MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DeerStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef
SHA3-384 hash: 0fcc776a60d36e3d3cbbeafa40262713cf313c16f665991a0fb92a4e5c4296d188795ebddc2b5e33a40a7b8f82b1b1d6
SHA1 hash: f7379dcf74d82236eebb2de517ccdecd0f5e74b5
MD5 hash: 47d95f244153417cd25300a7d34299e6
humanhash: arkansas-east-mexico-may
File name:bQwYESr.msi
Download: download sample
Signature DeerStealer
Create hunting rule
File size:7'004'160 bytes
First seen:2025-07-17 05:42:34 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:5iGpyL48Ty53Dy5w9yhprcbCodny7A5T5iM0qjm6l:cRe53GVS4S550A
TLSH T10A6633857EDF6282DA9714FF07E796ACC828EE1023E6C61163193A2575B73141BDEC38
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:DeerStealer msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
23
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14948/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68788d802f623871a5ef22a2
Tags:
shellcode virus spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/68788d8019132d984881ac28/reports/adce5732-5229-4e01-bbe0-2f4a9eba67cb/overview
Verdict:
Suspicious
Labled as:
Malware.U.DeerStealer
Link:
https://www.hybrid-analysis.com/sample/d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
28 / 100
Link:
https://www.joesandbox.com/analysis/1738545
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 1738545 Sample: bQwYESr.msi Startdate: 17/07/2025 Architecture: WINDOWS Score: 28 6 msiexec.exe 78 38 2->6         started        9 msiexec.exe 3 2->9         started        file3 17 C:\Users\user\AppData\...\Sy-Debug.exe, PE32+ 6->17 dropped 19 C:\Users\user\AppData\...\sdHookpp.64.dll, PE32+ 6->19 dropped 11 Sy-Debug.exe 5 6->11         started        process4 file5 21 C:\ProgramData\altAppzqh\sdHookpp.64.dll, PE32+ 11->21 dropped 23 C:\ProgramData\altAppzqh\Sy-Debug.exe, PE32+ 11->23 dropped 25 Found direct / indirect Syscall (likely to bypass EDR) 11->25 15 Sy-Debug.exe 11->15         started        signatures6 process7
Score:
19%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef/
Verdict:
Malicious
Threat:
trojan.loader
Link:
https://tip.neiki.dev/file/d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-16 21:55:06 UTC
File Type:
Binary (Archive)
Extracted files:
39
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=243w76awgywxgv4qs76bbenkx7a5bhkq2l22pvealumquftryhxq._file
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/250717-gertfsck3y/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Downloads MZ/PE file
Enumerates connected drives
Detects DeerStealer
DeerStealer
Deerstealer family
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/65e60a2e-a7e0-4504-a4bd-be5b86235840
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_GhostPulse_caea316b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DeerStealer

Microsoft Software Installer (MSI) msi d7376ff816362d73579097fc1091aabfc1d09d50d2f5a7d4805d190a1671c1ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3584801/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/14948/

Comments