File name: SamFw_Tool_4.9_Crack.zip

Full analysis: https://app.any.run/tasks/1ffae706-4438-40c5-84b0-c13e32a654c6
Verdict: Malicious activity
Threats:

Stealers are malicious programs built to gain unauthorized access to a user's information and send it to the attacker. The category covers tools that each target a particular kind of data, such as files, saved passwords, and cryptocurrency wallets; many also spy on the victim by logging keystrokes and taking screenshots. Stealers are distributed mainly through phishing campaigns and, as with this sample, through cracked or pirated software lures.

Analysis date: February 26, 2024, 12:03:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
vidar
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: A085BB6AE878CC266B836A08FD5B1953
SHA1: CE6F02C67B7AAAA8565F0120CC58EF1D132F7F66
SHA256: 7D2562EC69301E8948629B9E37E0A3B1D64BB980C343689FE2A4B7077CBCE160
SSDEEP: 98304:3vPk9cBIgyLhhBrvgGaP/HzxUxYwFvOSHbDabQKS6fkrL5Q1YMV0Qt2z4eA4dBCV:sMiOzNsIxR0+SQN5sFo

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by analyst actions and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • VIDAR has been detected (YARA)

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • VIDAR has been detected (SURICATA)

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3672)
    • Reads the BIOS version

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3672)
      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads the Internet Settings

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads settings of System Certificates

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Checks Windows Trust Settings

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Connects to unusual port

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)
    • Checks supported languages

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads the computer name

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3672)
    • Checks proxy server information

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads the machine GUID from the registry

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads the software policy settings

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Creates files or folders in the user directory

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads product name

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Reads Environment values

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
    • Create files in a temporary directory

      • SamFw Tool 4.9 (Crack).exe (PID: 3972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Malware configuration: none extracted.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP (ExifTool reports the first entry only; here that is the mui/ directory, so CRC and sizes are empty)

ZipRequiredVersion: 10 (v1.0)
ZipBitFlag: -
ZipCompression: None (stored)
ZipModifyDate: 2024:02:19 12:23:18
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: mui/
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe -> samfw tool 4.9 (crack).exe (#VIDAR)

Process information

PID: 3672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SamFw_Tool_4.9_Crack.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3972
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\SamFw Tool 4.9 (Crack).exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\SamFw Tool 4.9 (Crack).exe
Indicators: #VIDAR
Parent process: WinRAR.exe
User: admin
Company: Samsung
Integrity Level: MEDIUM
Description: SmartViewer
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3672.1288\samfw tool 4.9 (crack).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

Notes on PID 3972: the Rar$EXa3672.1288 folder is WinRAR's temporary extraction directory, i.e. the user launched the .exe straight from the open archive and its contents were unpacked there. Company, Description and Version are read from the executable's own version resource, which whoever built the file controls; they are not evidence of a code signature or of any link to Samsung.
Total events: 8 597
Read events: 8 538
Write events: 53
Delete events: 6

Modification events

Process | Operation | Key | Name | Value
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
3672 WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\phacker.zip
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\SamFw_Tool_4.9_Crack.zip
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3672 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120

Every registry write listed here is WinRAR housekeeping. ArcHistory is WinRAR's most-recently-used list: entry 0 is this sample, while entries 1-3 are archives the sandbox image had opened earlier and are unrelated to it. None of the writes shown comes from the stealer process (PID 3972).
Executable files: 1
Suspicious files: 16
Text files: 1
Unknown types: 5

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\SamFw Tool 4.9 (Crack).exe | - | - | -
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\mui\0409\msdasc.chm | chm | 86165CF3D62317770FCE58F3CB1D4DD4 | AAAA1D54087D10801231B4BFF492BEAC227C8B713DDA39BFBBFD0972ADB0129A
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\mui\0409\cliconf.chm | chm | C15C2D987AC0936962CFFC215ED54318 | FB17F6BD188428EC7E445E493309EFD128FA625529A3166B058A5F53331C0A39
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\HelpPanel.dll | executable | 57D8806C58D69B6A1B6A0298520E67C3 | 3EC966736524695C7499B63D46A8482BE8E127CE9E18C3D48D58BC1A70FC173A
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\mui\0419\cliconf.chm | chm | EABB7098F222DF521E465D3D41CD4C05 | C65AF6DD5F55D4B8CF925B776DA6F38D3190A5B0BBFD5D0177601EFDA76827C7
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\mui\0419\sqlsodbc.chm | chm | 935512B9467C05174D596DACB82D5A59 | DD09B2BBAB35BC2563DBB3E6ECEBFA4BCE2C049B0E263C2692E76D7F60C4D783
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\mui\0419\odbcjet.chm | binary | 16A12239626D918884BC24B9D63D2A62 | 4CA60A0D9AABBDB62681B00618A3B3257FC3A29354B69C1110DF261449B6BEBE
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\mui\0409\odbcinst.chm | chm | BF0942377F014C00B6E8520822A6C07C | 350F3E7CDC45B99BB3448D10C724D5BA6AC532CC51EF3EC4513F4D218B947D7A
3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.1288\mui\0419\msdasc.chm | chm | D6BD530834E65D678888EB0FD224DCBF | 4ABD31DBFFFEBA6F88411F120537F483F8B5026D552B58F66426C2E5E6BB5BC3
3972 | SamFw Tool 4.9 (Crack).exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MRB2XEJP.txt | text | 2BA83FB073850BF79F15B2E66646F690 | EA0FB22863DC3CA9BFD2775ADC727D4361DD3F6D96B2F2EE0DFA520DD515BA2A

The files written by WinRAR are the archive's own members, unpacked into its temporary folder when the .exe was run from inside the archive; the .chm help files and HelpPanel.dll travel with the lure and were not created by the stealer. Note that mui\0419\odbcjet.chm is typed "binary" rather than "chm", so its content does not match its extension. The only file written by the stealer process itself in this list is a WinINet cookie file under the user's Cookies folder, consistent with it using the WinINet HTTP stack.
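Offline triage of the archive before detonation, as an added example (this is not ANY.RUN code, and the archive is a constructed in-memory stand-in for SamFw_Tool_4.9_Crack.zip with the same member names, stored compression and the report's timestamp, but dummy contents). It enumerates every member with the fields the EXIF block above reports for the first entry only, types each member by its leading bytes rather than its extension, and hashes it so the output can be matched against the dropped-files table:

```python
"""Enumerate and type every member of a ZIP archive without extracting it.

Added example; not ANY.RUN code. build_sample_zip() constructs a stand-in for
SamFw_Tool_4.9_Crack.zip in memory: same member names, stored compression and
ZipModifyDate as the report, but constructed dummy contents.
"""
import hashlib
import io
import zipfile

PE_MAGIC = b"MZ"          # DOS stub header of every Windows executable/DLL
CHM_MAGIC = b"ITSF"       # compiled HTML help container
REPORT_MTIME = (2024, 2, 19, 12, 23, 18)   # ZipModifyDate from the EXIF block


def _member(name: str) -> zipfile.ZipInfo:
    """ZipInfo mirroring the report: stored, 'at least v1.0 to extract'."""
    zi = zipfile.ZipInfo(name, date_time=REPORT_MTIME)
    zi.compress_type = zipfile.ZIP_STORED
    zi.extract_version = 10
    return zi


def build_sample_zip() -> bytes:
    """Constructed stand-in archive; the real sample's contents are not reproduced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(_member("mui/"), b"")                       # directory entry, CRC 0
        zf.writestr(_member("mui/0409/msdasc.chm"), CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60)
        zf.writestr(_member("mui/0419/odbcjet.chm"), b"\x00" * 64)   # .chm name, not CHM content
        zf.writestr(_member("HelpPanel.dll"), PE_MAGIC + b"\x90" * 62)
        zf.writestr(_member("SamFw Tool 4.9 (Crack).exe"), PE_MAGIC + b"\x90" * 126)
    return buf.getvalue()


def classify(content: bytes, is_dir: bool) -> str:
    """Content-based type, so a renamed PE cannot hide behind a .chm extension."""
    if is_dir:
        return "directory"
    if content.startswith(PE_MAGIC):
        return "executable"
    if content.startswith(CHM_MAGIC):
        return "chm"
    return "binary"


def describe_members(data: bytes) -> list:
    """One record per member with the EXIF-style fields plus type and SHA-256."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = b"" if info.is_dir() else zf.read(info)
            records.append({
                "name": info.filename,
                "required_version": info.extract_version,   # 10 -> v1.0
                "compression": info.compress_type,           # 0 -> stored ("None")
                "mtime": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
                "crc": "0x%08X" % info.CRC,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "type": classify(content, info.is_dir()),
                "sha256": hashlib.sha256(content).hexdigest().upper(),
            })
    return records


def executables(records: list) -> list:
    """Names of members that are PE files, whatever their extension says."""
    return [r["name"] for r in records if r["type"] == "executable"]


def extension_mismatches(records: list) -> list:
    """Members whose extension promises one type while their bytes are another."""
    expected = {".chm": "chm", ".exe": "executable", ".dll": "executable"}
    out = []
    for r in records:
        for ext, kind in expected.items():
            if r["name"].lower().endswith(ext) and r["type"] != kind:
                out.append(r["name"])
    return out


if __name__ == "__main__":
    for rec in describe_members(build_sample_zip()):
        print(rec["type"].ljust(10), rec["crc"], rec["mtime"], rec["sha256"][:16], rec["name"])
```

Run it against the real archive by replacing build_sample_zip() with the file's bytes; the SHA-256 column then lines up directly with the dropped-files table, and extension_mismatches() surfaces members like the odbcjet.chm that the sandbox typed as plain "binary".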
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 10
DNS requests: 2
Threats: 3

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3972 | SamFw Tool 4.9 (Crack).exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9fe56580133331f1 | unknown | compressed | 65.2 Kb | unknown
3972 | SamFw Tool 4.9 (Crack).exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9f073e77455bfaf9 | unknown | compressed | 65.2 Kb | unknown

Both requests are Windows CryptoAPI's automatic root-certificate update (the trusted-root and disallowed-certificate STL files), which the OS fetches on the process's behalf when it validates a certificate chain, most likely for the TLS connection to t.me. They account for the "Reads settings of System Certificates" and "Checks Windows Trust Settings" indicators and are not attacker infrastructure.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3972 | SamFw Tool 4.9 (Crack).exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | unknown
3972 | SamFw Tool 4.9 (Crack).exe | 142.132.224.223:9001 | - | Hetzner Online GmbH | DE | unknown
3972 | SamFw Tool 4.9 (Crack).exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted

The NetBIOS (137/138) and LLMNR (5355) entries are background Windows traffic. The two connections that matter are the stealer's TLS session to t.me and its connection to 142.132.224.223 on port 9001, for which no DNS query appears in the table below; the address therefore came from somewhere other than a name lookup, which is consistent with (though not proven by this report) the Telegram page being used as a dead-drop that supplies the real C2 address.

DNS requests

Domain | IP | Reputation
t.me | 149.154.167.99 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted

Threats

PID | Process | Class | Message
3972 | SamFw Tool 4.9 (Crack).exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
3972 | SamFw Tool 4.9 (Crack).exe | A Network Trojan was detected | STEALER [ANY.RUN] Vidar TLS Connection Attempt
1 ETPRO signatures available at the full report
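The Suricata hits above fire on the TLS SNI of a single connection. The sequence in the Connections table (a process contacts t.me, then seconds later a bare IP on port 9001 that was never resolved by DNS) can also be detected from endpoint telemetry without decrypting anything. The following is an added example, not ANY.RUN or Emerging Threats code: it reads t.me as a dead-drop resolver that hands the stealer its C2 address, which the report only states as "possibly", so that reading, the 120-second window and the Sysmon Event ID 3 CSV layout are assumptions of this example. The log lines are constructed, not captured traffic.

```python
"""Flag dead-drop-resolver-then-C2 connection chains per process.

Added example; not ANY.RUN or ET/Suricata code. DEAD_DROP_HOSTS and REPORT_C2
come from this report's DNS and Connections tables; WINDOW and the CSV layout
(Sysmon Event ID 3 fields) are assumptions; SAMPLE_CSV is constructed.
"""
import csv
import io
from datetime import datetime, timedelta

DEAD_DROP_HOSTS = {"t.me"}                 # from the report; extend with your own intel
STANDARD_PORTS = {80, 443}
WINDOW = timedelta(seconds=120)            # assumed max gap between lookup and C2 contact
REPORT_C2 = {("142.132.224.223", 9001)}    # IOC from the Connections table

# Constructed sample log, not captured traffic. The svchost LLMNR row and the
# browser rows (t.me, then a named site on 443) are there to show what must not alert.
SAMPLE_CSV = """UtcTime,ProcessId,Image,DestinationIp,DestinationPort,DestinationHostname
2024-02-26 12:03:40.100,1080,C:\\Windows\\System32\\svchost.exe,224.0.0.252,5355,
2024-02-26 12:03:41.250,3972,C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa3672.1288\\SamFw Tool 4.9 (Crack).exe,93.184.221.240,80,ctldl.windowsupdate.com
2024-02-26 12:03:42.010,3972,C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa3672.1288\\SamFw Tool 4.9 (Crack).exe,149.154.167.99,443,t.me
2024-02-26 12:03:43.330,3972,C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa3672.1288\\SamFw Tool 4.9 (Crack).exe,142.132.224.223,9001,
2024-02-26 12:05:00.000,2200,C:\\Program Files\\Mozilla Firefox\\firefox.exe,149.154.167.99,443,t.me
2024-02-26 12:05:01.000,2200,C:\\Program Files\\Mozilla Firefox\\firefox.exe,203.0.113.10,443,www.example.com
"""


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts sorted by time; an empty hostname becomes None."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
            "pid": int(row["ProcessId"]),
            "image": row["Image"],
            "ip": row["DestinationIp"],
            "port": int(row["DestinationPort"]),
            "host": row["DestinationHostname"] or None,
        })
    return sorted(events, key=lambda e: e["time"])


def find_dead_drop_chains(events: list) -> list:
    """Alert when a process contacts a dead-drop host and, within WINDOW, either
    hits a known C2 IOC or opens a hostname-less connection on a non-standard port."""
    alerts = []
    last_drop = {}                      # pid -> time of its latest dead-drop contact
    for e in events:
        if e["host"] in DEAD_DROP_HOSTS:
            last_drop[e["pid"]] = e["time"]
            continue
        t0 = last_drop.get(e["pid"])
        if t0 is None or e["time"] - t0 > WINDOW:
            continue
        ioc_hit = (e["ip"], e["port"]) in REPORT_C2
        bare_ip_odd_port = e["host"] is None and e["port"] not in STANDARD_PORTS
        if ioc_hit or bare_ip_odd_port:
            alerts.append({
                "pid": e["pid"],
                "image": e["image"],
                "c2": "%s:%d" % (e["ip"], e["port"]),
                "seconds_after_dead_drop": (e["time"] - t0).total_seconds(),
                "ioc_match": ioc_hit,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_chains(parse_events(SAMPLE_CSV)):
        print(alert)
```

The rule keys on the process, not the wire: the browser that also visits t.me produces no alert because its follow-up connection carries a hostname on a standard port, and the LLMNR multicast from svchost never alerts because no dead-drop contact precedes it. Keep REPORT_C2 as a fast path for the known IOC and rely on the bare-IP-odd-port branch for the next campaign, where only the resolver stays the same.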
No debug info