This detection identifies potential Phantom Stealer malware activity by matching file hashes against known IOCs; a hit indicates that an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for these hashes in Azure Sentinel to detect and contain the threat before significant damage occurs.
IOC Summary

Malware Family: Phantom Stealer
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 629f961741fbee0beced217eef514bd9 | payload | 2026-06-17 | 95% |
| sha256_hash | 1da002b8fdbb45b2b95125e88c0a4421e55c9ec3df08572a28a09a66b71450fc | payload | 2026-06-17 | 95% |
| sha1_hash | ef72d52efff59f3c8e3e032db081a11f0b164e18 | payload | 2026-06-17 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Phantom Stealer
// Hash columns in DeviceFileEvents are stored as lower-case hex, so the list below is kept lower-case.
let malicious_hashes = dynamic(["629f961741fbee0beced217eef514bd9", "1da002b8fdbb45b2b95125e88c0a4421e55c9ec3df08572a28a09a66b71450fc", "ef72d52efff59f3c8e3e032db081a11f0b164e18"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
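The query above compares every IOC against every hash column, which works only because MD5, SHA1 and SHA256 digests never share a length. The following Python script, added here as an illustration and not part of the original detection or of ThreatFox, shows the stricter form of that logic: it classifies each IOC by digest length, normalises case so an upper-case hash from an EDR export still matches Sentinel's lower-case columns, rejects anything that is not a recognised digest, and renders a per-column KQL `where` clause. The file-event rows are constructed sample data, not real telemetry; the IOC values are the three from the table above.

```python
"""Match DeviceFileEvents-style rows against a typed IOC hash set.

Added example. The IOC values are the three listed on the page; the
event rows are constructed for illustration and are not real telemetry.
"""
import re
from typing import Dict, List

# The three IOCs listed on the page (ThreatFox - Phantom Stealer).
IOCS = [
    "629f961741fbee0beced217eef514bd9",
    "1da002b8fdbb45b2b95125e88c0a4421e55c9ec3df08572a28a09a66b71450fc",
    "ef72d52efff59f3c8e3e032db081a11f0b164e18",
]

# Hex length -> DeviceFileEvents column: MD5 is 128 bits, SHA1 160, SHA256 256.
HASH_LEN_TO_COLUMN = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_iocs(iocs: List[str]) -> Dict[str, set]:
    """Group IOC hashes by the column they should be compared against.

    Values are lower-cased so a mixed-case feed still matches Sentinel's
    lower-case hash columns; anything that is not a hex digest of a known
    length raises instead of being silently dropped from the hunt.
    """
    typed: Dict[str, set] = {col: set() for col in HASH_LEN_TO_COLUMN.values()}
    for raw in iocs:
        value = raw.strip().lower()
        column = HASH_LEN_TO_COLUMN.get(len(value))
        if column is None or not HEX_RE.match(value):
            raise ValueError(f"not a recognised hash IOC: {raw!r}")
        typed[column].add(value)
    return typed


def build_kql(typed: Dict[str, set]) -> str:
    """Render a KQL hunt that compares each hash type only to its own column."""
    lets, preds = [], []
    for column, values in typed.items():
        if not values:
            continue
        name = f"{column.lower()}_iocs"
        quoted = ", ".join(f'"{v}"' for v in sorted(values))
        lets.append(f"let {name} = dynamic([{quoted}]);")
        preds.append(f"{column} in~ ({name})")  # in~ is the case-insensitive form
    return "\n".join(lets) + "\nDeviceFileEvents\n| where " + " or ".join(preds)


def match_events(events: List[dict], typed: Dict[str, set]) -> List[dict]:
    """Return events whose MD5/SHA1/SHA256 field hits the IOC set for that type."""
    hits = []
    for ev in events:
        for column, values in typed.items():
            observed = (ev.get(column) or "").lower()
            if observed in values:
                hits.append({**ev, "MatchedColumn": column})
                break
    return hits


# Constructed sample rows shaped like DeviceFileEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-18T09:12:03Z", "DeviceName": "ws-01", "FileName": "update.exe",
     "SHA256": "1da002b8fdbb45b2b95125e88c0a4421e55c9ec3df08572a28a09a66b71450fc",
     "SHA1": "ef72d52efff59f3c8e3e032db081a11f0b164e18",
     "MD5": "629f961741fbee0beced217eef514bd9"},
    {"Timestamp": "2026-06-18T09:15:44Z", "DeviceName": "ws-02", "FileName": "notes.txt",
     "SHA256": "a" * 64, "SHA1": "b" * 40, "MD5": "c" * 32},
    # Upper-case digest as exported by some EDR tooling; must still match.
    {"Timestamp": "2026-06-18T09:20:10Z", "DeviceName": "ws-03", "FileName": "svc.dll",
     "SHA256": "", "SHA1": "", "MD5": "629F961741FBEE0BECED217EEF514BD9"},
]

if __name__ == "__main__":
    typed_iocs = classify_iocs(IOCS)
    print(build_kql(typed_iocs))
    for hit in match_events(SAMPLE_EVENTS, typed_iocs):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"], hit["MatchedColumn"])
```

Running the script prints the generated KQL followed by the two matching rows (ws-01 and ws-03); the ws-02 row, whose digests are of the right length but not on the list, is not reported. Keeping the per-type grouping also makes it obvious when a feed entry is malformed, which the single `dynamic([...])` list in the original query would silently ignore.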
False Positive Scenarios

Scenario: Legitimate scheduled job using crontab for system maintenance
Description: A system administrator schedules a legitimate maintenance task using crontab that coincidentally matches the IOC pattern used in the Phantom Stealer detection.
Filter/Exclusion: Exclude entries where the command includes /usr/bin/crontab or where the process is initiated by a user with sudo or root privileges.

Scenario: Use of tar for legitimate archive extraction
Description: A user or automated process uses the tar command to extract a legitimate archive file, which may include paths or filenames that match the IOC pattern.
Filter/Exclusion: Exclude processes where the command includes -xvf or where the file being extracted is located in a known user home directory or temporary directory.

Scenario: System update using apt or yum with temporary files
Description: During a system update, temporary files or logs generated by apt or yum may contain strings that match the IOC pattern.
Filter/Exclusion: Exclude processes where the command includes apt update, apt upgrade, or yum clean all, or where the file path is within /var/log/apt/ or /var/log/yum/.

Scenario: Legitimate use of wget or curl for software downloads
Description: A user or automated process uses wget or curl to download a legitimate software package, which may have a filename or URL that matches the IOC pattern.
Filter/Exclusion: Exclude entries where the URL or filename is known to be from a trusted repository or where the download is initiated by a user with administrative privileges.

Scenario: Use of rsync for legitimate data synchronization
Description: A system administrator uses rsync to synchronize data