File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/a032380d-6663-4979-8813-3061a303fef1
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	July 01, 2024, 07:49:51
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	telegram stealer vidar ddr
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	293548F3E64884605ED1454F86CEDCD5
SHA1:	3D49595AFBFA528D9B28C24E35CDD8AF1576C4B3
SHA256:	2CF95C5C462900A24D21C26B5BCBECEEE9B10F40F2F2DB91980D9B3C5FC013A4
SSDEEP:	98304:ZZJlEgK5Yw5TYfBEdqm9XG9a9+7goWXTTbg4QRyJ6R6mGlE17BgbAZqLr8SyFxLS:fEal0E1uNqID

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:24 19:20:04+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	29696
InitializedDataSize:	491008
UninitializedDataSize:	16896
EntryPoint:	0x38af
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	22405.508.1.0
ProductVersionNumber:	22405.508.1.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Store Installer
FileVersion:	22405.508.1.0
InternalName:	StoreInstaller.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	StoreInstaller.exe
ProductName:	Store Installer
ProductVersion:	22405.0508.01.0+f98836716b902fe22b947f518e4ebea66a0834b3
AssemblyVersion:	22405.508.1.0


(PID) Process:	(2660) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2660) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2660) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2660) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4372) Millennium.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4372) Millennium.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4372) Millennium.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4372) Millennium.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6020) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6020) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

PID	Process	Filename		Type
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Hoped		—
		MD5:—	SHA256:—
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Profit		binary
		MD5:4776C2BEE8CA55BC591329B046138F8A	SHA256:99CC6C535E13CC83DD0E1936990FFC68160A1BB64F772007F9C9F7D1E1A42D92
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Ours		binary
		MD5:3015FB45E0B46702823F45F314B08094	SHA256:D4F1F6D99D7445F03805A745A0764AA902C6DC38DC9B4CB138406C81DF284779
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Determination		binary
		MD5:0CB470FD10D1B4EA8ED73E3CC42DF82A	SHA256:C644DBBF6342708D21D8200E66CA9AB4F857387462B0B467B5C93F975E28779E
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Since		binary
		MD5:0B2A1D15B058FAD67575B12F3A7DB9E0	SHA256:02FF12320E72311153DE4ED513A6B4E09F2BD73B40A474E2BB50CF26051BE4B1
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Rest		binary
		MD5:B94F03795F57D82A1744B16B9861D981	SHA256:03BC1CBF22E92066B4B33A11B8BD9ED0BAA48FDA69F072DB0075F1081DB6E0F7
2196	cmd.exe	C:\Users\admin\AppData\Local\Temp\671268\r		—
		MD5:—	SHA256:—
3836	Millennium.pif	C:\Users\admin\AppData\Local\UrbanEco Maps\B		—
		MD5:—	SHA256:—
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Granny		binary
		MD5:F11FB3C835D3348CD446B5D1C8DD1006	SHA256:E6B56A5963C3959CB6AD5050CD3D4722E7F612252E0B2814F544ACF42AE6FE6A
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Spas		binary
		MD5:D7B2334AD20DCA89DA69ED09F580CB12	SHA256:D7F9582BB30262A77A7DC1792B6C989C7CBB1E848CD1B0C5897DF6D0F7F6B1C0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2416	SIHClient.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	GET	304	40.68.123.157:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	149.154.167.99:443	https://t.me/g067n	unknown	—	12.0 Kb	—
—	—	POST	204	104.126.37.144:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	GET	200	20.3.187.198:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
—	—	POST	200	20.190.160.17:443	https://login.live.com/RST2.srf	unknown	—	—	—
—	—	POST	200	40.126.32.72:443	https://login.live.com/RST2.srf	unknown	—	—	—
—	—	POST	400	40.126.32.72:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	—	210 b	—
—	—	POST	—	52.182.143.213:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	—
—	—	POST	200	13.89.179.8:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4656	SearchApp.exe	104.126.37.145:443	—	Akamai International B.V.	DE	unknown
3868	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6004	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3868	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3040	OfficeClickToRun.exe	20.44.10.122:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3824	Millennium.pif	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	unknown
3824	Millennium.pif	195.201.251.214:9000	—	Hetzner Online GmbH	DE	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
zUKUkeBazzbMLmM.zUKUkeBazzbMLmM	49.13.77.253	unknown
self.events.data.microsoft.com	20.44.10.122	whitelisted
t.me	149.154.167.99	whitelisted
login.live.com	40.126.32.134 40.126.32.74 40.126.32.68 20.190.160.17 20.190.160.14 40.126.32.133 40.126.32.76 40.126.32.136	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

PID	Process	Class	Message
3824	Millennium.pif	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
3824	Millennium.pif	A Network Trojan was detected	STEALER [ANY.RUN] Vidar TLS Connection Attempt
—	—	Malware Command and Control Activity Detected	SUSPICIOUS [ANY.RUN] Used Telegram website as a dead drop resolver (DDR)
3824	Millennium.pif	A suspicious string was detected	SUSPICIOUS [ANY.RUN] Sending an HTTP request body with a Base64 encoded ZIP file

General Info

Setup.exe

293548F3E64884605ED1454F86CEDCD5

3D49595AFBFA528D9B28C24E35CDD8AF1576C4B3

2CF95C5C462900A24D21C26B5BCBECEEE9B10F40F2F2DB91980D9B3C5FC013A4

98304:ZZJlEgK5Yw5TYfBEdqm9XG9a9+7goWXTTbg4QRyJ6R6mGlE17BgbAZqLr8SyFxLS:fEal0E1uNqID

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Antivirus name has been found in the command line (generic signature)

Uses Task Scheduler to autorun other applications

VIDAR has been detected (SURICATA)

Steals credentials from Web Browsers

Starts CMD.EXE for self-deleting

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Get information on the list of running processes

Using 'findstr.exe' to search for text patterns in files and output

Executing commands from ".cmd" file

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Application launched itself

Drops a file with a rarely used extension (PIF)

The executable file from the user directory is run by the CMD process

Executable content was dropped or overwritten

Starts application with an unusual extension

Uses TIMEOUT.EXE to delay execution

Creates file in the systems drive root

Checks Windows Trust Settings

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Connects to unusual port

Searches for installed software

The process drops Mozilla's DLL files

Process drops legitimate windows executable

The process drops C-runtime libraries

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Reads mouse settings

Creates files or folders in the user directory

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Reads product name

Reads Environment values

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules