MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DeerStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac
SHA3-384 hash: b4b8a66a75f4ae417df5d4e2e1e04354adf9be804ea25a4fbdcd5bdec6a322b19b289e7ba701199d0610b316bdbd42d9
SHA1 hash: 957637e8bfd9ee2b788db0056bfe5afcc33ddddb
MD5 hash: 2871e247cf44fc93b799087c0df2bdf9
humanhash: friend-ohio-delaware-friend
File name:DVQQXUHT.msi
Download: download sample
Signature DeerStealer
Create hunting rule
File size:9'293'824 bytes
First seen:2025-12-14 06:49:26 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:DOnDKpwhtApcDepRtxo7mpiuHv8s0tunCqM:DvYfepRtxo7mbv8fACqM
Threatray 24 similar samples on MalwareBazaar
TLSH T1EB9633C998856B77D017933108DAF956D3553D1CBF5F24A203F03F20A27B648EA7EA29
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:ClickFix DeerStealer msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
HijackLoader MSI
Details
HijackLoader
embedded components, an injection process, and filepaths
HijackLoader
an XOR key and XOR-decrypted/LZNT1 decompressed component
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/8fd21891-d8e1-4e5f-8289-e63cf773c69f/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44586/
Detection(s):
SecuriteInfo.com.Program.Unwanted.5405.24023.31444.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693e5e3ebd89d3cda546b878
Tags:
shellcode virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint installer installer keylogger packed wix
Link:
https://www.filescan.io/uploads/693e5e2a1eac7b9b76a95dfe/reports/b78d4a76-d8d9-4959-b358-ba1cc9a85808/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-12-13T03:39:00Z UTC
Last seen:
2025-12-14T12:08:00Z UTC
Hits:
~10
Detections:
UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac/results?tab=lookup
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1832352
Signature
Contain functionality to detect virtual machines
Contains functionality to detect sandboxes (MAC address check)
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Yara detected HijackLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1832352 Sample: DVQQXUHT.msi Startdate: 14/12/2025 Architecture: WINDOWS Score: 100 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 3 other signatures 2->86 9 msiexec.exe 95 55 2->9         started        12 Blue-Port11.exe 5 2->12         started        15 Blue-Port11.exe 5 2->15         started        17 2 other processes 2->17 process3 file4 68 C:\Users\user\AppData\Local\...\vclx120.bpl, PE32 9->68 dropped 70 C:\Users\user\AppData\Local\...\vcl120.bpl, PE32 9->70 dropped 72 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 9->72 dropped 78 16 other malicious files 9->78 dropped 19 Blue-Port11.exe 22 9->19         started        74 C:\Users\user\AppData\Local\Temp\F56795.tmp, PE32+ 12->74 dropped 100 Modifies the context of a thread in another process (thread injection) 12->100 102 Maps a DLL or memory area into another process 12->102 23 PriCollector64.exe 12->23         started        25 XPFix.exe 12->25         started        76 C:\Users\user\AppData\Local\...\FA32743.tmp, PE32+ 15->76 dropped 27 PriCollector64.exe 15->27         started        29 XPFix.exe 15->29         started        104 Found direct / indirect Syscall (likely to bypass EDR) 17->104 31 XPFix.exe 17->31         started        signatures5 process6 file7 60 C:\ProgramData\...\vclx120.bpl, PE32 19->60 dropped 62 C:\ProgramData\...\vcl120.bpl, PE32 19->62 dropped 64 C:\ProgramData\...\sqlite3.dll, PE32 19->64 dropped 66 16 other files (11 malicious) 19->66 dropped 96 Tries to steal Mail credentials (via file registry) 19->96 98 Switches to a custom stack to bypass stack traces 19->98 33 Blue-Port11.exe 7 19->33         started        37 WerFault.exe 19 16 23->37         started        39 WerFault.exe 16 23->39         started        41 WerFault.exe 8 27->41         started        43 WerFault.exe 27->43         started        signatures8 process9 file10 54 C:\Users\user\PriCollector64.exe, PE32+ 33->54 dropped 56 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 33->56 dropped 58 C:\Users\user\AppData\Local\...2E8E4E.tmp, PE32+ 33->58 dropped 88 Contain functionality to detect virtual machines 33->88 90 Drops PE files to the user root directory 33->90 92 Modifies the context of a thread in another process (thread injection) 33->92 94 5 other signatures 33->94 45 XPFix.exe 1 33->45         started        48 PriCollector64.exe 33->48         started        signatures11 process12 signatures13 106 Unusual module load detection (module proxying) 45->106 108 Switches to a custom stack to bypass stack traces 45->108 110 Found direct / indirect Syscall (likely to bypass EDR) 45->110 50 WerFault.exe 2 48->50         started        52 WerFault.exe 2 48->52         started        process14
Score:
41%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac/
Verdict:
Malicious
Threat:
DangerousObject.Multi
Link:
https://tip.neiki.dev/file/e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac
Threat name:
Win32.Trojan.Hijackloader
Create hunting rule
Status:
Malicious
First seen:
2025-12-13 08:26:56 UTC
File Type:
Binary (Archive)
Extracted files:
303
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4j2uxqehnezjbcvo5szuphxi5dkcukmcndrs7qewgegfecymakwa._file
Verdict:
malicious
Label(s):
deerstealer
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
14d140999ab5d2ab903ddf1aedda4d868be68db054424c7fad70b8927b32a145
DeerStealer
54f2ac23b773789a411dbc870422e5887ed955754e0bfeb9e0ef91f057ec46da
DeerStealer
731a72d29320e1bf43b2004ee56583c7b9c279790c01b3569141bd8849d3afca
DeerStealer
a1432c163d00964e629cbf199b69634bf44fe9d36cae4d14bfff91326018043f
DeerStealer
b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060
DeerStealer
e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac
DeerStealer
error
DeerStealer
+ 14 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251214-hl5jkaslbp/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cc196716-6de0-41c7-bffd-71ab49fd6864
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2754bc08769/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DeerStealer

Microsoft Software Installer (MSI) msi e2754bc0876932908aaeecb3479ee8e8d42a298268e32fc096310c520b0c02ac

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/44586/
  
URLhaus
https://urlhaus.abuse.ch/url/3733381/
  
Delivery method
Distributed via web download

Comments