File name:	87aaa5cacdb412c8a461d519803913215d4d1afe69803ee5bdc9768d9f097677.exe
Full analysis:	https://app.any.run/tasks/596039d7-7297-4481-b63a-f164905c2e47
Verdict:	Malicious activity
Threats:	Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	October 03, 2025, 17:10:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	vidar stealer stealc golang
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:	D5A635EDB78BBDA4F2AE360763074D5C
SHA1:	1F8E451A7CE4C5EFCEF91FECF88EDA165B1418C7
SHA256:	87AAA5CACDB412C8A461D519803913215D4D1AFE69803EE5BDC9768D9F097677
SSDEEP:	49152:8E950vA1jRp4Ukhf/wwwzxPbe0YYQvpwn+jANfBjsOImN0xy3bznUzc0sXfRUcFC:5hRrWQP60W7Ubx6xO3

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	2.36
CodeSize:	1051648
InitializedDataSize:	2917888
UninitializedDataSize:	-
EntryPoint:	0x73420
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	5.2.4.8581
ProductVersionNumber:	5.2.4.8581
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	ideaMaker 5.2.4 - www.raise3d.com
CompanyName:	Raise3D
FileDescription:	ideaMaker 5.2.4 - www.raise3d.com
FileVersion:	5.2.4.8581
InternalName:	ideaMaker_5.2.4.8581.exe
LegalCopyright:	Copyright (C) 2023 Raise3D Technologies Inc. All rights reserved.
OriginalFileName:	ideaMaker_5.2.4.8581.exe
ProductName:	ideaMaker Installer
ProductVersion:	5.2.4.8581


(PID) Process:	(2364) 87aaa5cacdb412c8a461d519803913215d4d1afe69803ee5bdc9768d9f097677.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2364) 87aaa5cacdb412c8a461d519803913215d4d1afe69803ee5bdc9768d9f097677.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2364) 87aaa5cacdb412c8a461d519803913215d4d1afe69803ee5bdc9768d9f097677.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
2364	87aaa5cacdb412c8a461d519803913215d4d1afe69803ee5bdc9768d9f097677.exe	C:\ProgramData\1vsri\89zcba		text
		MD5:DC6628321C3435AA0F90DF4C0195E43B	SHA256:287A1C5A56E967AAAFAC0102CCCD4764CCE47F2F6591E7FFD0112150D507B0C2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	204	2.19.122.42:443	https://www.bing.com/web/xlsc.aspx?t=5&dl=1&wsbc=1	unknown	—	—	unknown
—	—	POST	200	40.126.31.130:443	https://login.live.com/RST2.srf	US	xml	11.2 Kb	unknown
—	—	POST	200	40.126.31.1:443	https://login.live.com/RST2.srf	US	xml	11.3 Kb	unknown
—	—	POST	200	40.126.31.71:443	https://login.live.com/RST2.srf	US	xml	11.3 Kb	unknown
—	—	POST	200	20.190.159.64:443	https://login.live.com/RST2.srf	US	xml	11.3 Kb	unknown
—	—	POST	200	20.190.159.129:443	https://login.live.com/RST2.srf	US	xml	11.0 Kb	unknown
—	—	GET	200	2.19.122.31:443	https://www.bing.com/th?id=ODSWG.8229b0e5-fa8c-4e4a-af74-69717698b903&pid=dsb	unknown	image	4.62 Kb	unknown
—	—	GET	200	2.19.122.39:443	https://www.bing.com/client/config?cc=US&setlang=en-US	unknown	binary	2.15 Kb	unknown
—	—	GET	200	20.223.35.26:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251003T171106Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=29bcd35b416e4131bf168a50cba2fcaf&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=16.3&dispvertres=768&fosver=16299&isu=0&lo=4245670&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1636200&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	US	binary	3.20 Kb	unknown
—	—	GET	200	20.223.35.26:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251003T171106Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=31a451fcfc5d463391bc9b566cc095e8&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=16.3&dispvertres=768&fosver=16299&isu=0&lo=4245670&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1636200&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	US	binary	3.21 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4472	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6016	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6016	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5948	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5224	SearchApp.exe	2.19.122.26:443	www.bing.com	Akamai International B.V.	DE	whitelisted
6916	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1588	backgroundTaskHost.exe	2.19.122.26:443	www.bing.com	Akamai International B.V.	DE	whitelisted
7468	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
google.com	172.217.16.206	whitelisted
www.bing.com	2.19.122.26 2.19.122.35 2.19.122.45 2.19.122.46 2.19.122.28 2.19.122.39 2.19.122.34 2.19.122.31 2.19.122.42	whitelisted
login.live.com	20.190.159.64 20.190.159.73 40.126.31.130 20.190.159.71 20.190.159.2 20.190.159.129 40.126.31.1 40.126.31.71	whitelisted
arc.msn.com	20.223.35.26	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249	whitelisted
telegram.me	149.154.167.99	whitelisted
pp.jullianacalhau.com.br	49.13.36.184	malicious
slscr.update.microsoft.com	74.179.77.204 20.165.94.63	whitelisted
www.microsoft.com	2.18.174.85	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
—	—	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
—	—	Misc activity	ET HUNTING EXE Base64 Encoded potential malware
—	—	Misc activity	ET HUNTING EXE Base64 Encoded potential malware
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

General Info

87aaa5cacdb412c8a461d519803913215d4d1afe69803ee5bdc9768d9f097677.exe

D5A635EDB78BBDA4F2AE360763074D5C

1F8E451A7CE4C5EFCEF91FECF88EDA165B1418C7

87AAA5CACDB412C8A461D519803913215D4D1AFE69803EE5BDC9768D9F097677

49152:8E950vA1jRp4Ukhf/wwwzxPbe0YYQvpwn+jANfBjsOImN0xy3bznUzc0sXfRUcFC:5hRrWQP60W7Ubx6xO3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

VIDAR has been detected (YARA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Searches for installed software

INFO

Checks supported languages

The sample compiled with english language support

Reads the computer name

Application based on Golang

Creates files in the program directory

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Reads Environment values

Reads product name

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings