MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aee7978dc8889e53d9cbd36ff78c5c26d92e52365591accc0a7ba2afbcc40dbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DeerStealer
Vendor detections: 18
SHA256 hash: aee7978dc8889e53d9cbd36ff78c5c26d92e52365591accc0a7ba2afbcc40dbf
SHA3-384 hash: a2e6e17123c077324d0428787781b55609a02c6f1ed4b132080caf07fa2f9b987e5e41cade570c0625ae7d5c38d863e0
SHA1 hash: 19340c80e820a5a40f1dd04d489d846a33702c27
MD5 hash: a01f2e58d64fb224b448a19100828d53
humanhash: thirteen-pip-earth-queen
File name: file
Signature: DeerStealer
File size: 4'954'458 bytes
First seen: 2025-10-14 04:02:17 UTC
Last seen: 2025-10-14 04:09:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep: 98304:+pJHoLSblSMpjVj7WdUVBYBva+zDRf9DRl6R3dNx+fSOkDnlLN:+pJHBbNZB5BYBy+fRVD76R3Z+frG5
TLSH: T1ED363351B752F4F7DA364236CF0AEF629176E7B3B2406F8B52A14E053C97351A20B4CA
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Bitsight
Tags: DeerStealer dropped-by-amadey exe

Bitsight
url: http://178.16.55.189/files/889380751/mvlTLO6.exe

Intelligence

File Origin
# of uploads: 4
# of downloads: 79
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-10-14 02:12:15 UTC
Tags: amadey botnet stealer themida rdp auto generic loader anti-evasion ms-smartcard gcleaner evasion rustystealer autoit miner silentcryptominer winring0-sys vuln-driver phishing stealc rat njrat bladabindi remote backdoor hijackloader purecrypter inno installer delphi rhadamanthys xor-url upx salatstealer susp-powershell golang
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: shellcode dropper virus

Result
Verdict: Malware

Maliciousness:
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context amadey fingerprint hijackloader installer microsoft_visual_cc overlay overlay redcap unsafe

Verdict: Malicious
File Type: exe x32
First seen: 2025-10-13T16:28:00Z UTC
Last seen: 2025-10-14T10:23:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Penguish.fvc Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb

Malware family: Sysinternals
Verdict: Suspicious

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86

Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2025-10-13 18:57:18 UTC
File Type: PE (Exe)
Extracted files: 24
AV detection: 26 of 38 (68.42%)
Threat level: 5/5

Verdict: malicious
Label(s): deerstealer hijackloader
Similar samples:
Result

Malware family: hijackloader
Score: 10/10
Tags: family:deerstealer family:donutloader family:hijackloader discovery loader spyware stealer
Behaviour:
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Unpacked files

Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
DeerStealer
Executable exe aee7978dc8889e53d9cbd36ff78c5c26d92e52365591accc0a7ba2afbcc40dbf (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

Comments