Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DeerStealer

105
Global rank
99 infographic chevron month
Month rank
85 infographic chevron week
Week rank
0
IOCs

DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.

Stealer
Type
Unknown
Origin
1 June, 2024
First seen
18 December, 2024
Last seen

How to analyze DeerStealer with ANY.RUN

Type
Unknown
Origin
1 June, 2024
First seen
18 December, 2024
Last seen

IOCs

IP addresses
193.176.190.41
154.216.17.4
Domains
deicedosmzj.shop
potentioallykeos.shop
interactiedovspm.shop
charecteristicdxp.shop
consciousourwi.shop
southedhiscuso.shop
weiggheticulop.shop
cagedwifedsozm.shop
updateb.site
authetificator-gogle.com
gg2024.com
gg2024.info
authenticcator-descktop.com
updater-pro.com
Last Seen at

Recent blog posts

post image
Well done, ANY.RUN: Our Top Cybersecurity Awa...
watchers 217
comments 0
post image
How DFIR Analysts Use ANY.RUN Sandbox
watchers 311
comments 0
post image
How to Set up a Windows 11 Malware Sandbox
watchers 1118
comments 0

What is DeerStealer malware?

DeerStealer is a relatively new info-stealing malware that emerged in 2024, targeting sensitive data like login credentials, browser history, and cryptocurrency wallet details.

Unlike more established stealers, DeerStealer has quickly gained attention due to its innovative distribution methods, including fake websites mimicking legitimate services like Google Authenticator. These sites trick users into downloading malware under the guise of security software.

The malware has been linked to malicious campaigns that target individual users as well as organizations, and it’s speculated to share similarities with other stealer malware like XFiles.

In addition to exfiltrating data, DeerStealer persists on infected systems by modifying registry keys, enabling it to survive reboots and remain active.

This persistence, combined with its focus on browser exploitation and cryptocurrency theft, makes DeerStealer a significant risk, particularly to users managing sensitive online accounts and assets.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

DeerStealer malware technical details

The primary functionality and features of DeerStealer malware include:

  • Extraction of credentials from web browsers, email clients, and cryptocurrency wallets.
  • Modification of registry keys to reinfect the system after reboot, ensuring long-term access.
  • Obfuscation techniques to avoid detection by security tools, making it harder to analyze.
  • Delivery via phishing emails, malicious Google ads, and fake websites mimicking legitimate services, including Google Authenticator sites.
  • Communication with a command-and-control server via POST requests to send stolen data, often using encrypted communication through simple XOR encryption.

In some DeerStealer campaigns, attackers use a Telegram bot to send information about infected systems, such as IP addresses and country.

When victims land on a fake website (like a Google Authenticator download page), their IP address and country are sent to a Telegram bot. This bot, named "Tuc-tuc," helps attackers track the locations of infected users and coordinate further actions.

Telegram serves as a secure and anonymous medium for logging victim data, making it easier for the attackers to monitor their phishing campaigns without detection.

DeerStealer execution process

To see how DeerStealer operates, let’s upload its sample to the ANY.RUN sandbox.

DeerStealer is commonly distributed via fake websites that mimic legitimate services, such as Google Authenticator. When users attempt to download the application from these sites, their information, such as IP address and country, is sent to a Telegram bot.

The malware itself is hosted on platforms like GitHub and is designed to run directly in memory without leaving traces on disk.

DeerStealer fake website Fake website mimicking Google Authenticator analyzed inside ANY.RUN’s sandbox

Upon execution, it launches a Delphi-based application that serves as a launcher for the final payload.

To evade detection, the payload employs obfuscation techniques and runs entirely in memory, making it difficult for traditional antivirus solutions to identify.

Before initiating its malicious activities, DeerStealer performs checks to confirm it's not operating in a sandbox or virtual environment. It collects hardware identifiers (HWID) and transmits them to its command and control (C2) server. If the checks are passed, the malware retrieves a list of target applications and keywords from the server.

DeerStealer process graph DeerStealer process graph displayed in the ANY.RUN sandbox

DeerStealer scans the infected system for sensitive information, such as cryptocurrency wallet credentials, browser-stored passwords, and other personal data. The stolen data is organized into a structured format, often JSON, before being exfiltrated.

The exfiltration occurs through POST requests, typically sent over encrypted channels to bypass network monitoring tools. To maintain persistence, DeerStealer may establish scheduled tasks or modify startup configurations, enabling it to execute automatically upon system reboot.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

DeerStealer malware distribution methods

DeerStealer is primarily distributed through various deceptive techniques that aim to trick users into downloading malware. Some of the key distribution methods include:

  • Phishing emails: Attackers send emails that appear legitimate, often containing malicious attachments or links. These attachments can be disguised as Word documents or compressed files (e.g., .zip or .rar), which, once opened, deploy the malware.
  • Malvertising: Cybercriminals use malicious advertisements that romote legitimate services like Google Authenticator. When users click on these ads, they are redirected to fraudulent websites that prompt them to download DeerStealer.
  • Fake websites: Attackers create websites that mimic legitimate services, particularly focusing on fake Google Authenticator sites. These websites trick users into downloading infected files disguised as legitimate software.
  • Software cracks: It has also been observed in pirated software downloads, where users download what appears to be legitimate software, only to infect their systems with DeerStealer.

Gathering threat intelligence on DeerStealer malware

To collect up-to-date intelligence on DeerStealer, you can utilize Threat Intelligence Lookup from ANY.RUN.

This tool gives access to a comprehensive database filled with insights from millions of malware analysis sessions. Using over 40 customizable search parameters, such as IPs, domains, file names, and process artifacts, it allows you to uncover important details about threats like DeerStealer.

DeerStealer TI Lookup results Search results for DeerStealer in Threat Intelligence Lookup

For instance, by searching for DeerStealer’s name or using a related indicator, such as a domain or process artifact (threatName:"DeerStealer", Threat Intelligence Lookup will display all relevant samples and sandbox results associated with the malware.

Get your 14-day free trial of Threat Intelligence Lookup along with the ANY.RUN sandbox.

Conclusion

DeerStealer is a serious threat, capable of stealing login credentials, browser data, and cryptocurrency information. Its distribution through fake websites makes it difficult to detect. It’s important to analyze suspicious files and URLs to protect against DeerStealer and similar malware.

ANY.RUN provides a real-time sandbox for analyzing malware behavior and allows its users to quickly identify threats, gathering key indicators of compromise (IOCs)

Sign up for a free ANY.RUN account today and start analyzing all the emerging threats with no limits!

HAVE A LOOK AT

Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More