File name:

IB2405 (3).exe

Full analysis: https://app.any.run/tasks/2e05a7f2-a549-48ad-9553-972757489844
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 06:45:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
stealer
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

7EB5CB441E6651675E899077D4777B5C

SHA1:

57CD5F524DE1DAB5EF2F85F594A0C1E855D4497D

SHA256:

42EF95F21DC4EA3C610593F8CD9FC6364AA849ACF3FEF3B70D54F2BBEB7A382C

SSDEEP:

98304:KLCMZxicui7g+EIfePKrv0scbAE1/8EKUMKx1JRsBBnklFjv:Qa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • IB2405 (3).exe (PID: 7680)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • IB2405 (3).exe (PID: 7680)

    • Connects to unusual port

      • IB2405 (3).exe (PID: 7680)

    • There is functionality for communication over UDP network (YARA)

      • IB2405 (3).exe (PID: 7680)

    • There is functionality for taking screenshot (YARA)

      • IB2405 (3).exe (PID: 7680)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 7052)

  • INFO

    • Checks supported languages

      • IB2405 (3).exe (PID: 7680)
      • ShellExperienceHost.exe (PID: 7052)

    • The sample compiled with english language support

      • IB2405 (3).exe (PID: 7680)

    • Reads the computer name

      • IB2405 (3).exe (PID: 7680)
      • ShellExperienceHost.exe (PID: 7052)

    • Reads the software policy settings

      • IB2405 (3).exe (PID: 7680)
      • slui.exe (PID: 5324)

    • Compiled with Borland Delphi (YARA)

      • IB2405 (3).exe (PID: 7680)

    • Checks proxy server information

      • IB2405 (3).exe (PID: 7680)
      • slui.exe (PID: 5324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (83)
.exe | Win32 Executable (generic) (9)
.exe | Generic Win/DOS Executable (3.9)
.exe | DOS Executable Generic (3.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:24 04:11:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 3535360
InitializedDataSize: 91626496
UninitializedDataSize: -
EntryPoint: 0x36015c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 29350.35624.27786.46727
ProductVersionNumber: 29350.35624.27786.46727
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: CloudBridge Solutions 4772553 Inc.
FileDescription: Advanced Data Protection Management 4772553, 29350.35624.27786.46727, G703.
FileVersion: 29350.35624.27786.46727
InternalName: Secacess256458864772553.exe
LegalCopyright: Copyright (C) CloudBridge Solutions 4772553 Inc. 2014. All rights reserved.
OriginalFileName: Secacess256458864772553.exe
ProgramID: Advanced Data Protection Management 4772553, 29350.35624.27786.46727, G703.
ProductName: SmartSync Hub, 29350.35624.27786.46727, G703.
ProductVersion: 29350.35624.27786.46727
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ib2405 (3).exe svchost.exe slui.exe shellexperiencehost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5324C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7052"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
7680"C:\Users\admin\AppData\Local\Temp\IB2405 (3).exe" C:\Users\admin\AppData\Local\Temp\IB2405 (3).exe
explorer.exe
User:
admin
Company:
CloudBridge Solutions 4772553 Inc.
Integrity Level:
MEDIUM
Description:
Advanced Data Protection Management 4772553, 29350.35624.27786.46727, G703.
Exit code:
0
Version:
29350.35624.27786.46727
Modules
Images
c:\users\admin\appdata\local\temp\ib2405 (3).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Total events
3 154
Read events
3 152
Write events
2
Delete events
0

Modification events

(PID) Process:(7052) ShellExperienceHost.exeKey:\REGISTRY\A\{b92b3e5e-6501-b6ee-b6a2-952531fecc9f}\LocalState
Operation:writeName:PeekBadges
Value:
5B005D000000F4969EB6519DDB01
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
34
DNS requests
20
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
104.124.11.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7680
IB2405 (3).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
7680
IB2405 (3).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
7680
IB2405 (3).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
7680
IB2405 (3).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
7680
IB2405 (3).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
7680
IB2405 (3).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
104.124.11.17:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.105.99.58:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.122.31:443
www.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 104.124.11.17
  • 104.124.11.58
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.134
  • 20.190.160.66
  • 20.190.160.2
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
arc.msn.com
  • 20.105.99.58
whitelisted
www.bing.com
  • 2.19.122.31
  • 2.19.122.33
  • 2.19.122.36
  • 2.19.122.38
  • 2.19.122.41
  • 2.19.122.42
  • 2.19.122.32
  • 2.19.122.30
  • 2.19.122.40
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
dns.google
  • 8.8.8.8
  • 8.8.4.4
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7680
IB2405 (3).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
7680
IB2405 (3).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7680
IB2405 (3).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7680
IB2405 (3).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
7680
IB2405 (3).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
7680
IB2405 (3).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7680
IB2405 (3).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
7680
IB2405 (3).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IB2405 (3).exe