File name: SamFw_Tool_4.9_Crack.zip
Full analysis: https://app.any.run/tasks/1ffae706-4438-40c5-84b0-c13e32a654c6
Verdict: Malicious activity
Threats: Stealer

Stealers are a class of malware built to collect users' data without authorization and send it to the attacker. The category covers programs that each go after a particular kind of data, such as files, saved passwords, and cryptocurrency wallets. Stealers can also spy on their victims by logging keystrokes and taking screenshots. This type of malware is mostly distributed through phishing campaigns; the sample in this report instead arrived as a "cracked" software archive.

Analysis date: February 26, 2024, 12:03:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, vidar
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: A085BB6AE878CC266B836A08FD5B1953
SHA1: CE6F02C67B7AAAA8565F0120CC58EF1D132F7F66
SHA256: 7D2562EC69301E8948629B9E37E0A3B1D64BB980C343689FE2A4B7077CBCE160
SSDEEP: 98304:3vPk9cBIgyLhhBrvgGaP/HzxUxYwFvOSHbDabQKS6fkrL5Q1YMV0Qt2z4eA4dBCV:sMiOzNsIxR0+SQN5sFo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • VIDAR has been detected (SURICATA)
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • VIDAR has been detected (YARA)
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
  • SUSPICIOUS
    • Reads the BIOS version
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 3672)
    • Reads security settings of Internet Explorer
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
      • WinRAR.exe (PID: 3672)
    • Reads the Internet Settings
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Checks Windows Trust Settings
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads settings of System Certificates
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Connects to unusual port
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3672)
    • Checks supported languages
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Checks proxy server information
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3672)
    • Reads the machine GUID from the registry
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads the computer name
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads the software policy settings
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Creates files or folders in the user directory
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Create files in a temporary directory
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads product name
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads Environment values
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP; the values describe the archive's first entry, the mui/ directory, which is why CRC and sizes are empty):
ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:19 12:23:18
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: mui/

Screenshots: available in the full report.
Total processes: 41
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe -> samfw tool 4.9 (crack).exe (#VIDAR)

Process information

PID 3672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SamFw_Tool_4.9_Crack.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID 3972
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\SamFw Tool 4.9 (Crack).exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\SamFw Tool 4.9 (Crack).exe
Parent process: WinRAR.exe
User: admin
Company: Samsung
Integrity Level: MEDIUM
Description: SmartViewer
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3672.1288\samfw tool 4.9 (crack).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

The Rar$EXa3672.1288 path shows that the executable was launched straight from inside the open archive: WinRAR extracts the file to a temporary folder named after its own PID (3672) and runs it, which is why WinRAR.exe, not explorer.exe, is the parent. The Company, Description and Version fields come from the binary's own version resource (Samsung / SmartViewer / 1.0.0.0) and do not match the "SamFw Tool" name it is distributed under; they are not a trust signal.
Total events: 8 597
Read events: 8 538
Write events: 53
Delete events: 6

Modification events (all by PID 3672, WinRAR.exe)

Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  write ShellExtBMP = (empty)
  write ShellExtIcon = (empty)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
  write LanguageList = en-US
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  write 3 = C:\Users\admin\Desktop\phacker.zip
  write 2 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
  write 1 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
  write 0 = C:\Users\admin\AppData\Local\Temp\SamFw_Tool_4.9_Crack.zip
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  write name = 120
  write size = 80
  write type = 120

Every registry write listed here is WinRAR's own UI state. ArcHistory entry 0 is the sample archive; entries 1 to 3 are archives the sandbox image had opened earlier, shifted down one slot when the new entry was added, and are not part of the sample. No registry writes by PID 3972 appear in this excerpt, so it shows no registry-based persistence.
Executable files: 1
Suspicious files: 16
Text files: 1
Unknown types: 5

Dropped files (all by PID 3672, WinRAR.exe, under C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\)

SamFw Tool 4.9 (Crack).exe (type: executable)
  MD5: (not shown)
  SHA256: (not shown)
mui\0409\mmc.CHM (type: chm)
  MD5: 39E49FA8791F1D7F57FFF6FF0BC5A1E7
  SHA256: 1C7E497CE881005248F97542DEEFF2BCB3AD05F7F8443F4AD37FE62A6F64D85E
mui\0409\cliconf.chm (type: chm)
  MD5: C15C2D987AC0936962CFFC215ED54318
  SHA256: FB17F6BD188428EC7E445E493309EFD128FA625529A3166B058A5F53331C0A39
mui\0419\odbcinst.chm (type: chm)
  MD5: 764039FC7C1C21A8095BE1D912E917B7
  SHA256: 184CBA455E9B234AF57C2C50CB7CC2321E59F17EE607B63A7BF2A3E4F3C8DE58
mui\0419\sqlsodbc.chm (type: chm)
  MD5: 935512B9467C05174D596DACB82D5A59
  SHA256: DD09B2BBAB35BC2563DBB3E6ECEBFA4BCE2C049B0E263C2692E76D7F60C4D783
mui\0419\msorcl32.chm (type: chm)
  MD5: FB79DC5E0D2086F8E77ECD02298E23D9
  SHA256: BF3D32385067B09FC942429BE65A0F96746101ADC929C26EF18A822FA6CBF072
mui\0419\odbcjet.chm (type: binary)
  MD5: 16A12239626D918884BC24B9D63D2A62
  SHA256: 4CA60A0D9AABBDB62681B00618A3B3257FC3A29354B69C1110DF261449B6BEBE
mui\0419\msdasc.chm (type: chm)
  MD5: D6BD530834E65D678888EB0FD224DCBF
  SHA256: 4ABD31DBFFFEBA6F88411F120537F483F8B5026D552B58F66426C2E5E6BB5BC3
mui\0419\cliconf.chm (type: chm)
  MD5: EABB7098F222DF521E465D3D41CD4C05
  SHA256: C65AF6DD5F55D4B8CF925B776DA6F38D3190A5B0BBFD5D0177601EFDA76827C7
mui\0409\sqlsoldb.chm (type: chm)
  MD5: 3F3D9AB55FB11F31466413AA692D4159
  SHA256: 2F9355F5DB80F86272F091B138F8B48A253DAD7609ED696E4B7E3379CBF28917

The mui\0409 (en-US) and mui\0419 (ru-RU) folders hold compiled HTML help files of the kind that ship with Windows database drivers; nothing in the report shows them being opened or executed, so they appear to be filler that makes the archive look like a real tool distribution. The single executable in the archive is the Vidar sample itself, and the archive is stored uncompressed (compression method=store), so every member can be hashed without extracting it.
Network (PCAP, network streams and HTTP content are available in the full report)

HTTP(S) requests: 2
TCP/UDP connections: 10
DNS requests: 2
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3972 | SamFw Tool 4.9 (Crack).exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9fe56580133331f1 | unknown | compressed | 65.2 Kb | unknown
3972 | SamFw Tool 4.9 (Crack).exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9f073e77455bfaf9 | unknown | compressed | 65.2 Kb | unknown

Both requests are Windows' automatic certificate trust list update (the trusted-root and disallowed-certificate CTLs), which CryptoAPI fetches when a process validates a certificate chain, here for the TLS connection to t.me. They are operating-system background traffic, not command and control, and they explain the "Checks Windows Trust Settings" and "Reads settings of System Certificates" signatures above.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3972 | SamFw Tool 4.9 (Crack).exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | unknown
3972 | SamFw Tool 4.9 (Crack).exe | 142.132.224.223:9001 | | Hetzner Online GmbH | DE | unknown
3972 | SamFw Tool 4.9 (Crack).exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted

The NetBIOS (137/138) and LLMNR (5355) traffic is normal Windows background noise. The two connections that matter both come from PID 3972: TLS to t.me, and a connection to 142.132.224.223 on TCP 9001 with no domain and, per the DNS table below, no preceding lookup, so the address was either hard-coded or obtained from the Telegram page. That sequence is consistent with Vidar's documented use of Telegram channel pages as a dead drop for its current C2 address, although the report extracted no configuration and so does not confirm it.
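The process tree and connection table together make a compact detection case: an executable run straight out of WinRAR's Rar$EX temp folder, TLS to Telegram from that same process, and a connection to a non-standard port with no SNI and no prior DNS resolution. The script below is an added example of detection logic over such events, not ANY.RUN's detection engine or any vendor's rule set. Its input is a constructed JSON-lines stream that restates the report's process and connection rows (it is not Sysmon or ANY.RUN export format), and the rule names, COMMON_PORTS set, DEAD_DROP_DOMAINS list and the "two rules per PID" alert threshold are my own choices.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed event stream modelled on the report's process tree, connections
# and DNS table. Not a real log format; each line is one JSON object.
EVENTS = r"""
{"pid": 3672, "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "kind": "process", "parent": "explorer.exe"}
{"pid": 3972, "image": "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa3672.1288\\SamFw Tool 4.9 (Crack).exe", "kind": "process", "parent": "WinRAR.exe"}
{"pid": 3972, "image": "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa3672.1288\\SamFw Tool 4.9 (Crack).exe", "kind": "net", "dst": "149.154.167.99", "port": 443, "sni": "t.me"}
{"pid": 3972, "image": "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa3672.1288\\SamFw Tool 4.9 (Crack).exe", "kind": "net", "dst": "142.132.224.223", "port": 9001, "sni": ""}
{"pid": 3972, "image": "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa3672.1288\\SamFw Tool 4.9 (Crack).exe", "kind": "net", "dst": "93.184.221.240", "port": 80, "sni": "ctldl.windowsupdate.com"}
{"pid": 4, "image": "System", "kind": "net", "dst": "192.168.100.255", "port": 137, "sni": ""}
{"pid": 1080, "image": "C:\\Windows\\System32\\svchost.exe", "kind": "net", "dst": "224.0.0.252", "port": 5355, "sni": ""}
"""

# WinRAR's temporary extraction folder: the user ran a file from inside the archive.
RAR_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Rar\$EX", re.IGNORECASE)
# Public sites stealers are known to use as dead-drop resolvers (assumed list).
DEAD_DROP_DOMAINS = ("t.me", "telegram.org", "steamcommunity.com")
# Ports treated as ordinary for a desktop process (assumed baseline).
COMMON_PORTS = {53, 80, 123, 137, 138, 139, 443, 445, 5355}


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_local_noise(ip: str) -> bool:
    """Broadcast, multicast and link-local traffic is not worth scoring."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_multicast or addr.is_link_local


def evaluate(events: list) -> dict:
    """Map each PID to the set of rule names it triggered."""
    hits = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        from_rar_temp = bool(RAR_TEMP.search(ev["image"]))
        if ev["kind"] == "process" and from_rar_temp:
            hits[pid].add("exec_from_archive_temp")
        elif ev["kind"] == "net":
            if is_local_noise(ev["dst"]):
                continue
            sni = ev.get("sni", "").lower()
            dead_drop = any(sni == d or sni.endswith("." + d) for d in DEAD_DROP_DOMAINS)
            # Telegram alone is common; Telegram from a binary in a temp folder is not.
            if dead_drop and from_rar_temp:
                hits[pid].add("dead_drop_resolver")
            # Raw IP on an unusual port with no SNI: nothing to whitelist it on.
            if ev["port"] not in COMMON_PORTS and not sni:
                hits[pid].add("unusual_port_no_sni")
    return dict(hits)


def alerts(events: list, threshold: int = 2) -> dict:
    """Alert on a PID only when independent rules corroborate each other."""
    return {pid: rules for pid, rules in evaluate(events).items() if len(rules) >= threshold}


if __name__ == "__main__":
    for pid, rules in alerts(parse_events(EVENTS)).items():
        print(f"ALERT pid={pid} rules={sorted(rules)}")
```

The threshold matters: each rule on its own fires on benign activity (Telegram Desktop talks to t.me, plenty of tools use port 9001, users do run installers from inside archives), but a process that trips all three in one session, as PID 3972 does here, is a much tighter signal. The ctldl.windowsupdate.com request from the same PID scores nothing, which is the intended behaviour.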

DNS requests

Domain | IP | Reputation
t.me | 149.154.167.99 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted

Threats (Suricata)

PID | Process | Class | Message
3972 | SamFw Tool 4.9 (Crack).exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
3972 | SamFw Tool 4.9 (Crack).exe) | A Network Trojan was detected | STEALER [ANY.RUN] Vidar TLS Connection Attempt

1 further ETPRO signature is available in the full report.
No debug info