA1 hash:
2e828222d11118117fe929e79d5c8c5db1ccc124
Link:
https://www.unpac.me/results/0f92f844-1dd1-4600-88f6-c8a77108b7f7/
SH256 hash:
b0ed34436b2692757531296110c0ed964e73355d781af1aaa6f6e538cc06dd23
MD5 hash:
2cb79877409a9bb86092810209de4a9f
SHA1 hash:
02113c03091b72921a5b5b22d9145ceed5580b89
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/0f92f844-1dd1-4600-88f6-c8a77108b7f7/
Parent samples :
abf4b038965806a304b371cec0afde2312895ebadc36aba7f037096ad16d66f5
6bbe903a9cac83eb79a16f05b00ab6342861811f2ceb879177f36133f9237906
430716375e71d197cfe9fe4496ec52028498eda6ad17d47005b37e55cae97b07
ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210
64ccdd6f56c0c70b847fa90c20c58b3c039b39906cddc3f90122f02875760175
364e64c2f1efc897342a41c5389f83d86cbc6b56e39abcd2a5e48e1a67fa1fae
17b4b64cc0981196a5e53ef62d692b39af394ad5de609a76bb3d4dfb5efa979f
0e6ce191196d561a11d2e38053bf411d6da991bf45dc5840df3a8832bbd0f253
3a0655a9973e8d7600f228240e1c3494b0acc55f46f218f42c12138d8ab73014
8a0a1c0a305381c48d65ab4be874a4651c4446bc6067b6592db673c5664658de
2d80a9e5f2d7d40da131a8ed7ea8b67a25ff001263bec22589bfbaae4b89e963
e7227b215daa43a3c529f9d9631880b8c20b319f049f081fbfac75011c31ed2b
b17c1605a8564b9772a2a90db59803ce70a2dbaeefcb3a7aedec732b87146b2f
e3ccebebae0ce58740624ec86b74e6325e0384b3181fc493b022720c378b9a4e
e648569e99af9d140dc6f46ba47d7d9476389cdc87a484e4039151fc9d559082
SH256 hash:
e9ab55f7e25770ec2fcd0ec66fe634dedfdd7be6e74ded9064a864ec7b5b8c8e
MD5 hash:
50417cfda4b8d378013da4389f47f448
SHA1 hash:
5865291aa0ea325b05128be79b8dc6ba0ded5d23
Detections:
phantom_stealer
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Link:
https://www.unpac.me/results/0f92f844-1dd1-4600-88f6-c8a77108b7f7/
SH256 hash:
ce6e97f0fceeb68aec45dc7fd84f2ac1c9daec284d52551f852ff42669d883f8
MD5 hash:
1f4a4be8df6bd4a7437b514b45ed8b80
SHA1 hash:
a2c19836919fc00f4f082a345afb6b3f9509a82e
Link:
https://www.unpac.me/results/0f92f844-1dd1-4600-88f6-c8a77108b7f7/
SH256 hash:
d477fb4f33c70b76b04f97d8142495a1ea95f56599026758c6bda3497b94f21e
MD5 hash:
10d2d421f3af641a2fa0d01b92cebf20
SHA1 hash:
aeab2fd9ce92bc6690103d984992da1609cfb5fb
Link:
https://www.unpac.me/results/0f92f844-1dd1-4600-88f6-c8a77108b7f7/
SH256 hash:
d6b2ceed508ab3117356c177e624fb97b298890c7a15d64c09409cc77d54cdf6
MD5 hash:
bd1a055ca19b8934cbb1eff05b21f321
SHA1 hash:
c1c9e3838e4397cb49d92bfdd6f94254dfd95abc
Link:
https://www.unpac.me/results/0f92f844-1dd1-4600-88f6-c8a77108b7f7/
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff63061183b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM names
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM usernames
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
Author:ditekSHen
Description:Detects executables with interest in wireless interface using netsh
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:Windows_Generic_Threat_f57e5e2a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Xeno_89f9f060
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

PhantomStealer

DLL dll 64d41873376ba2ab7b69615667fd3de31038b93399e88536ea6efb8f3b1a83e6

PhantomStealer

Executable exe ff63061183b17b0ab5ddba48be394e5b37d1b41fba6810b3ba186a4c036eb210

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/52893/
  
Dropped by
SHA256 64d41873376ba2ab7b69615667fd3de31038b93399e88536ea6efb8f3b1a83e6
  
Dropped by
MD5 479b9cb3aba7f39d800cfb538c42e7d7

Comments