File name:	Setup_20.1_win64.exe
Full analysis:	https://app.any.run/tasks/79c9cb20-7f1e-4cbf-8317-37f2056c7cbb
Verdict:	Malicious activity
Threats:	Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	August 04, 2024, 19:06:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer stealc vidar
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	1A1C728FC6D1EB46D64DFF3858488B42
SHA1:	008194EB6A429096A745D205CC6EFF2D05D709CF
SHA256:	3C67DDEB2426BFD91144DD8CA4EC06EE20578105514AD629C830E194BFD65893
SSDEEP:	98304:OwuIe8g+rOfcgC/KwV9ick2gaphy+6S2ymM+2Ime:Ekq

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2023:02:03 19:53:27+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.34
CodeSize:	3031040
InitializedDataSize:	1583616
UninitializedDataSize:	-
EntryPoint:	0x28d8b4
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	6.23.203.2
ProductVersionNumber:	6.23.203.2
FileFlagsMask:	0x003f
FileFlags:	Patched
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	Notepad3
FileDescription:	Notepad3
InternalName:	Notepad3
ProductName:	Notepad3
CompanyName:	© Rizonesoft
FileVersion:	6.23.203.2
ProductVersion:	6.23.203.2
LegalCopyright:	Copyright © 2008-2023 Rizonesoft
OriginalFileName:	Notepad3.exe


(PID) Process:	(6940) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6940) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6940) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6940) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6940) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6940) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6940) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
6848	cmd.exe	C:\Users\admin\AppData\Local\Temp\pgtikfhkbwylo		—
		MD5:—	SHA256:—
6260	Setup_20.1_win64.exe	C:\Users\admin\AppData\Local\Temp\cbe94146		image
		MD5:7325E2012A6CF941A6EA14F0061FF764	SHA256:63E3696C5E5E8B037E28E8FBEF871184B0D1D60A7314C965B1426D9CCE84DD69
6260	Setup_20.1_win64.exe	C:\Users\admin\AppData\Local\Temp\cc8866c9		image
		MD5:723E815ED9442D052BA9A8A1DDFFE0D0	SHA256:E3D67BEAA94AF15C7EFDB4ED9F9D714FA1C07A1B56BA9A58124905C3400CFA7F
6260	Setup_20.1_win64.exe	C:\Users\admin\AppData\Local\Temp\cca17859		binary
		MD5:94A8368C3802E04EF6F5EA62458F69D1	SHA256:F6C9A74CF4C6D5C634D82918648D25A0D8BD5D37ADCA687A1FBA11EC09D4DAB6
6940	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\sql[1].htm		html
		MD5:E89F75F918DBDCEE28604D4E09DD71D7	SHA256:6DC9C7FC93BB488BB0520A6C780A8D3C0FB5486A4711ACA49B4C53FAC7393023
6940	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\0K0TIF1G.htm		html
		MD5:E89F75F918DBDCEE28604D4E09DD71D7	SHA256:6DC9C7FC93BB488BB0520A6C780A8D3C0FB5486A4711ACA49B4C53FAC7393023

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	302	216.58.206.67:443	https://www.google.ca/amp/s/gcdnb.pbrd.co/images/bxQ1eEHSJpyO.png?o=1	US	html	242 b	unknown
—	—	GET	302	216.58.206.67:443	https://www.google.ca/amp/s/i.ibb.co/yWNP3nQ/cf.png	US	html	228 b	unknown
—	—	GET	302	216.58.206.67:443	https://www.google.ca/amp/s/iili.io/Jv3ilDJ.png	US	html	224 b	unknown
—	—	POST	405	13.248.213.45:443	https://ndearn.xyz/	US	—	—	unknown
—	—	POST	405	76.223.67.189:443	https://ndearn.xyz/	US	—	—	unknown
—	—	POST	405	13.248.213.45:443	https://ndearn.xyz/	US	—	—	unknown
—	—	POST	405	76.223.67.189:443	https://ndearn.xyz/	US	—	—	unknown
—	—	GET	200	76.223.67.189:443	https://ndearn.xyz/sql.dll	US	—	—	unknown
—	—	GET	404	172.67.198.249:443	https://gcdnb.pbrd.co/images/bxQ1eEHSJpyO.png	US	xml	127 b	unknown
—	—	POST	405	13.248.213.45:443	https://ndearn.xyz/	US	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
3268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1420	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6260	Setup_20.1_win64.exe	142.250.185.131:443	www.google.ca	GOOGLE	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.184.206	whitelisted
www.google.ca	142.250.185.131	whitelisted
gcdnb.pbrd.co	104.21.68.220 172.67.198.249	whitelisted
i.ibb.co	162.19.58.156 162.19.58.158 162.19.58.157 162.19.58.161 162.19.58.160 162.19.58.159	shared
iili.io	104.21.235.69 104.21.235.70	unknown
ndearn.xyz	76.223.67.189 13.248.213.45	unknown

PID	Process	Class	Message
6260	Setup_20.1_win64.exe	Not Suspicious Traffic	INFO [ANY.RUN] Image hosting service ImgBB
—	—	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

General Info

Setup_20.1_win64.exe

1A1C728FC6D1EB46D64DFF3858488B42

008194EB6A429096A745D205CC6EFF2D05D709CF

3C67DDEB2426BFD91144DD8CA4EC06EE20578105514AD629C830E194BFD65893

98304:OwuIe8g+rOfcgC/KwV9ick2gaphy+6S2ymM+2Ime:Ekq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Starts CMD.EXE for self-deleting

Steals credentials from Web Browsers

SUSPICIOUS

Uses TIMEOUT.EXE to delay execution

Searches for installed software

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Create files in a temporary directory

Checks proxy server information

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings