MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DeerStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da
SHA3-384 hash: 7ad04413d777170dc25d80ff00fc835f172cc89b64b1a22a734d0761a0ff7d46af76583359b4b1e6a812dac4dce9cc84
SHA1 hash: 0d1490d52244ac8e70b0d73b83624d98d0e29c83
MD5 hash: ccda2649a54f0ff3cf4f59fb962f5a2f
humanhash: spaghetti-oranges-minnesota-grey
File name:jzQILRF.exe
Download: download sample
Signature DeerStealer
Create hunting rule
File size:2'426'880 bytes
First seen:2025-06-22 08:32:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cc0aad8af1cd48f63ec32755f2b0ed87 (1 x DeerStealer)
ssdeep 49152:cH0od1y4ELgo5P5s16IrnS463gCFHxHD3LI62CrjXGZLK+rzHuUujCb1mVsFpB0m:TmkrIDC6R
TLSH T152B55B2B55A9609AE3E6C07CF1165792EC30764C0E35A7B725B683923730A2C9B7D373
TrID 55.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
6.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:DeerStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
417
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
6acec47087ad8c33f97b7ade2253490869f83adbfa382da75d69414a27c9b9f2.bin
Verdict:
Malicious activity
Analysis date:
2025-06-21 23:04:38 UTC
Tags:
lumma stealer themida loader amadey botnet screenconnect rmm-tool rdp telegram vidar lclipper clipper evasion auto-reg stealc autoit python quasar rat stegocampaign github reverseloader ta558 apt payload smoke smokeloader
Link:
https://app.any.run/tasks/a331151f-eedc-47c0-ad66-0cc0cfad8451

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10474/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.1041.9722.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6857c15132ed47a3a8d67daf
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/acefdce2-1806-47c4-a88f-3fcdf5327546
Result
Threat name:
Deer Stealer, HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1720186
Signature
Allocates memory in foreign processes
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected Deer Stealer
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1720186 Sample: jzQILRF.exe Startdate: 22/06/2025 Architecture: WINDOWS Score: 100 73 servecore.today 2->73 75 citadelcdn.pro 2->75 77 5 other IPs or domains 2->77 91 Suricata IDS alerts for network traffic 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 5 other signatures 2->97 10 jzQILRF.exe 2 2->10         started        15 Termin_Neuro.exe 5 2->15         started        signatures3 process4 dnsIp5 81 citadelcdn.pro 172.67.158.196, 443, 49720 CLOUDFLARENETUS United States 10->81 83 servecore.today 172.67.174.10, 443, 49721 CLOUDFLARENETUS United States 10->83 57 C:\...\YobqqShbJCtoq38xFnHdQSej8hnRNy.exe, PE32 10->57 dropped 113 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->113 115 Found many strings related to Crypto-Wallets (likely being stolen) 10->115 117 Tries to harvest and steal browser information (history, passwords, etc) 10->117 123 5 other signatures 10->123 17 YobqqShbJCtoq38xFnHdQSej8hnRNy.exe 7 10->17         started        21 chrome.exe 2 10->21         started        59 C:\Users\user\AppData\Local\...\C6B2CA8.tmp, PE32+ 15->59 dropped 119 Modifies the context of a thread in another process (thread injection) 15->119 121 Maps a DLL or memory area into another process 15->121 24 XPFix.exe 15->24         started        26 TCollector.exe 15->26         started        file6 signatures7 process8 dnsIp9 45 C:\Users\user\AppData\Local\Temp\vcl120.bpl, PE32 17->45 dropped 47 C:\Users\user\AppData\Local\Temp\rtl120.bpl, PE32 17->47 dropped 49 C:\Users\user\AppData\...\Termin_Neuro.exe, PE32 17->49 dropped 87 Multi AV Scanner detection for dropped file 17->87 28 Termin_Neuro.exe 6 17->28         started        79 192.168.2.4, 138, 443, 49483 unknown unknown 21->79 89 Found many strings related to Crypto-Wallets (likely being stolen) 21->89 32 chrome.exe 21->32         started        file10 signatures11 process12 dnsIp13 61 C:\ProgramData\Checkjava_test5\vcl120.bpl, PE32 28->61 dropped 63 C:\ProgramData\...\Termin_Neuro.exe, PE32 28->63 dropped 65 C:\ProgramData\Checkjava_test5\rtl120.bpl, PE32 28->65 dropped 125 Switches to a custom stack to bypass stack traces 28->125 35 Termin_Neuro.exe 7 28->35         started        67 play.google.com 142.251.40.110, 443, 49737, 49739 GOOGLEUS United States 32->67 69 www.google.com 142.251.41.4, 443, 49728, 49729 GOOGLEUS United States 32->69 71 7 other IPs or domains 32->71 file14 signatures15 process16 file17 51 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 35->51 dropped 53 C:\Users\user\AppData\Local\...\B48B564.tmp, PE32+ 35->53 dropped 55 C:\Users\user\AppData\Local\TCollector.exe, PE32+ 35->55 dropped 99 Modifies the context of a thread in another process (thread injection) 35->99 101 Found hidden mapped module (file has been removed from disk) 35->101 103 Maps a DLL or memory area into another process 35->103 105 2 other signatures 35->105 39 XPFix.exe 35->39         started        42 TCollector.exe 2 35->42         started        signatures18 process19 dnsIp20 107 Contains functionality to infect the boot sector 39->107 109 Switches to a custom stack to bypass stack traces 39->109 111 Found direct / indirect Syscall (likely to bypass EDR) 39->111 85 anymeshes.pro 172.67.205.173, 49740, 80 CLOUDFLARENETUS United States 42->85 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/ccda2649a54f0ff3cf4f59fb962f5a2f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-06-21 13:17:52 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mct3un7l76zdyspr3szis755hnmppxrgskqgrbtndvumgsexrhna._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250622-kf2xlaylt2/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6cc49cbc-ce26-4dcf-8e82-d7deeaac9575
Unpacked files
SH256 hash:
60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da
MD5 hash:
ccda2649a54f0ff3cf4f59fb962f5a2f
SHA1 hash:
0d1490d52244ac8e70b0d73b83624d98d0e29c83
Link:
https://www.unpac.me/results/6a52b5c7-e688-4403-bf5f-7b6a3b0d4a4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DeerStealer

Executable exe 60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558736/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/10474/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegSetValueExA

Comments