MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe06b2f18cdbc4d74b731a2fe52f66d3e4da9f9f0bbf9730b816b5418e5f12b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DeerStealer

Vendor detections: 14

SHA256 hash: bfe06b2f18cdbc4d74b731a2fe52f66d3e4da9f9f0bbf9730b816b5418e5f12b
SHA3-384 hash: ca98289477476a32fec98eec8082a66d9581a0a1059ca3fd1e703bbc9a2aeb5e7e9d6e552508840d6f3f3ba258eed6ef
SHA1 hash: 61fb134720c9b34299f4667b4f8075df5bac3dcb
MD5 hash: 6d3199fa4fe168391a99939ef5f8e560
humanhash: enemy-island-twelve-montana
File name: GIYACTWB.msi
Signature: DeerStealer
File size: 37'784'100 bytes
First seen: 2025-12-23 21:38:24 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 393216:zy8rmCkJaJs2MFWEykZX8un9WoKcjUA8Y2fLQJw:J2Ku8WUAMUJw
TLSH: T146879E41F3C382B1D58709B1203BF62B96343A019728DAF3F7907E8AD575392A97771A
TrID: 78.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.6% (.MSP) Windows Installer Patch (44509/10/5)
      2.4% (.DB) Windows thumbnail Data Base (14519/2/1)
      1.3% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: smica83
Tags: DeerStealer msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 48
Origin country: HU
Vendor Threat Intelligence
Malware configuration found for: HijackLoader, MSI
Details:
HijackLoader: an XOR key and XOR-decrypted/LZNT1 decompressed component
MSI: an embedded setup program or component
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm crypto expired-cert fingerprint installer keylogger overlay packed wix
Result
Verdict: SUSPICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Malicious
File Type: msi
First seen: 2025-12-23T18:59:00Z UTC
Last seen: 2025-12-23T19:14:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.OLE2.Alien.gen, Trojan.Win32.Strab.sb, Trojan.Win32.Penguish.sb
Result
Threat name: HijackLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected HijackLoader
Behaviour
Behavior Graph (ID 1838524; sample GIYACTWB.msi; start date 23/12/2025; architecture WINDOWS; score 100), reconstructed from the flattened graph image as a process tree:

Sample GIYACTWB.msi
  Network: andredorethrenody.com; beacons.gvt2.com; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  -> msiexec.exe
     Dropped: C:\Users\user\AppData\Local\Temp\MSIFCB.tmp (PE32); C:\Users\user\AppData\Local\...\MSI19FE.tmp (PE32)
  -> msiexec.exe
     -> msiexec.exe
        Dropped: C:\Users\user\AppData\Local\...\zpsres.US.dll (PE32); C:\Users\user\AppData\Local\Temp\...\zcl.dll (PE32); C:\Users\user\AppData\...\libiomp5md.dll (PE32); 13 other files (none is malicious)
        -> ISBEW64.exe (two instances) and 8 other processes
        -> DrivC97.exe
           Dropped: C:\ProgramData\nano_wizard\DrivC97.exe (PE32); C:\ProgramData\nano_wizard\zpsres.US.dll (PE32); C:\ProgramData\nano_wizard\zcl.dll (PE32); 10 other files (none is malicious)
           Signatures: Switches to a custom stack to bypass stack traces
           -> DrivC97.exe
              Dropped: C:\Users\user\ByGateway.exe (PE32+); C:\Users\user\AppData\Roaming\...\XPFix.exe (PE32); C:\Users\user\AppData\Local\...\2D53F58.tmp (PE32+)
              Signatures: Drops PE files to the user root directory; Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); 3 other signatures
              -> XPFix.exe
                 Signatures: Switches to a custom stack to bypass stack traces
              -> ByGateway.exe
                 Network: andredorethrenody.com (172.67.159.46; ports 443, 49692; CLOUDFLARENETUS, United States)
                 Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 5 other signatures
                 -> chrome.exe
                    Network: 192.168.2.6 (ports 138, 443, 49162; unknown/unknown); 192.168.2.14 (unknown/unknown); 192.168.2.17 (unknown/unknown)
                    -> chrome.exe
                       Network: www3.l.google.com (64.233.185.102; ports 443, 49719; GOOGLEUS, United States); play.google.com (64.233.185.113; ports 443, 49713, 49714; GOOGLEUS, United States); 11 other IPs or domains
Verdict: malicious
Label(s): deerstealer hijackloader
Result
Malware family: hijackloader
Score: 10/10
Tags: family:deerstealer family:hijackloader discovery loader persistence privilege_escalation stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
DeerStealer
Deerstealer family
Detects DeerStealer
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict: Malicious
Tags: ransomware cryptomix
YARA: cryptomix_payload

Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agent_BTZ

Rule name: ComRAT

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RedOctoberPluginCollectInfo

Rule name: Suspicious_Process
Author: Security Research Team
Description: Suspicious process creation

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)

Rule name: sus_pe_free_without_allocation
Author: Maxime THIEBAUT (@0xThiebaut)
Description: Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: Windows_Trojan_GhostPulse_caea316b
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malware family: DeerStealer
File type: Microsoft Software Installer (MSI) msi
SHA256: bfe06b2f18cdbc4d74b731a2fe52f66d3e4da9f9f0bbf9730b816b5418e5f12b (this sample)
Delivery method: Distributed via web download
