MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8d487fdb3efe93da96a48c48667dc82d0d95c9f6622650ceef99ef1f7a418fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DeerStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8d487fdb3efe93da96a48c48667dc82d0d95c9f6622650ceef99ef1f7a418fc
SHA3-384 hash: b1afb9859ff975d255c7c1ed27976dc3158ae84d296be8e8d07cc5cf3c53e4d9cbb055adb2a1c017c4267a44b8861f68
SHA1 hash: 3b40be595fa94a69b182944f0e39e6f5e6890003
MD5 hash: 285764f261b4f8d1ced113e0825ccb0c
humanhash: zebra-virginia-uniform-south
File name:285764f261b4f8d1ced113e0825ccb0c.exe
Download: download sample
Signature DeerStealer
Create hunting rule
File size:2'452'480 bytes
First seen:2025-06-18 05:49:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b9dc4ed6d6f29a82b8fd3431fc3b1d8b (1 x DeerStealer)
ssdeep 49152:iuc97/dm2JFGvMb2vx7rpgfo8+oETIFcmCLPtiaaRxUN3gmzQ70bPVOaCF8Aw5E:kN989gQBn
TLSH T16BB55A2B5169609AE3E6C07CF55A57A2FC3132484E39A7B714B683923730A1C9B7D373
TrID 55.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
6.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:DeerStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
447
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
b608757659de99022afcba9cf7e87eeac74160fdc2b9b8cff56140d63c24a6b1.bin
Verdict:
Malicious activity
Analysis date:
2025-06-17 19:13:17 UTC
Tags:
lumma stealer themida loader amadey botnet rdp telegram stealc vidar arch-exec gcleaner auto autoit
Link:
https://app.any.run/tasks/c6bf5db8-3e89-498d-b580-99e95c51962d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9917/
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d8d487fdb3efe93da96a48c48667dc82d0d95c9f6622650ceef99ef1f7a418fc
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d6bc382-f378-4ef8-b8af-6c7933f90e25
Result
Threat name:
Deer Stealer, HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1717070
Signature
Allocates memory in foreign processes
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected Deer Stealer
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717070 Sample: v0nEaZwFFg.exe Startdate: 18/06/2025 Architecture: WINDOWS Score: 100 69 hotroutingcdn.asia 2->69 71 servecore.today 2->71 73 4 other IPs or domains 2->73 91 Suricata IDS alerts for network traffic 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 5 other signatures 2->97 10 v0nEaZwFFg.exe 2 2->10         started        15 Termin_Neuro.exe 5 2->15         started        signatures3 process4 dnsIp5 83 hotroutingcdn.asia 172.67.168.92, 443, 49685 CLOUDFLARENETUS United States 10->83 85 servecore.today 104.21.88.77, 443, 49688 CLOUDFLARENETUS United States 10->85 59 C:\Users\user\AppData\...\5Xa525qwl1zzm.exe, PE32 10->59 dropped 113 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->113 115 Found many strings related to Crypto-Wallets (likely being stolen) 10->115 117 Tries to harvest and steal browser information (history, passwords, etc) 10->117 123 5 other signatures 10->123 17 5Xa525qwl1zzm.exe 7 10->17         started        21 chrome.exe 2 10->21         started        61 C:\Users\user\AppData\Local\...\78ABA9C.tmp, PE32+ 15->61 dropped 119 Modifies the context of a thread in another process (thread injection) 15->119 121 Maps a DLL or memory area into another process 15->121 24 TCollector.exe 15->24         started        26 XPFix.exe 15->26         started        file6 signatures7 process8 dnsIp9 47 C:\Users\user\AppData\Local\Temp\vcl120.bpl, PE32 17->47 dropped 49 C:\Users\user\AppData\Local\Temp\rtl120.bpl, PE32 17->49 dropped 51 C:\Users\user\AppData\...\Termin_Neuro.exe, PE32 17->51 dropped 89 Multi AV Scanner detection for dropped file 17->89 28 Termin_Neuro.exe 6 17->28         started        32 svchost.exe 17->32         started        81 192.168.2.6, 138, 443, 49685 unknown unknown 21->81 34 chrome.exe 21->34         started        file10 signatures11 process12 dnsIp13 63 C:\ProgramData\Checkjava_test5\vcl120.bpl, PE32 28->63 dropped 65 C:\ProgramData\...\Termin_Neuro.exe, PE32 28->65 dropped 67 C:\ProgramData\Checkjava_test5\rtl120.bpl, PE32 28->67 dropped 125 Switches to a custom stack to bypass stack traces 28->125 37 Termin_Neuro.exe 7 28->37         started        75 www.google.com 142.250.65.196, 443, 49693, 49697 GOOGLEUS United States 34->75 77 play.google.com 142.250.81.238, 443, 49707, 49708 GOOGLEUS United States 34->77 79 6 other IPs or domains 34->79 file14 signatures15 process16 file17 53 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 37->53 dropped 55 C:\Users\user\AppData\Local\...\6885105.tmp, PE32+ 37->55 dropped 57 C:\Users\user\AppData\Local\TCollector.exe, PE32+ 37->57 dropped 99 Modifies the context of a thread in another process (thread injection) 37->99 101 Found hidden mapped module (file has been removed from disk) 37->101 103 Maps a DLL or memory area into another process 37->103 105 2 other signatures 37->105 41 XPFix.exe 37->41         started        44 TCollector.exe 2 37->44         started        signatures18 process19 dnsIp20 107 Contains functionality to infect the boot sector 41->107 109 Switches to a custom stack to bypass stack traces 41->109 111 Found direct / indirect Syscall (likely to bypass EDR) 41->111 87 anymeshes.pro 104.21.90.224, 49711, 80 CLOUDFLARENETUS United States 44->87 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d8d487fdb3efe93da96a48c48667dc82d0d95c9f6622650ceef99ef1f7a418fc
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/285764f261b4f8d1ced113e0825ccb0c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8d487fdb3efe93da96a48c48667dc82d0d95c9f6622650ceef99ef1f7a418fc/
Threat name:
Win64.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2025-06-17 13:26:22 UTC
File Type:
PE+ (Exe)
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dkip7nt57ut3klkjdcimz64qlinsxe7myrgkdho7gppd55edd6a._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250618-gjygssaj5z/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b5aeb531-dce3-471b-9b8a-09341a7126af
Unpacked files
SH256 hash:
d8d487fdb3efe93da96a48c48667dc82d0d95c9f6622650ceef99ef1f7a418fc
MD5 hash:
285764f261b4f8d1ced113e0825ccb0c
SHA1 hash:
3b40be595fa94a69b182944f0e39e6f5e6890003
Link:
https://www.unpac.me/results/084f0705-9014-49f2-916e-aed17da27cca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/d8d487fdb3efe93da96a48c48667dc82d0d95c9f6622650ceef99ef1f7a418fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:sus_pe_free_without_allocation
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DeerStealer

Executable exe d8d487fdb3efe93da96a48c48667dc82d0d95c9f6622650ceef99ef1f7a418fc

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/9917/
  
URLhaus
https://urlhaus.abuse.ch/url/3558736/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueW
ADVAPI32.dll::RegOpenKeyA

Comments