MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71149e56febb1f0b96518016f33dcfae141c8d8e1dcca5de5b97519214ec6de5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DeerStealer

Vendor detections: 8

SHA256 hash: 71149e56febb1f0b96518016f33dcfae141c8d8e1dcca5de5b97519214ec6de5
SHA3-384 hash: 3a3072bc3f42ef5bb1057696efdca5562eddc6d63a9e08ebc6cb72d88dfbe331be966d58a8b63f773f0e3fb742fbb83e
SHA1 hash: 9c1c4722829d679908d2e30db833a3fba8af2f9f
MD5 hash: 3c8f0f9dd8f230bf8485b3ab512fa7c7
humanhash: yankee-zebra-october-magazine
File name: BFVNDLDC.msi
Signature: DeerStealer
File size: 8'286'208 bytes
First seen: 2025-04-25 08:34:13 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:0vlEe99CRYhPTLy/pms4hp7lpga0RpUR9m:uKeKRiQ0sEplGdURQ
Threatray: 9 similar samples on MalwareBazaar
TLSH: T1898633B7FA462BCBD88685B50C63C6505364ADA9CFFEC6E623DD3A00663265330E5D0D
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: abuse_ch
Tags: DeerStealer msi

Intelligence

File Origin
# of uploads: 1
# of downloads: 68
Origin country: NL
Vendor Threat Intelligence
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: installer packed wix
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Connection Initiated Via Certutil.EXE
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph: Behavior Graph ID 1673925; Sample: BFVNDLDC.msi; Start date: 25/04/2025; Architecture: WINDOWS; Score: 100 (graph image not reproduced here)
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2025-04-25 08:35:14 UTC
File Type: Binary (Archive)
Extracted files: 134
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: discovery persistence privilege_escalation spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict: Suspicious
Tags: n/a
YARA: n/a
Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DeerStealer
File type: Microsoft Software Installer (MSI) msi
SHA256: 71149e56febb1f0b96518016f33dcfae141c8d8e1dcca5de5b97519214ec6de5 (this sample)

Delivery method: Distributed via web download
