MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DeerStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941
SHA3-384 hash:	866d8c724a52dcf2a01909d76999f1613a82351229334f1a25474581911311d44584d838cee1a4ff19a2fba1a82f5810
SHA1 hash:	b345b5192ff716932be4cd2b439289da0a65f575
MD5 hash:	a616b798e873ea1feb632ca74020aaac
humanhash:	bakerloo-black-north-charlie
File name:	file
Download:	download sample
Signature	DeerStealer Create hunting rule
File size:	4'302'848 bytes
First seen:	2026-05-13 22:58:50 UTC
Last seen:	2026-05-16 08:14:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dc087b6d188be1d4ce16dd51f3db1953 (1 x DeerStealer)
ssdeep	49152:NgYF9ctqp18QFMJWuiWmIv73+yEx6iQvqhCjQkfVD15W6w22PzFHMFfCyEdAJgIF:Nf0/pTVe28bOa
Threatray	1 similar samples on MalwareBazaar
TLSH	T16D162A27D26D12A6D3E6C27DB10B67A3ED3A314426B5B2B315A25351333061CAF7C3A7
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	DeerStealer dropped-by-gcleaner exe f MIX8.file

Bitsight

url: http://91.92.241.242/service

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/0ec0792f-c5c4-4c36-b981-72ed5122d33b/

Malware family:

n/a

ID:

File name:

_3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941.exe

Verdict:

Malicious activity

Analysis date:

2026-05-13 23:00:39 UTC

Tags:

deerstealer stealer

Link:

https://app.any.run/tasks/a41e486f-887c-4911-8aba-4ab497182c14

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/65834/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.112036.19888.25922.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a050253953bbcef1c903012

Tags:

hype sage

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Connection attempt

Sending an HTTP GET request

Launching a service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug crypt packed

Link:

https://www.filescan.io/uploads/6a05024e792fe2d217b25a2b/reports/a03e5a47-71f4-4dcc-9fda-0ab33d005b6c/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-13T20:11:00Z UTC

Last seen:

2026-05-14T22:10:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Penguish.hez Trojan.Penguish.HTTP.C&C

Link:

https://opentip.kaspersky.com/3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b490c28f-72b6-4edb-8840-db75611b76f1

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/a616b798e873ea1feb632ca74020aaac

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941/

Verdict:

Malicious

Threat:

Family.DEERSTEALER

Link:

https://tip.neiki.dev/file/3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941

Threat name:

Win64.Spyware.Deerstealer

Status:

Malicious

First seen:

2026-05-13 22:59:31 UTC

File Type:

PE+ (Exe)

AV detection:

27 of 38 (71.05%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hnwowmwigt3jkah3ucq4o2rdmjtz5zbao7v63ux4eqstprcdffaq._file

Verdict:

malicious

Label(s):

deerstealer

Similar samples:

error

DeerStealer

Result

Malware family:

deerstealer

Score:

10/10

Tags:

family:deerstealer stealer

Link:

https://tria.ge/reports/260513-2yk58sbz2p/

Behaviour

Detects DeerStealer

Family: DeerStealer

Unpacked files

SH256 hash:

3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941

MD5 hash:

a616b798e873ea1feb632ca74020aaac

SHA1 hash:

b345b5192ff716932be4cd2b439289da0a65f575

Detections:

triage_deer_infostealer

Link:

https://www.unpac.me/results/bab384d5-45ff-42f4-85b2-94f4608da934/

Malware family:

DeerStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3b6ceb32c834/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.77

Link:

https://yomi.yoroi.company/submissions/3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DeerStealer

exe 3b6ceb32c834f69500fba0a1c76a2362679ee42077ebedd2fc242537c4432941

(this sample)

Dropped by

Gcleaner

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/65834/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample