File name: ibackupbot_setup.exe

Full analysis: https://app.any.run/tasks/1b0ae434-3723-4b2a-acee-2e8865521b8d
Verdict: Malicious activity
Analysis date: November 20, 2023, 18:38:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 71E30C62EBF73026F691FC13E6EFEF3F
SHA1: BA6BEA548604EFF29B6B561EDC94BD82B5F60D01
SHA256: 8502916B646CF1D60DB2B418A01D9CBFA2FCD2DE66A31AD4B1BAB32D2F1807F7
SSDEEP: 98304:PjhHYfVUI0ViXju17CYweWfXHxouxKoRqmotd2nwmC6YamNtHK7XJ+Z3pcg1AlSD:GSeFeQ2kgh5b8wR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ibackupbot_setup.exe (PID: 2932)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • ibackupbot_setup.exe (PID: 2932)
    • Creates a software uninstall entry

      • ibackupbot_setup.exe (PID: 2932)
    • The process creates files with name similar to system file names

      • ibackupbot_setup.exe (PID: 2932)
  • INFO

    • Create files in a temporary directory

      • ibackupbot_setup.exe (PID: 2932)
    • Checks supported languages

      • ibackupbot_setup.exe (PID: 2932)
      • iBackupBot.exe (PID: 3480)
    • Reads the computer name

      • ibackupbot_setup.exe (PID: 2932)
    • Creates files in the program directory

      • ibackupbot_setup.exe (PID: 2932)
    • Creates files or folders in the user directory

      • iBackupBot.exe (PID: 3480)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:08:01 02:33:55+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 118784
UninitializedDataSize: 1024
EntryPoint: 0x330d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, ibackupbot_setup.exe, ibackupbot.exe (no specs), ibackupbot_setup.exe (no specs)

Process information

PID: 2932
CMD: "C:\Users\admin\AppData\Local\Temp\ibackupbot_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\ibackupbot_setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\ibackupbot_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3436
CMD: "C:\Users\admin\AppData\Local\Temp\ibackupbot_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\ibackupbot_setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules
Images
c:\users\admin\appdata\local\temp\ibackupbot_setup.exe
c:\windows\system32\ntdll.dll
PID: 3480
CMD: "C:\Program Files\VOW Software\iBackupBot for iPad iPhone\iBackupBot.exe"
Path: C:\Program Files\VOW Software\iBackupBot for iPad iPhone\iBackupBot.exe
Parent process: ibackupbot_setup.exe
User: admin
Company: VOW Software
Integrity Level: HIGH
Description: iBackupBot for iPad iPhone
Exit code: 0
Version: 5, 6, 1, 0
Modules
Images
c:\program files\vow software\ibackupbot for ipad iphone\ibackupbot.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 874
Read events: 873
Write events: 1
Delete events: 0

Modification events

(PID) Process: (2932) ibackupbot_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iBackupBot for Windows
Operation: write
Name: NSIS:StartMenuDir
Value: VOW Software
Executable files: 8
Suspicious files: 5
Text files: 137
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2932 | ibackupbot_setup.exe | C:\Users\admin\AppData\Local\Temp\nss7E5E.tmp\InstallOptions.dll | executable
MD5: 20F3184EFE7EDDDFEF3325EFC25D12A5
SHA256: 0E014352B64ABC431D97460D79757CBAFBF6BA997C08B608C294E1F582AF269A
2932 | ibackupbot_setup.exe | C:\Program Files\VOW Software\iBackupBot for iPad iPhone\iBackupBot-32.exe | executable
MD5: 39E031EC60253B0F7AAA3EB5ACE57DB3
SHA256: C70BFF562B8A232A5CE63CAC183E21AD6DAC624C6DA3AAA71843D041E8E73533
2932 | ibackupbot_setup.exe | C:\Users\admin\AppData\Local\Temp\nss7E5E.tmp\ioSpecial.ini | text
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
2932 | ibackupbot_setup.exe | C:\Users\admin\AppData\Local\Temp\nss7E5E.tmp\StartMenu.dll | executable
MD5: A09BCF528D02F89F9BEFA78937CA7D7B
SHA256: 5A31ABF36C0ED5E74295B7D7DB5A2B09D8AA308483612B7B0BC04771000AC8AD
2932 | ibackupbot_setup.exe | C:\Program Files\VOW Software\iBackupBot for iPad iPhone\iBackupBot.exe | executable
MD5: 39E031EC60253B0F7AAA3EB5ACE57DB3
SHA256: C70BFF562B8A232A5CE63CAC183E21AD6DAC624C6DA3AAA71843D041E8E73533
2932 | ibackupbot_setup.exe | C:\Program Files\VOW Software\iBackupBot for iPad iPhone\iBackupBot.app\Contents\Resources\images\Document.bmp | image
MD5: 2D80A7C8A90C3B885A3291A1D6E42E36
SHA256: D33C690864E07543D88C6F03796E7116AD5DEA6F04D9FC0BEF2E91374481AA26
2932 | ibackupbot_setup.exe | C:\Users\admin\AppData\Local\Temp\nss7E5E.tmp\LangDLL.dll | executable
MD5: EA60C7BD5EDD6048601729BD31362C16
SHA256: 4E72C8B4D36F128B25281440E59E39AF7EC2080D02E024F35AC413D769D91F39
2932 | ibackupbot_setup.exe | C:\Users\admin\AppData\Local\Temp\nss7E5E.tmp\System.dll | executable
MD5: 55A26D7800446F1373056064C64C3CE8
SHA256: 904FD5481D72F4E03B01A455F848DEDD095D0FB17E33608E0D849F5196FB6FF8
2932 | ibackupbot_setup.exe | C:\Program Files\VOW Software\iBackupBot for iPad iPhone\iBackupBot.app\Contents\Resources\images\Check.bmp | image
MD5: C4273C29E3078ACD3E8311BBB2214F86
SHA256: 4111DF19C6107C0EA7528ED0F34D62F3E099C0FA35235FA1FE4C9AF2138CD1FE
2932 | ibackupbot_setup.exe | C:\Program Files\VOW Software\iBackupBot for iPad iPhone\iBackupBot.app\Contents\Resources\images\CheckD.BMP | image
MD5: FA707862BB9EBD6C79B83A7A8C1BDC16
SHA256: 21A9065FC07C4656A5110766B3DF7F063AA6AE458318613EBD0C2E2FC89B991B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info