SemanticsAV Intelligence Report

Generated on 2025-10-24T15:57:07.778798

Detection Summary

File Hashes
MD5:    7d278d1b762954f8e7f365694adea615
SHA1:   3fc122fc78a3da161dc68d917777c1adf581024c
SHA256: 9de72bbf7efdb9b528351ec7ad706d6197e860a78b2846adf700cbc10d0760fa

Verdict (Confidence): malicious (100.0%)
File Type: pe
Signature: DeerStealer
Tags: dropped-by-Amadey exe

Intelligence Statistics

Label Distribution (of the 5 structurally similar samples)

Total Samples: 5
Malicious:  4 (similarity max 99.8%, avg 99.8%)
Suspicious: 1 (similarity max 99.8%, avg 99.8%)
Clean:      0
Unknown:    0

Top Signatures (one similar sample each)

RemcosRAT:     1 sample, max similarity 99.8%, avg similarity 99.8%
DonutLoader:   1 sample, max similarity 99.8%, avg similarity 99.8%
Arechclient2:  1 sample, max similarity 99.8%, avg similarity 99.8%
AsyncRAT:      1 sample, max similarity 99.8%, avg similarity 99.8%
AZORult:       1 sample, max similarity 99.8%, avg similarity 99.8%

Attribute Comparison Matrix

Compare static attributes between the target file and 5 similar samples from our threat intelligence database.

Legend:
† = Confirmed label (verified malicious/clean from intelligence)
Columns (target first, then the five similar samples with similarity score, label, signature and tags):

Target     ----   MALICIOUS†  DeerStealer    tags: dropped-by-Amadey exe
Sample #1  99.8%  MALICIOUS   RemcosRAT      tags: exe hijackloader rat remcos
Sample #2  99.8%  MALICIOUS   DonutLoader    tags: exe
Sample #3  99.8%  MALICIOUS   Arechclient2   tags: 5-10-250-239 exe GhostPulse HijackLoader SectopRAT ShadowLadder
Sample #4  99.8%  SUSPICIOUS  AsyncRAT       tags: cachepeak-cfd exe
Sample #5  99.8%  MALICIOUS   AZORult        tags: exe

Every attribute below except file_size has the same value for the target and all five samples, so a shared value is listed once. Four list-valued attributes carry no name in the extracted page; three are labelled by their content in brackets and the fourth, empty for all six, is kept as found.

compilation_datetime                    2010-06-27
[data directories present]              IMPORT_TABLE, RESOURCE_TABLE, IAT
debug.entries_count                     0
delay_imports.dll_count                 0
delay_imports.total_functions           0
dll_characteristics                     N/A
entry_point                             73199
exports                                 N/A
file_size                               Target 9797974 | #1 10091257 | #2 10145067 | #3 10178656 | #4 9198648 | #5 9118184
image_size                              208896
[imported DLLs (function count)]        COMCTL32.dll (1), KERNEL32.dll (82), USER32.dll (50), GDI32.dll (11), SHELL32.dll (7), ole32.dll (3), OLEAUT32.dll (3), MSVCRT.dll (31)
is_dll                                  No
linker_version                          8.0
load_configuration.present              No
machine                                 I386
relocations.total_blocks                0
relocations.total_entries               0
resources.has_manifest                  Yes
resources.has_version_info              Yes
resources.number_of_dialogs             0
resources.number_of_icons               5
resources.number_of_string_tables       0
rich_header_present                     No
[section names]                         .text, .rdata, .data, .rsrc
signature.number_of_signatures          0
signature.signed                        No
[unnamed list attribute]                [] (empty for all six)
subsystem                               WINDOWS_GUI
symbols.total_count                     0
tls.callbacks_count                     0
tls.present                             No
version_info.file_type                  APP
version_info.file_version               1.4.0.1795
version_info.product_version            1.4.0.1795
version_info.strings.CompanyName        Oleg N. Scherbakov
version_info.strings.FileDescription    7z Setup SFX (x86)
version_info.strings.FileVersion        1.4.0.1795
version_info.strings.InternalName       7ZSfxMod
version_info.strings.LegalCopyright     Copyright © 2005-2010 Oleg N. Scherbakov
version_info.strings.OriginalFilename   7ZSfxMod_x86.exe
version_info.strings.PrivateBuild       June 27, 2010
version_info.strings.ProductName        7-Zip SFX
version_info.strings.ProductVersion     1.4.0.1795
Natural Language Report

Executive Verdict Summary

The SemanticsAV Engine classifies this sample as MALICIOUS with 100.0% confidence, with the signature DeerStealer and the tag dropped-by-Amadey. Its five nearest neighbours in the similarity database each score 99.8% yet carry five different family labels (RemcosRAT, DonutLoader, Arechclient2, AsyncRAT, AZORult). The attribute matrix explains why: the target and all five neighbours are the same unsigned 7-Zip self-extractor stub (7ZSfxMod 1.4.0.1795, x86), so the similarity score measures the shared wrapper rather than the stealer payload. The payload sits in the archive appended to that stub and has to be extracted and analysed on its own.


Technical Analysis

Every static attribute in the matrix except file_size is identical across the target and the five neighbours: the compilation timestamp 2010-06-27, the entry point 73199, the image size 208896, the four sections (.text, .rdata, .data, .rsrc), the eight imported DLLs, the five icons and the complete version resource. That is not evidence of shared malware tooling. The version resource identifies the file as 7ZSfxMod_x86.exe, the 7-Zip SFX module by Oleg N. Scherbakov, and its PrivateBuild string (June 27, 2010) matches the PE timestamp. All six files are that one stub binary as far as the mapped image goes; it is the stub, not the payload, that imports COMCTL32, KERNEL32, USER32, GDI32, SHELL32, ole32, OLEAUT32 and MSVCRT and runs as a WINDOWS_GUI application. None of these attributes describes the DeerStealer code.

The one attribute that does vary is file_size: 9,797,974 bytes for the target and between 9,118,184 and 10,178,656 bytes for the neighbours, against a constant image_size of 208,896 bytes. A 7-Zip self-extractor works by appending the archive to the stub as an overlay, that is, file data past the end of the last section; 7ZSfxMod additionally accepts a text configuration block, delimited by ;!@Install@!UTF-8! and ;!@InstallEnd@!, placed in front of the archive to name the program to run after extraction. Roughly 9 MB of each file is therefore overlay, and that is where the payload lives. Because the similarity engine compares stub attributes, any payload wrapped in this stub scores 99.8% against any other, whatever family it belongs to.

The DeerStealer, RAT and loader labels therefore describe six different archives wrapped in one freely available installer stub, not one polymorphic or modular code base. The practical consequences are that the stub's attributes cannot tell these families apart, and that the absence of an Authenticode signature, debug entries, relocations, TLS callbacks and a Rich header is a property of the stub build rather than evidence of packing or evasion by the payload. The DeerStealer signature belongs to the extracted content, and that content is what analysis and detection must target.


Threat Intelligence Context

The DeerStealer signature places the sample among the information stealers; DeerStealer harvests credentials from browsers, cryptocurrency wallets and other applications. The neighbours' labels (RemcosRAT and AsyncRAT are remote access trojans, AZORult is a stealer, DonutLoader is a shellcode loader, and Arechclient2 is another name for SectopRAT, with sample #3 additionally tagged HijackLoader, also tracked as GhostPulse and ShadowLadder) show that operators of very different tools pick the same 7ZSfxMod wrapper for delivery.

The loader labels among the neighbours do not imply that this sample is itself a loader or that it downloads further payloads; they only confirm that the wrapper is generic. Likewise the shared timestamp and version strings come from the stub and carry no attribution value: they do not indicate shared developers, a component marketplace or deliberate obfuscation. Attribution, if any, has to come from the extracted payload and its configuration.

The dropped-by-Amadey tag is the contextual link that does hold. Amadey is a loader widely used to distribute stealers, and the chain here is Amadey downloading this SFX executable, the stub extracting the archive, and the extracted DeerStealer payload running on the host. A host where this file is found should be assumed to carry an Amadey infection as well.


Recommendations and Response Strategy

Contain the host and remove both this file and the Amadey loader that delivered it. DeerStealer's purpose is credential theft, so treat browser-saved passwords, session cookies and wallet data on affected hosts as compromised and rotate them. For hunting, use the file hashes in the Detection Summary and, more usefully, the hashes of the files inside the overlay archive: 7-Zip itself lists and extracts the embedded archive from an SFX executable (7z l sample.exe, 7z x sample.exe), and the extracted payload together with the SFX configuration block (its RunProgram directive in particular) is what should be fingerprinted and shared. Do not turn the 2010-06-27 timestamp or the "7z Setup SFX (x86)" and Oleg N. Scherbakov version strings into indicators of compromise: they match every legitimate installer built with 7ZSfxMod, would generate false positives across the estate, and would still miss a DeerStealer build wrapped differently. A weaker but usable telemetry signal is an unsigned 7ZSfxMod-wrapped executable written to disk and launched by a process that is not a user-initiated installer, which is consistent with an Amadey drop. Application control, removal of local administrator rights and prompt patching limit what the extracted payload can do, and user awareness of the phishing that usually precedes an Amadey infection reduces the chance of the first stage succeeding.
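The stub-versus-overlay split that the Technical Analysis relies on and that the Recommendations ask hunters to act on is shown below as an added example; it is not part of the SemanticsAV report and not SemanticsAV or 7-Zip code. It parses the PE section table with the standard library only, cuts the file at the end of the last section, and hashes the stub and the overlay separately. The 7z signature bytes and the ;!@Install@!UTF-8! delimiter are the ones used by 7-Zip and 7ZSfxMod; the PE bytes fed to it are constructed inside the example as a stand-in for the stub, and the names build_minimal_pe, split_sfx and demo are chosen for this example.

```python
import hashlib
import struct
from datetime import datetime, timezone

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"      # 7z archive signature
SFX_CONFIG_START = b";!@Install@!UTF-8!"    # 7ZSfxMod configuration block opener


def pe_overlay_offset(data: bytes) -> int:
    """Offset where the mapped PE image ends on disk and any overlay begins:
    max(PointerToRawData + SizeOfRawData) over the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + opt_hdr_size
    end = sec_table + num_sections * 40                                  # at least past the section table
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def split_sfx(data: bytes) -> dict:
    """Separate a self-extracting archive into the PE stub and the appended
    payload and hash them independently, so the stub's constant attributes
    (timestamp, version info) are not mistaken for properties of the payload."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]        # IMAGE_FILE_HEADER.TimeDateStamp
    cut = pe_overlay_offset(data)
    stub, overlay = data[:cut], data[cut:]
    magic_at = overlay.find(SEVENZIP_MAGIC)
    return {
        "stub_sha256": hashlib.sha256(stub).hexdigest(),
        "stub_compiled": datetime.fromtimestamp(timestamp, timezone.utc).date().isoformat(),
        "overlay_offset": cut,
        "overlay_size": len(overlay),
        "archive_offset": None if magic_at < 0 else cut + magic_at,
        # a 7ZSfxMod config block, if present, sits between the stub and the archive
        "has_sfx_config": magic_at > 0 and SFX_CONFIG_START in overlay[:magic_at],
        "overlay_sha256": hashlib.sha256(overlay).hexdigest() if overlay else None,
    }


def build_minimal_pe(timestamp: int, text_bytes: bytes) -> bytes:
    """Constructed PE32 skeleton used only as sample input for this example
    (DOS header, file header, optional header, one .text section). It is not
    a runnable program and not the real 7ZSfxMod stub."""
    e_lfanew, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sec_hdr = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(text_bytes), 0x1000, len(text_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr + sec_hdr).ljust(raw_ptr, b"\0")
    return headers + text_bytes


STUB_TIMESTAMP = 1277596800          # 2010-06-27 00:00:00 UTC, the date shared by all six samples
STUB_TEXT = b"\xC3" * 64             # constructed stand-in for the stub's .text section


def demo() -> tuple:
    """Two constructed 'samples' sharing one stub but carrying different archives;
    sample B also carries a 7ZSfxMod-style config block in front of its archive."""
    stub = build_minimal_pe(STUB_TIMESTAMP, STUB_TEXT)
    config = b";!@Install@!UTF-8!\nRunProgram=\"payload.exe\"\n;!@InstallEnd@!"
    sample_a = stub + SEVENZIP_MAGIC + b"archive-A" * 100
    sample_b = stub + config + SEVENZIP_MAGIC + b"archive-B" * 100
    return split_sfx(sample_a), split_sfx(sample_b)


if __name__ == "__main__":
    for name, info in zip("AB", demo()):
        print(name, info)
```

Run against a real file with split_sfx(open(path, "rb").read()). The expected picture for the six samples in this report is one shared stub_sha256 and one stub_compiled date of 2010-06-27 with six different overlay_sha256 values; the overlay hash, or better the hashes of the files 7-Zip extracts from it, is the value worth hunting on, while the stub hash only identifies the wrapper.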
