File name:

IB2405 (13).exe

Full analysis: https://app.any.run/tasks/8244095d-4e76-40c2-9804-3f8b1a9f03ed
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 06:51:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
stealer
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

1158D5FDF98D6F138B70D2270E1ECC63

SHA1:

5FA281DFA34BD3D3E54AFF2643B6F00BAFC113A1

SHA256:

A0BFBB40F4B6E6FA275B693205C67E338657C7589AF5415716500A0B2F588473

SSDEEP:

98304:GGdEHCKPei/tZoO6rXrOP0aJFa0PGMv+Qa3UaxBvy258n5Ff4:46rqy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • IB2405 (13).exe (PID: 1012)

  • SUSPICIOUS

    • Connects to unusual port

      • IB2405 (13).exe (PID: 1012)

    • There is functionality for communication over UDP network (YARA)

      • IB2405 (13).exe (PID: 1012)

    • There is functionality for taking screenshot (YARA)

      • IB2405 (13).exe (PID: 1012)

    • Checks for external IP

      • IB2405 (13).exe (PID: 1012)
      • svchost.exe (PID: 2196)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 2384)

  • INFO

    • Checks proxy server information

      • IB2405 (13).exe (PID: 1012)
      • slui.exe (PID: 4380)

    • Checks supported languages

      • IB2405 (13).exe (PID: 1012)
      • ShellExperienceHost.exe (PID: 2384)

    • Reads the computer name

      • IB2405 (13).exe (PID: 1012)
      • ShellExperienceHost.exe (PID: 2384)

    • Reads the software policy settings

      • IB2405 (13).exe (PID: 1012)
      • slui.exe (PID: 4380)

    • Compiled with Borland Delphi (YARA)

      • IB2405 (13).exe (PID: 1012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (83)
.exe | Win32 Executable (generic) (9)
.exe | Generic Win/DOS Executable (3.9)
.exe | DOS Executable Generic (3.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:24 04:01:28+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 3604992
InitializedDataSize: 91605504
UninitializedDataSize: -
EntryPoint: 0x371148
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 52734.3462.25666.8849
ProductVersionNumber: 52734.3462.25666.8849
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: CloudBridge Solutions 1174461 Inc.
FileDescription: Advanced Data Protection Management 1174461, 52734.3462.25666.8849, D270.
FileVersion: 52734.3462.25666.8849
InternalName: Secacess256458861174461.exe
LegalCopyright: Copyright (C) CloudBridge Solutions 1174461 Inc. 2005. All rights reserved.
OriginalFileName: Secacess256458861174461.exe
ProgramID: Advanced Data Protection Management 1174461, 52734.3462.25666.8849, D270.
ProductName: SmartSync Hub, 52734.3462.25666.8849, D270.
ProductVersion: 52734.3462.25666.8849
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ib2405 (13).exe svchost.exe shellexperiencehost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1012"C:\Users\admin\AppData\Local\Temp\IB2405 (13).exe" C:\Users\admin\AppData\Local\Temp\IB2405 (13).exe
explorer.exe
User:
admin
Company:
CloudBridge Solutions 1174461 Inc.
Integrity Level:
MEDIUM
Description:
Advanced Data Protection Management 1174461, 52734.3462.25666.8849, D270.
Exit code:
0
Version:
52734.3462.25666.8849
Modules
Images
c:\users\admin\appdata\local\temp\ib2405 (13).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2384"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll
4380C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 141
Read events
3 139
Write events
2
Delete events
0

Modification events

(PID) Process:(2384) ShellExperienceHost.exeKey:\REGISTRY\A\{319933b8-a4a3-bf2c-98c4-df388685d49e}\LocalState
Operation:writeName:PeekBadges
Value:
5B005D00000022661885529DDB01
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
34
DNS requests
18
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1012
IB2405 (13).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
1012
IB2405 (13).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
1012
IB2405 (13).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
1012
IB2405 (13).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
1012
IB2405 (13).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
1012
IB2405 (13).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.199.58.43:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
104.126.37.155:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
1012
IB2405 (13).exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.67
  • 20.190.160.4
  • 40.126.32.140
  • 40.126.32.133
  • 40.126.32.138
  • 20.190.160.5
  • 20.190.160.128
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
www.bing.com
  • 104.126.37.155
  • 104.126.37.179
  • 104.126.37.163
  • 104.126.37.177
  • 104.126.37.162
  • 104.126.37.160
  • 104.126.37.161
  • 104.126.37.178
  • 104.126.37.171
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
dns.google
  • 8.8.4.4
  • 8.8.8.8
whitelisted

Threats

PID
Process
Class
Message
1012
IB2405 (13).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
1012
IB2405 (13).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
1012
IB2405 (13).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
1012
IB2405 (13).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
1012
IB2405 (13).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
1012
IB2405 (13).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
1012
IB2405 (13).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
1012
IB2405 (13).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IB2405 (13).exe