File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/a032380d-6663-4979-8813-3061a303fef1
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	July 01, 2024, 07:49:51
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	telegram stealer vidar ddr
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	293548F3E64884605ED1454F86CEDCD5
SHA1:	3D49595AFBFA528D9B28C24E35CDD8AF1576C4B3
SHA256:	2CF95C5C462900A24D21C26B5BCBECEEE9B10F40F2F2DB91980D9B3C5FC013A4
SSDEEP:	98304:ZZJlEgK5Yw5TYfBEdqm9XG9a9+7goWXTTbg4QRyJ6R6mGlE17BgbAZqLr8SyFxLS:fEal0E1uNqID

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:24 19:20:04+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	29696
InitializedDataSize:	491008
UninitializedDataSize:	16896
EntryPoint:	0x38af
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	22405.508.1.0
ProductVersionNumber:	22405.508.1.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Store Installer
FileVersion:	22405.508.1.0
InternalName:	StoreInstaller.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	StoreInstaller.exe
ProductName:	Store Installer
ProductVersion:	22405.0508.01.0+f98836716b902fe22b947f518e4ebea66a0834b3
AssemblyVersion:	22405.508.1.0


(PID) Process:	(2660) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2660) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2660) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2660) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4372) Millennium.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4372) Millennium.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4372) Millennium.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4372) Millennium.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6020) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6020) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

PID	Process	Filename		Type
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Hoped		—
		MD5:—	SHA256:—
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Keith		text
		MD5:D069611D5475E763C89E48C47DF676DD	SHA256:65E2A87C201634B46BDF1447F4A8EE8DB0B0C966656EEF12D6B077680D9D1A00
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Profit		binary
		MD5:4776C2BEE8CA55BC591329B046138F8A	SHA256:99CC6C535E13CC83DD0E1936990FFC68160A1BB64F772007F9C9F7D1E1A42D92
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Bytes		mp3
		MD5:D6660E1C4E3031837D02C6A4B1FC4A9C	SHA256:CDF34F961BABA6FAD59E63DD4E7FCBF8BA075B57F0188ED008388E6A96727E4B
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Determination		binary
		MD5:0CB470FD10D1B4EA8ED73E3CC42DF82A	SHA256:C644DBBF6342708D21D8200E66CA9AB4F857387462B0B467B5C93F975E28779E
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Fleece		binary
		MD5:1D6C4633A5A3E68611C4B6CC0E3316F2	SHA256:042C59F246A29C85E8C29D0616A1743C8A09EE3424AF8F522D77BC4EE1175D56
2196	cmd.exe	C:\Users\admin\AppData\Local\Temp\671268\r		—
		MD5:—	SHA256:—
3836	Millennium.pif	C:\Users\admin\AppData\Local\UrbanEco Maps\B		—
		MD5:—	SHA256:—
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Trauma		binary
		MD5:8D9BF7F34D6CE1E35C8A1A950E8B285D	SHA256:E2EBBDC0B7B84A358111E5D7ED435079281DD93B09C24D77AEFF8308EC129B5F
2660	Setup.exe	C:\Users\admin\AppData\Local\Temp\Granny		binary
		MD5:F11FB3C835D3348CD446B5D1C8DD1006	SHA256:E6B56A5963C3959CB6AD5050CD3D4722E7F612252E0B2814F544ACF42AE6FE6A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	149.154.167.99:443	https://t.me/g067n	unknown	—	12.0 Kb	unknown
—	—	GET	200	40.68.123.157:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	23.9 Kb	unknown
—	—	GET	304	40.68.123.157:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	POST	—	52.182.143.213:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	unknown
2416	SIHClient.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	POST	200	20.190.160.17:443	https://login.live.com/RST2.srf	unknown	—	—	unknown
—	—	POST	204	104.126.37.144:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	unknown
—	—	POST	200	40.126.32.72:443	https://login.live.com/RST2.srf	unknown	—	—	unknown
—	—	GET	200	20.3.187.198:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	unknown
—	—	POST	400	40.126.32.72:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	—	210 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4656	SearchApp.exe	104.126.37.145:443	—	Akamai International B.V.	DE	unknown
3868	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6004	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3868	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3040	OfficeClickToRun.exe	20.44.10.122:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3824	Millennium.pif	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	unknown
3824	Millennium.pif	195.201.251.214:9000	—	Hetzner Online GmbH	DE	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
zUKUkeBazzbMLmM.zUKUkeBazzbMLmM	49.13.77.253	unknown
self.events.data.microsoft.com	20.44.10.122	whitelisted
t.me	149.154.167.99	whitelisted
login.live.com	40.126.32.134 40.126.32.74 40.126.32.68 20.190.160.17 20.190.160.14 40.126.32.133 40.126.32.76 40.126.32.136	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

PID	Process	Class	Message
3824	Millennium.pif	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
3824	Millennium.pif	A Network Trojan was detected	STEALER [ANY.RUN] Vidar TLS Connection Attempt
—	—	Malware Command and Control Activity Detected	SUSPICIOUS [ANY.RUN] Used Telegram website as a dead drop resolver (DDR)
3824	Millennium.pif	A suspicious string was detected	SUSPICIOUS [ANY.RUN] Sending an HTTP request body with a Base64 encoded ZIP file

General Info

Setup.exe

293548F3E64884605ED1454F86CEDCD5

3D49595AFBFA528D9B28C24E35CDD8AF1576C4B3

2CF95C5C462900A24D21C26B5BCBECEEE9B10F40F2F2DB91980D9B3C5FC013A4

98304:ZZJlEgK5Yw5TYfBEdqm9XG9a9+7goWXTTbg4QRyJ6R6mGlE17BgbAZqLr8SyFxLS:fEal0E1uNqID

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Antivirus name has been found in the command line (generic signature)

Uses Task Scheduler to autorun other applications

VIDAR has been detected (SURICATA)

Starts CMD.EXE for self-deleting

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executing commands from ".cmd" file

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Get information on the list of running processes

Using 'findstr.exe' to search for text patterns in files and output

Drops a file with a rarely used extension (PIF)

The executable file from the user directory is run by the CMD process

Starts application with an unusual extension

Application launched itself

Uses TIMEOUT.EXE to delay execution

Connects to unusual port

Searches for installed software

Process communicates with Telegram (possibly using it as an attacker's C2 server)

The process drops Mozilla's DLL files

Checks Windows Trust Settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Creates file in the systems drive root

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Reads mouse settings

Creates files or folders in the user directory

Creates files in the program directory

Reads the software policy settings

Reads the machine GUID from the registry

Reads Environment values

Reads product name

Reads CPU info

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules