MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DeerStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81
SHA3-384 hash: 79c54388938eed9557441d11e71e64731285c5f219ea9ef1c7ad78453c2849d551d451a833d2e4b59b75d1f147d166bd
SHA1 hash: c8091bf9f6a3154e7eef872fd63ecfb64724cd9c
MD5 hash: 2fe8c93bf8b99b55efbfb758ed4c8c42
humanhash: ack-uncle-high-mars
File name:SecuriteInfo.com.Other.Malware-gen.19821347
Download: download sample
Signature DeerStealer
Create hunting rule
File size:8'200'192 bytes
First seen:2025-12-23 15:28:34 UTC
Last seen:2025-12-23 19:24:50 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:X7lYSK+Kq8wdseWDp5VhvjnoPsnkpqcIeNzEc1ODTnOeOss46iUPXKgRt5AMWdoV:5WtwdWVV2sF1cITnCsVps/tlGAWqT
TLSH T1C9863368EA134B9FC9D2B6F2001F98B132617D802699D6D767E37D45EE36240C86F09F
TrID 53.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
39.2% (.MSP) Windows Installer Patch (44509/10/5)
7.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SecuriteInfoCom
Tags:DeerStealer msi

Intelligence

File Origin
# of uploads :
3
# of downloads :
44
Origin country :
FR FR
Vendor Threat Intelligence
Malware configuration found for:
HijackLoader MSI
Details
HijackLoader
embedded components, an injection process, and filepaths
HijackLoader
an XOR key and XOR-decrypted/LZNT1 decompressed component
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/36a07c56-a660-448f-aee5-bcf36b85caf6/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45867/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694ab54c038f10550b550c6f
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto expired-cert fingerprint installer installer keylogger packed wix
Link:
https://www.filescan.io/uploads/694ab549eb6298f4c85734ab/reports/cfaf0bf0-1986-49d6-858e-7cbc52d0988b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-12-23T12:12:00Z UTC
Last seen:
2025-12-23T17:00:00Z UTC
Hits:
~10
Detections:
UDS:DangerousObject.Multi.Generic HEUR:Trojan.OLE2.Delf.gen Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Delf.sb
Link:
https://opentip.kaspersky.com/da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81/results?tab=lookup
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/2fe8c93bf8b99b55efbfb758ed4c8c42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3juqud2ftzgccz6q2v4uuoc325yhuzhaw7utjopx2gfuhnyglkaq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
deerstealer
Create hunting rule
Similar samples:
error
DeerStealer
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:hijackloader discovery loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/251223-trpwvawmgx/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
DeerStealer
Deerstealer family
Detects DeerStealer
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/30d9fc0e-d48e-451a-bc23-25b648ff6626
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da690a0f459e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DeerStealer

Microsoft Software Installer (MSI) msi da690a0f459e4c2167d0d5794a385bd7707a64e0b7e934b9f7d18b43b7065a81

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3741336/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45867/

Comments