MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DeerStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085
SHA3-384 hash: b4afd4da20f81bb41efede23f52fa189f5734b4cf748c974b68263059aa492792adc082d7d506ba2f15a8b33299890dd
SHA1 hash: f851641c2f344437520b9114acf695496e80158e
MD5 hash: d8557f2f9f269caea679b2d58d98b7f0
humanhash: yellow-virginia-sierra-hamper
File name:SecuriteInfo.com.Other.Malware-gen.61295838
Download: download sample
Signature DeerStealer
Create hunting rule
File size:4'874'240 bytes
First seen:2025-11-22 18:53:33 UTC
Last seen:2025-11-23 16:18:56 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:ZwQ6uy5l8MgXW+3tS08FAPueFL3T+lZvPEbZd2SzV4elWZqmsfjXGs:uQtyH8MWqS9djwJPEj2u4eoZqmsi
Threatray 60 similar samples on MalwareBazaar
TLSH T14B36336B36FD893FCC17317A48FE291942599F2A0E9084E7F15CF7A60B74AE4A230355
TrID 68.9% (.MST) Windows SDK Setup Transform script (61000/1/5)
22.0% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
9.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SecuriteInfoCom
Tags:DeerStealer msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
45
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39058/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6922079a4917b5d23db08638
Tags:
virus spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug expired-cert installer installer wix
Link:
https://www.filescan.io/uploads/692206ddf96b58f0dc80337b/reports/8671e724-1a24-49e8-8d28-5153cac1e58a/overview
Verdict:
Malicious
Labled as:
ABDownloader.KLO
Link:
https://www.hybrid-analysis.com/sample/82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-11-22T12:51:00Z UTC
Last seen:
2025-11-23T23:55:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb HEUR:Trojan.OLE2.Alien.gen
Link:
https://opentip.kaspersky.com/82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085/results?tab=lookup
Score:
9%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/d8557f2f9f269caea679b2d58d98b7f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085
Threat name:
Win32.Trojan.Hijackloader
Create hunting rule
Status:
Malicious
First seen:
2025-11-21 07:15:55 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qktoxrgontbzps6mrryafea2qorfnc7oyt5irytzuxyfcl67kccq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
deerstealer
Create hunting rule
Similar samples:
0852ae81624c390a57e57d930e86b8c1bc080813481ee5bd505f81352c7e6fe6
DeerStealer
25b34f7a1aa68458a150182a2a292ea61bc3a45a72782839fdc0be58b90bd655
DeerStealer
36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed
DeerStealer
9705b02f24c62bc938211d125bfeb3c4fc842b2cd74f05df36cfb3a23c7bbcec
DeerStealer
ab1adb55d3c57eae4734a43e86212f367c1ac3563702c2bd0678242a726c6c23
DeerStealer
bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
DeerStealer
c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd
DeerStealer
e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
DeerStealer
error
DeerStealer
f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac
DeerStealer
+ 50 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251122-xkcvgs1mft/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/36a537a7-91b6-4014-8775-1bd483521e57
Malware family:
DeerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/82a6ebc4ce6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DeerStealer

Microsoft Software Installer (MSI) msi 82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3714167/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/39058/

Comments