MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DeerStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments 1

SHA256 hash:	d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745
SHA3-384 hash:	86a117bf7d770a6c32330ba386400126fad3a1cd3e2076e6900914dd8029ec0e4f8f4113a792393eeb79c2bf7a37a6ef
SHA1 hash:	14001cbabc9faacd9961441787419bafbfa00210
MD5 hash:	1579e6dafdc1c614c17d0a570bcd3abd
humanhash:	summer-music-cat-alaska
File name:	Phantom Forces Script.exe
Download:	download sample
Signature	DeerStealer Create hunting rule
File size:	17'392'951 bytes
First seen:	2025-09-10 18:32:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd455830ba918de67076b7c65d86586 (55 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep	393216:NOjIzUbZNXNvFUCgx4q1G93oj6nGsoIJxzGNlLo:8jIEUT4Omo+YInsLo
TLSH	T1B8073317B2CB613FF07E8A360977E212993B7A61A6128C5793E4489CDF250E51E3F706
TrID	60.0% (.EXE) Inno Setup installer (107240/4/30) 23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	AntiSkidding
Tags:	DeerStealer exe fake-cheat trojan

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Phantom Forces Script.exe

Verdict:

Malicious activity

Analysis date:

2025-09-10 18:35:54 UTC

Tags:

auto generic hijackloader loader stealer ultravnc rmm-tool

Link:

https://app.any.run/tasks/9ad42dd6-c949-49a0-8acc-4a3af8644bd1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26777/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c1c492b200525988798c3a

Tags:

shellcode dropper smtp

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

DNS request

Connection attempt

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm crypto embarcadero_delphi fingerprint innosetup installer overlay packed zero

Link:

https://www.filescan.io/uploads/68c1c48b732879482925dc60/reports/58f8d0b3-6444-4459-acb4-479278dfee9e/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-10T16:46:00Z UTC

Last seen:

2025-09-10T16:46:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/222ee863-4c8d-448e-93b3-8c279fbcaa22

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745/

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-09-10 18:34:49 UTC

File Type:

PE (Exe)

AV detection:

11 of 38 (28.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3c4akce5fy5deb2h6olykjmptw2p77conhz7nnquwqi7ncynq5cq._file

Verdict:

malicious

Label(s):

hijackloader

deerstealer

Similar samples:

error

DeerStealer

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:deerstealer family:hijackloader discovery loader stealer

Link:

https://tria.ge/reports/250910-w7j2mshp6y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

DeerStealer

Deerstealer family

Detects DeerStealer

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/83e12938-946c-484f-b612-f265e7f16c0f

Unpacked files

SH256 hash:

d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745

MD5 hash:

1579e6dafdc1c614c17d0a570bcd3abd

SHA1 hash:

14001cbabc9faacd9961441787419bafbfa00210

Link:

https://www.unpac.me/results/b13973b7-fabb-4a72-b478-29582f81cabd/

SH256 hash:

5752fefc41276ab81d7b49790e7cb186d02d929ae6e1a44040f55410c4edc521

MD5 hash:

2541fa7a21a33325d875060c4c017bfd

SHA1 hash:

c3595141255beb785f45c5933264b700e0d3a5b3

Link:

https://www.unpac.me/results/b13973b7-fabb-4a72-b478-29582f81cabd/

Malware family:

DeerStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d8b805089d2e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)