Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DeerStealer

deerstealer
109
Global rank
98 infographic chevron month
Month rank
97 infographic chevron week
Week rank
0
IOCs

DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.

Stealer
Type
Unknown
Origin
1 June, 2024
First seen
4 February, 2025
Last seen

How to analyze DeerStealer with ANY.RUN

Stealer
Type
Unknown
Origin
1 June, 2024
First seen
4 February, 2025
Last seen

IOCs

IP addresses
154.216.17.4
Domains
weiggheticulop.shop
interactiedovspm.shop
cagedwifedsozm.shop
charecteristicdxp.shop
consciousourwi.shop
deicedosmzj.shop
southedhiscuso.shop
potentioallykeos.shop
updateb.site
authetificator-gogle.com
gg2024.com
gg2024.info
authenticcator-descktop.com
updater-pro.com
Last Seen at
16 January, 2025
Malicious activity
4363463463464363463463463.zip
arch-exec
loader
github
trox
stealer
evasion
telegram
auto
quasarrat
python
hausbomber
dcrat
meterpreter
backdoor
autoit
dyndns
xred
miner
njrat
xmrig
opendir
generic
xenorat
asyncrat
phorpiex
pastebin
purelogstealer
lumma
deerstealer
exfiltration
rat
bladabindi
remote
cryptbot
possible-phishing
blankgrabber
coinminer
discord
amadey
redline
screenshot
meduza
botnet
stealc
anydesk
tool
ransomware
payload
darkcrystal
arch-scr
metasploit
stealeriumstealer
formbook
putty
antivm
quasar
11 January, 2025
Malicious activity
Authenticator.exe
deerstealer
stealer
28 December, 2024
Malicious activity
Authenticator.exe
deerstealer
stealer
23 December, 2024
Malicious activity
Authenticator.exe
deerstealer
stealer
18 December, 2024
Malicious activity
Authenticator.exe
deerstealer
stealer
18 December, 2024
Malicious activity
Authenticator.exe
deerstealer
stealer
16 November, 2024
Malicious activity
BitcoinCore.exe
deerstealer
stealer
7 November, 2024
Malicious activity
582cd56afe40a1e49d91486e40c4d5a27d1a890f451e5ba5d0d948511cde3987
deerstealer
xfiles
stealer
7 November, 2024
Malicious activity
sxqnmytm.exe
deerstealer
xfiles
stealer
6 November, 2024
Malicious activity
05ffd1835da6892f990f92b3a3a933c08038bce94e71b5750ad8e374da877552
amadey
botnet
stealer
themida
loader
deerstealer
xfiles
TRACK THEM ALL AT
Public Submissions
Last Seen at
16 January, 2025
Malicious activity
4363463463464363463463463.zip
arch-exec
loader
github
trox
stealer
evasion
telegram
auto
quasarrat
python
hausbomber
dcrat
meterpreter
backdoor
autoit
dyndns
xred
miner
njrat
xmrig
opendir
generic
xenorat
asyncrat
phorpiex
pastebin
purelogstealer
lumma
deerstealer
exfiltration
rat
bladabindi
remote
cryptbot
possible-phishing
blankgrabber
coinminer
discord
amadey
redline
screenshot
meduza
botnet
stealc
anydesk
tool
ransomware
payload
darkcrystal
arch-scr
metasploit
stealeriumstealer
formbook
putty
antivm
quasar
11 January, 2025
Malicious activity
Authenticator.exe
deerstealer
stealer
28 December, 2024
Malicious activity
Authenticator.exe
deerstealer
stealer
23 December, 2024
Malicious activity
Authenticator.exe
deerstealer
stealer
18 December, 2024
Malicious activity
Authenticator.exe
deerstealer
stealer
18 December, 2024
Malicious activity
Authenticator.exe
deerstealer
stealer
16 November, 2024
Malicious activity
BitcoinCore.exe
deerstealer
stealer
7 November, 2024
Malicious activity
582cd56afe40a1e49d91486e40c4d5a27d1a890f451e5ba5d0d948511cde3987
deerstealer
xfiles
stealer
7 November, 2024
Malicious activity
sxqnmytm.exe
deerstealer
xfiles
stealer
6 November, 2024
Malicious activity
05ffd1835da6892f990f92b3a3a933c08038bce94e71b5750ad8e374da877552
amadey
botnet
stealer
themida
loader
deerstealer
xfiles
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

Contents

  • What is DeerStealer malware?
  • DeerStealer malware technical details
  • DeerStealer execution process
  • DeerStealer malware distribution methods
  • Gathering threat intelligence on DeerStealer malware
  • Conclusion

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is DeerStealer malware?

DeerStealer is a relatively new info-stealing malware that emerged in 2024, targeting sensitive data like login credentials, browser history, and cryptocurrency wallet details.

Unlike more established stealers, DeerStealer has quickly gained attention due to its innovative distribution methods, including fake websites mimicking legitimate services like Google Authenticator. These sites trick users into downloading malware under the guise of security software.

