File name: S0FTWARE.exe

Full analysis: https://app.any.run/tasks/ceb18205-881e-4d49-99d7-adf97bfdae23
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Analysis date: September 06, 2024, 18:53:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: vidar, telegram, stealer, stealc, ddr
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9A51B79560DC84BE322FCEBE54186925
SHA1: 2B06CD3DF81F436E987014F6AFCB38500D5CAA08
SHA256: 941CE328F91E86A1EF74EC9C0B61B622FA98003AA7F49787B59E1F59BB7C5C0A
SSDEEP: 98304:Ed5x9R7gevcGzrh9o0FqgmD3K4lxiHOUvPJ0A+a8Qv+LlnKj:O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • VIDAR has been detected (YARA)

      • S0FTWARE.exe (PID: 7040)
      • BitLockerToGo.exe (PID: 6664)
    • Stealers network behavior

      • BitLockerToGo.exe (PID: 6664)
    • Starts CMD.EXE for self-deleting

      • BitLockerToGo.exe (PID: 6664)
    • Steals credentials from Web Browsers

      • BitLockerToGo.exe (PID: 6664)
    • VIDAR has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 6664)
    • Connects to the CnC server

      • BitLockerToGo.exe (PID: 6664)
  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • S0FTWARE.exe (PID: 7040)
    • Checks Windows Trust Settings

      • BitLockerToGo.exe (PID: 6664)
    • Reads security settings of Internet Explorer

      • BitLockerToGo.exe (PID: 6664)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • BitLockerToGo.exe (PID: 6664)
    • Searches for installed software

      • BitLockerToGo.exe (PID: 6664)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6420)
    • Starts CMD.EXE for commands execution

      • BitLockerToGo.exe (PID: 6664)
  • INFO

    • Checks supported languages

      • BitLockerToGo.exe (PID: 6664)
      • S0FTWARE.exe (PID: 7040)
    • Reads the computer name

      • BitLockerToGo.exe (PID: 6664)
    • Creates files in a temporary directory

      • BitLockerToGo.exe (PID: 6664)
    • Creates files in the program directory

      • BitLockerToGo.exe (PID: 6664)
    • Checks proxy server information

      • BitLockerToGo.exe (PID: 6664)
    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 6664)
    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 6664)
    • Creates files or folders in the user directory

      • BitLockerToGo.exe (PID: 6664)
    • Reads CPU info

      • BitLockerToGo.exe (PID: 6664)
    • Reads product name

      • BitLockerToGo.exe (PID: 6664)
    • Attempting to use instant messaging service

      • BitLockerToGo.exe (PID: 6664)
    • Reads Environment values

      • BitLockerToGo.exe (PID: 6664)
    • The process uses the downloaded file

      • BitLockerToGo.exe (PID: 6664)
    • Process checks computer location settings

      • BitLockerToGo.exe (PID: 6664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Vidar

PID 7040, process S0FTWARE.exe
C2: https://t.me/edm0d
URL: https://steamcommunity.com/profiles/
RC4: 0123456789ABCDEF

PID 6664, process BitLockerToGo.exe
C2: https://t.me/edm0d
URL: https://steamcommunity.com/profiles/
RC4: 0123456789ABCDEF
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 5286912
InitializedDataSize: 453632
UninitializedDataSize: -
EntryPoint: 0x73630
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.1.5.0
ProductVersionNumber: 2.1.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with S0FTWARE Setup.
CompanyName: S0FTWARE Software Limited
FileDescription: S0FTWARE Setup
FileVersion: 2.1.005.0
LegalCopyright:
ProductName: S0FTWARE
ProductVersion: 2.1.005.0
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start, s0ftware.exe (#VIDAR, no specs), bitlockertogo.exe (#VIDAR), svchost.exe, cmd.exe (no specs), conhost.exe (no specs), timeout.exe (no specs)

Process information

PID: 2144
CMD: timeout /t 10
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5644
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6420
CMD: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\GDAAKKEHDHCA" & exit
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: BitLockerToGo.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6664
CMD: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Parent process: S0FTWARE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Vidar
PID 6664, process BitLockerToGo.exe
C2: https://t.me/edm0d
URL: https://steamcommunity.com/profiles/
RC4: 0123456789ABCDEF
PID: 7040
CMD: "C:\Users\admin\Desktop\S0FTWARE.exe"
Path: C:\Users\admin\Desktop\S0FTWARE.exe
Parent process: explorer.exe
User:
admin
Company:
S0FTWARE Software Limited
Integrity Level:
MEDIUM
Description:
S0FTWARE Setup
Exit code:
666
Version:
2.1.005.0
Modules
Images
c:\users\admin\desktop\s0ftware.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
Vidar
PID 7040, process S0FTWARE.exe
C2: https://t.me/edm0d
URL: https://steamcommunity.com/profiles/
RC4: 0123456789ABCDEF
Total events: 5 222
Read events: 5 218
Write events: 4
Delete events: 0

Modification events

PID 6664, process BitLockerToGo.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

PID 6664, process BitLockerToGo.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 6664, process BitLockerToGo.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 6664, process BitLockerToGo.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214EF-0000-0000-C000-000000000046} 0xFFFF
Value: 010000000000000037CD6F488E00DB01

Executable files: 0
Suspicious files: 14
Text files: 97
Unknown types: 0

Dropped files

PID: 6664
Process: BitLockerToGo.exe
Filename: C:\Users\admin\AppData\Local\Temp\delays.tmp
Type: text
MD5: E01FA1B788386D6B1B9AC1FE31958942
SHA256: 1EF085E2888272F5D3D54CC785227E32E02797FDE1757920D3CA01D4FDD5B937
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 26
DNS requests: 6
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
7008 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4276 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6664 | BitLockerToGo.exe | POST | 200 | 45.132.206.251:80 | http://gacan.zapto.org/ | unknown | - | - | unknown
6664 | BitLockerToGo.exe | GET | 200 | 149.154.167.99:443 | https://t.me/edm0d | unknown | html | 11.9 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4276 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7008 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7008 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4276 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7008 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.184.206 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
t.me | 149.154.167.99 | whitelisted
gacan.zapto.org | 45.132.206.251 | unknown

Threats

PID | Process | Class | Message
6664 | BitLockerToGo.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
6664 | BitLockerToGo.exe | A Network Trojan was detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
6664 | BitLockerToGo.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
6664 | BitLockerToGo.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2256 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.zapto .org
6664 | BitLockerToGo.exe | Potentially Bad Traffic | ET INFO HTTP Connection To DDNS Domain Zapto.org
6664 | BitLockerToGo.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.zapto .org Domain
6664 | BitLockerToGo.exe | A Network Trojan was detected | STEALER [ANY.RUN] Win32/Stealc/Vidar Stealer Check-in & Exfil (POST)
6664 | BitLockerToGo.exe | A Network Trojan was detected | ET MALWARE Vidar Stealer Form Exfil
6664 | BitLockerToGo.exe | Malware Command and Control Activity Detected | SUSPICIOUS [ANY.RUN] Dead Drop Resolver (DDR) inside Telegram Contact
No debug info