File name:	9d79fa9eb281db34a0bcbdb9b7025a9c.exe
Full analysis:	https://app.any.run/tasks/333dac92-c789-4e60-910c-46fdc92d85fe
Verdict:	Malicious activity
Threats:	Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 16:53:40
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	telegram stealer stealc vidar themida
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	9D79FA9EB281DB34A0BCBDB9B7025A9C
SHA1:	1618E6C9AD3EEFEC3814DDCCCCF79CCE66E65C78
SHA256:	EE5E631FB44E9E3ABCEA9E0C4EE192475DF976D0A049375AEFD79A3513FA8F43
SSDEEP:	49152:Ll8ByHkyQAavX16zSRKxXtR45xrpIAiNTgmGbU3QecPX+/lrIFOhnmjfSoe1kEXC:LoyHwAaf16zSEXtkKCbBecPO/lrIFYxz

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:02:24 04:48:01+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	115200
InitializedDataSize:	25600
UninitializedDataSize:	-
EntryPoint:	0x457000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(5800) 9d79fa9eb281db34a0bcbdb9b7025a9c.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5800) 9d79fa9eb281db34a0bcbdb9b7025a9c.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5800) 9d79fa9eb281db34a0bcbdb9b7025a9c.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
5800	9d79fa9eb281db34a0bcbdb9b7025a9c.exe	C:\ProgramData\d2dba\mohlx4		text
		MD5:2C99A16AED3906D92FFE3EF1808E2753	SHA256:08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	167.235.59.196:443	https://x.p.formaxprime.co.uk/	unknown	—	—	—
2104	svchost.exe	GET	200	23.48.23.164:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	167.235.59.196:443	https://x.p.formaxprime.co.uk/	unknown	text	58 b	malicious
—	—	POST	200	20.190.160.20:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	GET	200	149.154.167.99:443	https://t.me/g_etcontent	unknown	html	12.1 Kb	whitelisted
—	—	POST	400	40.126.31.0:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	—	—	whitelisted
—	—	POST	200	167.235.59.196:443	https://x.p.formaxprime.co.uk/	unknown	text	2 b	malicious
—	—	POST	200	167.235.59.196:443	https://x.p.formaxprime.co.uk/	unknown	text	2.13 Kb	malicious
—	—	POST	200	20.190.160.22:443	https://login.live.com/RST2.srf	unknown	xml	1.35 Kb	whitelisted
—	—	POST	400	40.126.31.69:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5800	9d79fa9eb281db34a0bcbdb9b7025a9c.exe	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	whitelisted
2104	svchost.exe	23.48.23.164:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3216	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5800	9d79fa9eb281db34a0bcbdb9b7025a9c.exe	167.235.59.196:443	x.p.formaxprime.co.uk	Hetzner Online GmbH	DE	unknown
6544	svchost.exe	20.190.160.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
google.com	216.58.212.174	whitelisted
t.me	149.154.167.99	whitelisted
crl.microsoft.com	23.48.23.164 23.48.23.156 23.48.23.155 23.48.23.163 23.48.23.153 23.48.23.160 23.48.23.151 23.48.23.159 23.48.23.162 23.48.23.191 23.48.23.190 23.48.23.181 23.48.23.134 23.48.23.137 23.48.23.193 23.48.23.194 23.48.23.185 23.48.23.192	whitelisted
client.wns.windows.com	40.113.103.199 40.115.3.253	whitelisted
x.p.formaxprime.co.uk	167.235.59.196	malicious
login.live.com	20.190.160.2 40.126.32.133 20.190.160.131 40.126.32.72 40.126.32.134 20.190.160.67 20.190.160.20 40.126.32.140	whitelisted
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
www.microsoft.com	184.30.21.171	whitelisted

PID	Process	Class	Message
5800	9d79fa9eb281db34a0bcbdb9b7025a9c.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
—	—	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

General Info

9d79fa9eb281db34a0bcbdb9b7025a9c.exe

9D79FA9EB281DB34A0BCBDB9B7025A9C

1618E6C9AD3EEFEC3814DDCCCCF79CCE66E65C78

EE5E631FB44E9E3ABCEA9E0C4EE192475DF976D0A049375AEFD79A3513FA8F43

49152:Ll8ByHkyQAavX16zSRKxXtR45xrpIAiNTgmGbU3QecPX+/lrIFOhnmjfSoe1kEXC:LoyHwAaf16zSEXtkKCbBecPO/lrIFYxz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

VIDAR mutex has been found

Actions looks like stealing of personal data

VIDAR has been detected (YARA)

Steals credentials from Web Browsers

SUSPICIOUS

Reads the BIOS version

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Reads security settings of Internet Explorer

Multiple wallet extension IDs have been found

Searches for installed software

INFO

Creates files in the program directory

Creates files or folders in the user directory

Reads the computer name

Checks proxy server information

Checks supported languages

Reads the software policy settings

Reads Environment values

Reads the machine GUID from the registry

Reads CPU info

Reads product name

Themida protector has been detected

Malware configuration

Vidar

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

Vidar

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings