File name:

IB2405 (11).exe

Full analysis: https://app.any.run/tasks/00a95868-5253-42e3-91c1-e716cc9b33cf
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 06:38:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
stealer
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

2E5D27BF3FA55BC45693204648332725

SHA1:

7E68DB36C9F580BD518723DB88B1280CAAAA37D0

SHA256:

F4C7FB8AC578446E41722C236C3A123DCAC599A440C69E46595E01FC4F204F47

SSDEEP:

49152:I7ZE67CYDE2x8o7P6iMoGjxO/O5a26fLSa+CSa2zyiWZMLoszjTRArDkTf6NJ5pX:p67CYD9siMoD/O9zyiGMLosQ6B8WFf0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • IB2405 (11).exe (PID: 4988)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • IB2405 (11).exe (PID: 4988)

    • There is functionality for communication over UDP network (YARA)

      • IB2405 (11).exe (PID: 4988)

    • There is functionality for taking screenshot (YARA)

      • IB2405 (11).exe (PID: 4988)

    • Connects to unusual port

      • IB2405 (11).exe (PID: 4988)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 6752)

  • INFO

    • Checks supported languages

      • IB2405 (11).exe (PID: 4988)
      • ShellExperienceHost.exe (PID: 6752)

    • Checks proxy server information

      • IB2405 (11).exe (PID: 4988)
      • slui.exe (PID: 5800)

    • Reads the computer name

      • IB2405 (11).exe (PID: 4988)
      • ShellExperienceHost.exe (PID: 6752)

    • Reads the software policy settings

      • IB2405 (11).exe (PID: 4988)
      • slui.exe (PID: 5800)

    • Compiled with Borland Delphi (YARA)

      • IB2405 (11).exe (PID: 4988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (83)
.exe | Win32 Executable (generic) (9)
.exe | Generic Win/DOS Executable (3.9)
.exe | DOS Executable Generic (3.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:24 04:05:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 3408384
InitializedDataSize: 91547136
UninitializedDataSize: -
EntryPoint: 0x341bbc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 41957.13101.245.47892
ProductVersionNumber: 41957.13101.245.47892
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: CloudBridge Solutions 798462 Inc.
FileDescription: Advanced Data Protection Management 798462, 41957.13101.245.47892, O276.
FileVersion: 41957.13101.245.47892
InternalName: Secacess25645886798462.exe
LegalCopyright: Copyright (C) CloudBridge Solutions 798462 Inc. 2017. All rights reserved.
OriginalFileName: Secacess25645886798462.exe
ProgramID: Advanced Data Protection Management 798462, 41957.13101.245.47892, O276.
ProductName: SmartSync Hub, 41957.13101.245.47892, O276.
ProductVersion: 41957.13101.245.47892
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ib2405 (11).exe svchost.exe shellexperiencehost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4988"C:\Users\admin\AppData\Local\Temp\IB2405 (11).exe" C:\Users\admin\AppData\Local\Temp\IB2405 (11).exe
explorer.exe
User:
admin
Company:
CloudBridge Solutions 798462 Inc.
Integrity Level:
MEDIUM
Description:
Advanced Data Protection Management 798462, 41957.13101.245.47892, O276.
Exit code:
0
Version:
41957.13101.245.47892
Modules
Images
c:\users\admin\appdata\local\temp\ib2405 (11).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
5800C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6752"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
Total events
3 148
Read events
3 146
Write events
2
Delete events
0

Modification events

(PID) Process:(6752) ShellExperienceHost.exeKey:\REGISTRY\A\{6561ae9a-f727-2be0-7e4f-746353968850}\LocalState
Operation:writeName:PeekBadges
Value:
5B005D000000A0EF26B9509DDB01
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
33
DNS requests
19
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4988
IB2405 (11).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
4988
IB2405 (11).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4988
IB2405 (11).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
4988
IB2405 (11).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
4988
IB2405 (11).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6048
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.223.36.55:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.185:443
www.bing.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.42
whitelisted
login.live.com
  • 20.190.160.66
  • 40.126.32.76
  • 40.126.32.138
  • 20.190.160.5
  • 20.190.160.130
  • 20.190.160.2
  • 20.190.160.67
  • 20.190.160.128
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
www.bing.com
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.171
  • 104.126.37.170
  • 104.126.37.131
  • 104.126.37.128
  • 104.126.37.123
  • 104.126.37.177
  • 104.126.37.130
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
dns.google
  • 8.8.4.4
  • 8.8.8.8
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
4988
IB2405 (11).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
4988
IB2405 (11).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
4988
IB2405 (11).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4988
IB2405 (11).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
4988
IB2405 (11).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
4988
IB2405 (11).exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
4988
IB2405 (11).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
4988
IB2405 (11).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IB2405 (11).exe