MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca039965c09bbfeaec88bfb409deed86c93dd980823ee686e924e42ee211e89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DeerStealer


Vendor detections: 17



SHA256 hash: 7ca039965c09bbfeaec88bfb409deed86c93dd980823ee686e924e42ee211e89
SHA3-384 hash: 1c90175b01a2a1466df91b730648e6695a3ca3581fffb3cc791de779a39a4cc92b61649c84addc5ac037cb3f562116a6
SHA1 hash: c76186cc5dc9f1b5c3f608c51693f6de912ef770
MD5 hash: 1f78fd12fe065e43fb74f43eb8bcf048
humanhash: india-yellow-blossom-oscar
File name: HZhaduP.exe
Signature: DeerStealer
File size: 7'286'540 bytes
First seen: 2025-07-16 07:17:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bc758c921c6e0fda5a933c5b8a3c02e9 (2 x LummaStealer, 1 x RaspberryRobin, 1 x AsyncRAT)
ssdeep: 196608:ehX4P+5P51+lnYCyN3EX2zbZOWoVYlUjM1Jqg:oR+6J3EGvZOJYwM1T
TLSH: T13976338AE3C954F8D123C9799C954506EE963D014FB597AF13A0B3AB6F272D06D3C322
TrID: 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      0.7% (.EXE) OS/2 Executable (generic) (2029/13)
      0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: DeerStealer exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 33
Origin country: SE
Vendor Threat Intelligence
Malware family:
ID: 1
File name: e83f22f42dd32cd7f3f01208df3177596989d150374a97ff61db4a941b8b3a08.bin.exe
Verdict: Malicious activity
Analysis date: 2025-07-15 05:51:50 UTC
Tags: lumma stealer themida loader amadey botnet rdp auto-reg arch-exec telegram stealc vidar websocket python

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: downloader dropper emotet virus
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm base64 crossrider crypto evasive expired-cert explorer fingerprint installer keylogger lolbin microsoft_visual_cc overlay packed sfx
Result
Threat name: HijackLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected HijackLoader
Behaviour
Behavior Graph (ID: 1737858, Sample: HZhaduP.exe, Startdate: 16/07/2025, Architecture: WINDOWS, Score: 100)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures. Contacted hosts: archivedcnd-s1.asia, gce-beacons.gcp.gvt2.com and 2 other IPs or domains.

Process chain recovered from the graph:

HZhaduP.exe (started by the sandbox) drops C:\Users\user\WsBurn.dll, C:\Users\user\WS_Log.dll and C:\Users\user\WS_ImageProc.dll (all PE32) plus 10 other malicious files (Drops PE files to the user root directory), then starts UnitNa.exe.

UnitNa.exe drops C:\ProgramData\Bp_Cli_x64\WsBurn.dll, C:\ProgramData\Bp_Cli_x64\WS_Log.dll and C:\ProgramData\Bp_Cli_x64\WS_ImageProc.dll (all PE32) plus 10 other malicious files; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR). It starts a second UnitNa.exe.

The second UnitNa.exe drops C:\Users\user\AppData\Roaming\...\XPFix.exe (PE32), C:\Users\user\AppData\Local\...\194BC0F.tmp (PE32+) and C:\ProgramData\TurboMi.exe (PE32+); Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; 2 other signatures. It starts TurboMi.exe and XPFix.exe.

A further UnitNa.exe instance started directly by the sandbox drops C:\Users\user\AppData\Local\...\2BA349A.tmp (PE32+), shows the same thread-injection and DLL-mapping signatures, and again starts TurboMi.exe and XPFix.exe.

TurboMi.exe connects to archivedcnd-s1.asia (172.67.145.35, port 443, CLOUDFLARENETUS, United States); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures. It starts chrome.exe.

XPFix.exe: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR).

chrome.exe (started by TurboMi.exe) contacts 192.168.2.5 (ports 138, 443) and spawns two further chrome.exe processes, which contact www.google.com (142.250.65.196, port 443, GOOGLEUS, United States), plus.l.google.com (142.250.72.110, port 443, GOOGLEUS, United States) and 7 other IPs or domains.
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Threat name: Win64.Trojan.Rugmi
Status: Malicious
First seen: 2025-07-14 14:19:55 UTC
File Type: PE+ (Exe)
Extracted files: 94
AV detection: 19 of 38 (50.00%)
Threat level: 5/5
Verdict: malicious
Label(s): hijackloader
Similar samples:
Result
Malware family: hijackloader
Score: 10/10
Tags: family:deerstealer family:hijackloader discovery loader stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects DeerStealer
DeerStealer
Deerstealer family
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
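The sandbox reports above reduce to one host-side pattern: a parent writes PE files directly into the user's profile root and into C:\ProgramData, then launches what it wrote (the "Drops PE files to the user root directory", "Executes dropped EXE" and "Loads dropped DLL" signatures). The following is an added example of that detection logic, not code from Joe Sandbox, MalwareBazaar or any EDR product. The event records are constructed to mirror the behaviour graph and are not real telemetry; only the file and directory names are borrowed from the report.

```python
"""Host-side detection for the drop-and-execute chain in the sandbox reports.

Added example; not vendor code. EVENTS below is constructed telemetry that
mirrors the behaviour graph (parent writes PE files to the profile root and to
C:\\ProgramData, then launches them); the benign rows are there to show the
rules do not fire on an ordinary installer.
"""
from pathlib import PureWindowsPath

PE_SUFFIXES = {".exe", ".dll"}

# Constructed telemetry: (event kind, acting process image, target path).
# "file" = image wrote target; "proc" = image started target as a new process.
EVENTS = [
    ("file", r"C:\Users\user\Desktop\HZhaduP.exe", r"C:\Users\user\WsBurn.dll"),
    ("file", r"C:\Users\user\Desktop\HZhaduP.exe", r"C:\Users\user\UnitNa.exe"),
    ("proc", r"C:\Users\user\Desktop\HZhaduP.exe", r"C:\Users\user\UnitNa.exe"),
    ("file", r"C:\Users\user\UnitNa.exe", r"C:\ProgramData\Bp_Cli_x64\WS_Log.dll"),
    ("file", r"C:\Users\user\UnitNa.exe", r"C:\ProgramData\TurboMi.exe"),
    ("proc", r"C:\Users\user\UnitNa.exe", r"C:\ProgramData\TurboMi.exe"),
    # Benign noise: an installer under Program Files and a user launching an app.
    ("file", r"C:\Program Files\Vendor\setup.exe", r"C:\Program Files\Vendor\helper.dll"),
    ("proc", r"C:\Windows\explorer.exe", r"C:\Program Files\Vendor\app.exe"),
]


def is_pe_name(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in PE_SUFFIXES


def in_profile_root(path: str) -> bool:
    """True for C:\\Users\\<name>\\file, i.e. directly in a profile, not a subfolder."""
    parts = PureWindowsPath(path).parts
    return (len(parts) == 4 and parts[1].lower() == "users"
            and parts[2].lower() not in {"public", "default", "all users"})


def under_programdata(path: str) -> bool:
    parts = PureWindowsPath(path).parts
    return len(parts) >= 3 and parts[1].lower() == "programdata"


def detect(events):
    """Return (rule, actor, target) alerts; state is the set of PE files seen dropped."""
    dropped = {}          # lower-cased path -> image that wrote it
    alerts = []
    for kind, image, target in events:
        key = target.lower()
        if kind == "file" and is_pe_name(target):
            dropped[key] = image
            if in_profile_root(target):
                alerts.append(("pe_dropped_to_profile_root", image, target))
            elif under_programdata(target):
                alerts.append(("pe_dropped_to_programdata", image, target))
        elif kind == "proc" and key in dropped:
            # Executes dropped EXE: the launched image was written earlier in this trace.
            alerts.append(("executes_dropped_exe", image, target))
            if image.lower() in dropped:
                # Second stage: a dropped binary launching something it dropped itself.
                alerts.append(("dropped_exe_launches_dropped_exe", image, target))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Two caveats for real telemetry: key the `dropped` state per host and age it out, and do not rely on the extension alone, since the graph shows PE32+ payloads written as `.tmp` files (194BC0F.tmp, 2BA349A.tmp); sniff the `MZ` header on file-create events instead.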
Unpacked files
SHA256 hash: 7ca039965c09bbfeaec88bfb409deed86c93dd980823ee686e924e42ee211e89
MD5 hash: 1f78fd12fe065e43fb74f43eb8bcf048
SHA1 hash: c76186cc5dc9f1b5c3f608c51693f6de912ef770

SHA256 hash: 15c4860f2e0530bc896f9b07f893b32b13cffe40c909293b6232bd5696a5f71a
MD5 hash: 77bffd6a7270bf001aaba999de8394f9
SHA1 hash: 132a1823392596f9748667b67f4aaef709b335c1

SHA256 hash: 30b9b877aa1112105069be6b4de794b7a7147a1d968e71fa63f2edc7397e126f
MD5 hash: 54b87d3271a4fa9b1e1fea51c2ef9c14
SHA1 hash: fd79e145376a6268827ed9693f276c6bb8bca326
Detections: win_samsam_auto win_get2_a0

SHA256 hash: 44f009ca786bc541cda11c61bab7b272e96ce9e3d656c10bdac2e126f3a9cc35
MD5 hash: a4b240cce6e3da6e959f33bd82394034
SHA1 hash: ab5d51c7bc80882d9e8f20b11b41a25e775078d6

SHA256 hash: 4b33ee0e8a4153c0c8ccd945adb18d8f91b5b824746a15986bf6781f081f9968
MD5 hash: 27d48c6c48d5259a4e2ad7be369ce906
SHA1 hash: 66ea6266024a66826a9dd57a1420b8ce6fd13b0c

SHA256 hash: 58ef42507d9fc1e8a7b240ef5cddc9f600c3d9a61ee6a42a4045278bb332b86a
MD5 hash: 23b3a972dc6e25581b6fa9e01bafc375
SHA1 hash: 39b54451f58d16cc76f875c137d72c2fe93bb3af

SHA256 hash: 6036be1c9a8819998ad10879dff6c04edc787d34a142a3e0841c0fca36fb9c6e
MD5 hash: 7c76e3100bd67c47f176a0edde3ef79a
SHA1 hash: bff22f39f3ba61cddd695b8a27b5139c5675afba

SHA256 hash: 8fcae9719a3f831cb73ef50b587a6222ff73d6c1a6ae617636cb31c6e02d5e3a
MD5 hash: c6328e8342538b7e2502b752e5cb1e28
SHA1 hash: fdbb116ce30ea6a0a61fd0e36084dfb26e683b22

SHA256 hash: c1275ddf04a0942b416c1a0b2d32003a4eda732c6f97c74181c236e35d12420f
MD5 hash: 3094481f0cb0531b407d2388ecb4b85f
SHA1 hash: b2ed7c1895e417e0620e1043a8d3fcc4598fc791

SHA256 hash: e841fe9fa09ddc4292f22db95cb2d348d8f37594513f5848d545db92e3b07c66
MD5 hash: c63b86e4e9290bf304e86e03c8a1f235
SHA1 hash: 6d75607cf590ae4d65b79ffab3f9f4f56700b932
Detections: win_samsam_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name: Windows_Trojan_GhostPulse_caea316b
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: DeerStealer
File: Executable exe 7ca039965c09bbfeaec88bfb409deed86c93dd980823ee686e924e42ee211e89 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (FORCE_INTEGRITY) | high

Reviews
ID | Capabilities | Evidence
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
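Three findings on this entry come from static inspection alone: TrID and the SelfExtractingRAR YARA rule identify the file as a WinRAR self-extracting archive (the malicious content is the appended RAR archive and its SFX script, not the stub), and BLint reports a missing Authenticode signature and a missing FORCE_INTEGRITY DllCharacteristics flag. The script below is an added example of reproducing those checks with a hand-rolled PE header walk; it is not code from MalwareBazaar, TrID, BLint or any YARA rule. It runs on a constructed PE32+ stub with a fake RAR archive appended, so the SFX script text and the dropped-file name in it are constructed, not taken from the real sample.

```python
"""Static triage: hashes, overlay / RAR SFX check, Authenticode and DllCharacteristics.

Added example, not vendor code. build_sfx_sample() is a constructed PE32+ stub
with a fake RAR archive and SFX script appended so the checks run offline.
"""
import hashlib
import struct

# IMAGE_DLLCHARACTERISTICS_* flags a binary linter looks for.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",   # the flag BLint reports as missing on this sample
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
}
RAR_SIGNATURES = (b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00")   # RAR5, RAR4
# WinRAR SFX script commands; only findable when the archive comment is stored in clear.
SFX_COMMANDS = (b"Setup=", b"Silent=", b"TempMode", b"Overwrite=", b"Path=")


def file_hashes(data: bytes) -> dict:
    """The four digests MalwareBazaar lists for an entry."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha3_384")}


def parse_pe(data: bytes) -> dict:
    """Minimal PE header walk: DllCharacteristics, security directory, overlay start."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]       # same offset in PE32 and PE32+
    dirs = opt + (112 if pe32plus else 96)
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 4 * 8)   # IMAGE_DIRECTORY_ENTRY_SECURITY
    end_of_sections = 0
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {
        "pe32plus": pe32plus,
        "dll_characteristics": dllchar,
        "authenticode": sec_off != 0 and sec_size != 0,   # WIN_CERTIFICATE blob present
        "overlay_offset": end_of_sections,
    }


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    overlay = data[pe["overlay_offset"]:]                    # bytes after the last section
    rar_hits = [i for i in (overlay.find(s) for s in RAR_SIGNATURES) if i != -1]
    missing = [name for bit, name in DLL_CHARACTERISTICS.items() if not pe["dll_characteristics"] & bit]
    return {
        "hashes": file_hashes(data),
        "pe32plus": pe["pe32plus"],
        "overlay_offset": pe["overlay_offset"],
        "overlay_size": len(overlay),
        "rar_in_overlay": bool(rar_hits),
        "sfx_commands": [c.decode() for c in SFX_COMMANDS if c in overlay],
        "authenticode": pe["authenticode"],
        "missing_dll_characteristics": missing,
    }


def build_sfx_sample(dll_characteristics: int = 0x0160,
                     script: bytes = b"Setup=dropped.exe\r\nSilent=1\r\nTempMode\r\n") -> bytes:
    """Constructed PE32+ stub (one section, unsigned) with a fake RAR archive appended."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8                                   # PE32+ fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    raw_ptr, raw_size = 0x200, 0x200
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    image = headers.ljust(raw_ptr, b"\0") + b"\xCC" * raw_size
    return image + RAR_SIGNATURES[0] + script


if __name__ == "__main__":
    for key, value in triage(build_sfx_sample()).items():
        print(f"{key}: {value}")
```

The overlay offset is the end of the highest section on disk; on a real signed binary the Authenticode blob also lives past that point, so subtract the security directory range before treating the remainder as payload. The plaintext scan for `Setup=`/`Silent=` is a heuristic: if the SFX comment is stored compressed it will not match, and extracting the comment with the RAR tooling is the reliable route.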
