Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DeerStealer

109
Global rank
98 infographic chevron month
Month rank
97 infographic chevron week
Week rank
0
IOCs

DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.

Stealer
Type
Unknown
Origin
1 June, 2024
First seen
4 February, 2025
Last seen

How to analyze DeerStealer with ANY.RUN

Type
Unknown
Origin
1 June, 2024
First seen
4 February, 2025
Last seen

IOCs

IP addresses
154.216.17.4
Domains
weiggheticulop.shop
interactiedovspm.shop
cagedwifedsozm.shop
charecteristicdxp.shop
consciousourwi.shop
deicedosmzj.shop
southedhiscuso.shop
potentioallykeos.shop
updateb.site
authetificator-gogle.com
gg2024.com
gg2024.info
authenticcator-descktop.com
updater-pro.com
Last Seen at

Recent blog posts

post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 538
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1407
comments 0
post image
Release Notes: System Updates, New YARA and S...
watchers 4983
comments 0

What is DeerStealer malware?

DeerStealer is a relatively new info-stealing malware that emerged in 2024, targeting sensitive data like login credentials, browser history, and cryptocurrency wallet details.

Unlike more established stealers, DeerStealer has quickly gained attention due to its innovative distribution methods, including fake websites mimicking legitimate services like Google Authenticator. These sites trick users into downloading malware under the guise of security software.

The malware has been linked to malicious campaigns that target individual users as well as organizations, and it’s speculated to share similarities with other stealer malware like XFiles.

In addition to exfiltrating data, DeerStealer persists on infected systems by modifying registry keys, enabling it to survive reboots and remain active.

This persistence, combined with its focus on browser exploitation and cryptocurrency theft, makes DeerStealer a significant risk, particularly to users managing sensitive online accounts and assets.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

DeerStealer malware technical details

The primary functionality and features of DeerStealer malware include:

  • Extraction of credentials from web browsers, email clients, and cryptocurrency wallets.
  • Modification of registry keys to reinfect the system after reboot, ensuring long-term access.
  • Obfuscation techniques to avoid detection by security tools, making it harder to analyze.
  • Delivery via phishing emails, malicious Google ads, and fake websites mimicking legitimate services, including Google Authenticator sites.
  • Communication with a command-and-control server via POST requests to send stolen data, often using encrypted communication through simple XOR encryption.

In some DeerStealer campaigns, attackers use a Telegram bot to send information about infected systems, such as IP addresses and country.

When victims land on a fake website (like a Google Authenticator download page), their IP address and country are sent to a Telegram bot. This bot, named "Tuc-tuc," helps attackers track the locations of infected users and coordinate further actions.

Telegram serves as a secure and anonymous medium for logging victim data, making it easier for the attackers to monitor their phishing campaigns without detection.

DeerStealer execution process

To see how DeerStealer operates, let’s upload its sample to the ANY.RUN sandbox.

DeerStealer is commonly distributed via fake websites that mimic legitimate services, such as Google Authenticator. When users attempt to download the application from these sites, their information, such as IP address and country, is sent to a Telegram bot.

The malware itself is hosted on platforms like GitHub and is designed to run directly in memory without leaving traces on disk.

DeerStealer fake website Fake website mimicking Google Authenticator analyzed inside ANY.RUN’s sandbox

Upon execution, it launches a Delphi-based application that serves as a launcher for the final payload.

To evade detection, the payload employs obfuscation techniques and runs entirely in memory, making it difficult for traditional antivirus solutions to identify.

Before initiating its malicious activities, DeerStealer performs checks to confirm it's not operating in a sandbox or virtual environment. It collects hardware identifiers (HWID) and transmits them to its command and control (C2) server. If the checks are passed, the malware retrieves a list of target applications and keywords from the server.

DeerStealer process graph DeerStealer process graph displayed in the ANY.RUN sandbox

DeerStealer scans the infected system for sensitive information, such as cryptocurrency wallet credentials, browser-stored passwords, and other personal data. The stolen data is organized into a structured format, often JSON, before being exfiltrated.

The exfiltration occurs through POST requests, typically sent over encrypted channels to bypass network monitoring tools. To maintain persistence, DeerStealer may establish scheduled tasks or modify startup configurations, enabling it to execute automatically upon system reboot.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

DeerStealer malware distribution methods

DeerStealer is primarily distributed through various deceptive techniques that aim to trick users into downloading malware. Some of the key distribution methods include:

  • Phishing emails: Attackers send emails that appear legitimate, often containing malicious attachments or links. These attachments can be disguised as Word documents or compressed files (e.g., .zip or .rar), which, once opened, deploy the malware.
  • Malvertising: Cybercriminals use malicious advertisements that romote legitimate services like Google Authenticator. When users click on these ads, they are redirected to fraudulent websites that prompt them to download DeerStealer.
  • Fake websites: Attackers create websites that mimic legitimate services, particularly focusing on fake Google Authenticator sites. These websites trick users into downloading infected files disguised as legitimate software.
  • Software cracks: It has also been observed in pirated software downloads, where users download what appears to be legitimate software, only to infect their systems with DeerStealer.

Gathering threat intelligence on DeerStealer malware

To collect up-to-date intelligence on DeerStealer, you can utilize Threat Intelligence Lookup from ANY.RUN.

This tool gives access to a comprehensive database filled with insights from millions of malware analysis sessions. Using over 40 customizable search parameters, such as IPs, domains, file names, and process artifacts, it allows you to uncover important details about threats like DeerStealer.

DeerStealer TI Lookup results Search results for DeerStealer in Threat Intelligence Lookup

For instance, by searching for DeerStealer’s name or using a related indicator, such as a domain or process artifact (threatName:"DeerStealer", Threat Intelligence Lookup will display all relevant samples and sandbox results associated with the malware.

Get your 14-day free trial of Threat Intelligence Lookup along with the ANY.RUN sandbox.

Conclusion

DeerStealer is a serious threat, capable of stealing login credentials, browser data, and cryptocurrency information. Its distribution through fake websites makes it difficult to detect. It’s important to analyze suspicious files and URLs to protect against DeerStealer and similar malware.

ANY.RUN provides a real-time sandbox for analyzing malware behavior and allows its users to quickly identify threats, gathering key indicators of compromise (IOCs)

Sign up for a free ANY.RUN account today and start analyzing all the emerging threats with no limits!

HAVE A LOOK AT

DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More
Play Ransomware screenshot
Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More