The malware has been linked to malicious campaigns that target individual users as well as organizations, and it’s speculated to share similarities with other stealer malware like XFiles.

In addition to exfiltrating data, DeerStealer persists on infected systems by modifying registry keys, enabling it to survive reboots and remain active.

This persistence, combined with its focus on browser exploitation and cryptocurrency theft, makes DeerStealer a significant risk, particularly to users managing sensitive online accounts and assets.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

DeerStealer malware technical details

The primary functionality and features of DeerStealer malware include:

  • Extraction of credentials from web browsers, email clients, and cryptocurrency wallets.
  • Modification of registry keys to reinfect the system after reboot, ensuring long-term access.
  • Obfuscation techniques to avoid detection by security tools, making it harder to analyze.
  • Delivery via phishing emails, malicious Google ads, and fake websites mimicking legitimate services, including Google Authenticator sites.
  • Communication with a command-and-control server via POST requests to send stolen data, often using encrypted communication through simple XOR encryption.

In some DeerStealer campaigns, attackers use a Telegram bot to send information about infected systems, such as IP addresses and country.

When victims land on a fake website (like a Google Authenticator download page), their IP address and country are sent to a Telegram bot. This bot, named "Tuc-tuc," helps attackers track the locations of infected users and coordinate further actions.

Telegram serves as a secure and anonymous medium for logging victim data, making it easier for the attackers to monitor their phishing campaigns without detection.

DeerStealer execution process

To see how DeerStealer operates, let’s upload its sample to the ANY.RUN sandbox.

DeerStealer is commonly distributed via fake websites that mimic legitimate services, such as Google Authenticator. When users attempt to download the application from these sites, their information, such as IP address and country, is sent to a Telegram bot.

The malware itself is hosted on platforms like GitHub and is designed to run directly in memory without leaving traces on disk.

DeerStealer fake website Fake website mimicking Google Authenticator analyzed inside ANY.RUN’s sandbox

Upon execution, it launches a Delphi-based application that serves as a launcher for the final payload.

To evade detection, the payload employs obfuscation techniques and runs entirely in memory, making it difficult for traditional antivirus solutions to identify.

Before initiating its malicious activities, DeerStealer performs checks to confirm it's not operating in a sandbox or virtual environment. It collects hardware identifiers (HWID) and transmits them to its command and control (C2) server. If the checks are passed, the malware retrieves a list of target applications and keywords from the server.

DeerStealer process graph DeerStealer process graph displayed in the ANY.RUN sandbox

DeerStealer scans the infected system for sensitive information, such as cryptocurrency wallet credentials, browser-stored passwords, and other personal data. The stolen data is organized into a structured format, often JSON, before being exfiltrated.

The exfiltration occurs through POST requests, typically sent over encrypted channels to bypass network monitoring tools. To maintain persistence, DeerStealer may establish scheduled tasks or modify startup configurations, enabling it to execute automatically upon system reboot.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

DeerStealer malware distribution methods

DeerStealer is primarily distributed through various deceptive techniques that aim to trick users into downloading malware. Some of the key distribution methods include:

  • Phishing emails: Attackers send emails that appear legitimate, often containing malicious attachments or links. These attachments can be disguised as Word documents or compressed files (e.g., .zip or .rar), which, once opened, deploy the malware.
  • Malvertising: Cybercriminals use malicious advertisements that romote legitimate services like Google Authenticator. When users click on these ads, they are redirected to fraudulent websites that prompt them to download DeerStealer.
  • Fake websites: Attackers create websites that mimic legitimate services, particularly focusing on fake Google Authenticator sites. These websites trick users into downloading infected files disguised as legitimate software.
  • Software cracks: It has also been observed in pirated software downloads, where users download what appears to be legitimate software, only to infect their systems with DeerStealer.

Gathering threat intelligence on DeerStealer malware

To collect up-to-date intelligence on DeerStealer, you can utilize Threat Intelligence Lookup from ANY.RUN.

This tool gives access to a comprehensive database filled with insights from millions of malware analysis sessions. Using over 40 customizable search parameters, such as IPs, domains, file names, and process artifacts, it allows you to uncover important details about threats like DeerStealer.

DeerStealer TI Lookup results Search results for DeerStealer in Threat Intelligence Lookup

For instance, by searching for DeerStealer’s name or using a related indicator, such as a domain or process artifact (threatName:"DeerStealer", Threat Intelligence Lookup will display all relevant samples and sandbox results associated with the malware.

Get your 14-day free trial of Threat Intelligence Lookup along with the ANY.RUN sandbox.

Conclusion

DeerStealer is a serious threat, capable of stealing login credentials, browser data, and cryptocurrency information. Its distribution through fake websites makes it difficult to detect. It’s important to analyze suspicious files and URLs to protect against DeerStealer and similar malware.

ANY.RUN provides a real-time sandbox for analyzing malware behavior and allows its users to quickly identify threats, gathering key indicators of compromise (IOCs)

Sign up for a free ANY.RUN account today and start analyzing all the emerging threats with no limits!

HAVE A LOOK AT

GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
Sliver screenshot
Sliver
sliver
Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More