File name:	capcut
Full analysis:	https://app.any.run/tasks/a1731f67-4476-4ef0-bbef-ed1dabf48909
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	April 10, 2025, 23:22:03
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader telegram vidar stealer stealc
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	5E9250C77F4E3E9C0707A3D932C8ABDF
SHA1:	180BFAD601C3588662DCA44A7D9B401A0437E400
SHA256:	A19F4208549BD5143CA6FBC8A7049B5FE86D971784B7A7963B36D91368F80C27
SSDEEP:	96:AOgp3PsPuPuPgsPkQPoPdPgPZPZLkh+FWJmRq8WjQw:AOgp3PsPuPuPgsPkQPoPdPgPZPZLkh+Q


(PID) Process:	(1164) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1164) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1164) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1072) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(1072) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(1072) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(1072) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(1072) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(1072) chrome.exe	Key:	HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry
Operation:	write	Name:	TraceTimeLast
Value: FD8D8C856FAADB01
(PID) Process:	(8088) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0

PID	Process	Filename		Type
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF1192f6.TMP		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF119306.TMP		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF119306.TMP		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF119306.TMP		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF119306.TMP		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old		—
		MD5:—	SHA256:—
1072	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
7928	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	4.175.87.197:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—
—	—	GET	200	104.219.248.46:443	https://ravenfootballclub.com/wp-content/crypted.exe	unknown	executable	799 Kb	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5256	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.5:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7380	powershell.exe	104.219.248.46:443	ravenfootballclub.com	NAMECHEAP-NET	US	unknown
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
login.live.com	20.190.160.5 20.190.160.14 40.126.32.74 20.190.160.130 20.190.160.20 20.190.160.2 20.190.160.67 20.190.160.132	whitelisted
ravenfootballclub.com	104.219.248.46	malicious
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
t.me	149.154.167.99	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET HUNTING Download Request Containing Suspicious Filename - Crypted
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	A Network Trojan was detected	ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
—	—	Misc activity	ET INFO Packed Executable Download
1164	MSBuild.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
—	—	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

General Info

capcut

5E9250C77F4E3E9C0707A3D932C8ABDF

180BFAD601C3588662DCA44A7D9B401A0437E400

A19F4208549BD5143CA6FBC8A7049B5FE86D971784B7A7963B36D91368F80C27

96:AOgp3PsPuPuPgsPkQPoPdPgPZPZLkh+FWJmRq8WjQw:AOgp3PsPuPuPgsPkQPoPdPgPZPZLkh+Q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

VIDAR mutex has been found

VIDAR has been detected (YARA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Bypass execution policy to execute commands

SUSPICIOUS

Uses base64 encoding (POWERSHELL)

Reads security settings of Internet Explorer

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Process drops legitimate windows executable

Executable content was dropped or overwritten

Creates new GUID (POWERSHELL)

Multiple wallet extension IDs have been found

There is functionality for taking screenshot (YARA)

Searches for installed software

INFO

Checks supported languages

The executable file from the user directory is run by the Powershell process

Checks proxy server information

Reads the computer name

Reads the machine GUID from the registry

The sample compiled with english language support

Creates files in the program directory

Reads the software policy settings

Creates files or folders in the user directory

Checks if a key exists in the options dictionary (POWERSHELL)

Disables trace logs

Reads product name

Reads Environment values

Reads CPU info

Application launched itself

Manual execution by a user

Malware configuration

Vidar

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Vidar

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests