File name:

Transaction .exe

Full analysis: https://app.any.run/tasks/5f6e1460-3e0e-42d7-b0d1-7a1ba074efb5
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: October 05, 2023, 15:28:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
formbook
xloader
stealer
spyware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

5760C3D839F1444175BDD379C2CF7495

SHA1:

D365BC5D708A69D0992E16209EBE0533B41FF4C2

SHA256:

7DA9294BA554D4C17ED9E4CAAC9836E303980814C7898B422CCDE7A246AC26A5

SSDEEP:

12288:qqzzTE1CHNQgnDjC+brd+lzx38Qh6BvNQt0kx:hzzTE1CHNQgnDjC+brd+r3zh6BvNQtrx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rqaij.exe (PID: 572)
      • rqaij.exe (PID: 416)

    • Drops the executable file immediately after the start

      • Transaction .exe (PID: 2964)

    • Connects to the CnC server

      • explorer.exe (PID: 1944)

    • FORMBOOK has been detected (YARA)

      • wlanext.exe (PID: 1452)

    • FORMBOOK was detected

      • explorer.exe (PID: 1944)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • wlanext.exe (PID: 1452)

    • Application launched itself

      • rqaij.exe (PID: 572)

  • INFO

    • Checks supported languages

      • Transaction .exe (PID: 2964)
      • rqaij.exe (PID: 572)
      • rqaij.exe (PID: 416)

    • Reads the computer name

      • Transaction .exe (PID: 2964)
      • rqaij.exe (PID: 416)

    • Create files in a temporary directory

      • Transaction .exe (PID: 2964)

    • Manual execution by a user

      • wlanext.exe (PID: 1452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(1452) wlanext.exe
C2www.zachmahl.com/sn26/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)resenha10.bet
gulshan-rajput.com
xbus.tech
z813my.cfd
wlxzjlny.cfd
auntengotiempo.com
canada-reservation.com
thegiftcompany.shop
esthersilveirapropiedades.com
1wapws.top
ymjblnvo.cfd
termokimik.net
kushiro-artist-school.com
bmmboo.com
caceresconstructionservices.com
kentuckywalkabout.com
bringyourcart.com
miamiwinetour.com
bobcatsocial.site
thirdmind.network
4tbbwa.com
rhinosecurellc.net
rdparadise.com
radpm.xyz
thewhiteorchidspa.com
clhynfco.cfd
ngohcvja.cfd
woodennickelcandles.com
gg18rb.cfd
qcdrxwr.cfd
974dp.com
lagardere-vivendi-corp.net
chestnutmaretraining.com
seosjekk.online
ahevrlh.xyz
uedam.xyz
natrada.love
yoywvfw.top
unifiedtradingjapan.com
chinakaldi.com
agenciacolmeiadigital.com
wdlzzfkc.cfd
097850.com
xingcansy.com
uahrbqtj.cfd
charliehaywood.com
witheres.shop
sqiyvdrx.cfd
biopfizer.com
tiktokviewer.com
prftwgmw.cfd
sfsdnwpf.cfd
linkboladewahub.xyz
orvados.com
goodshepherdopcesva.com
christianlovewv.com
cdicontrols.com
hawskio26.click
ownlegalhelp.com
tiydmdzp.cfd
ppirr.biz
stonyatrick.com
itsamazingbarley.com
msjbaddf.cfd
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 04:09:39+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x34fc
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
6
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start transaction .exe no specs rqaij.exe no specs rqaij.exe no specs #FORMBOOK wlanext.exe no specs cmd.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
416"C:\Users\admin\AppData\Local\Temp\rqaij.exe"C:\Users\admin\AppData\Local\Temp\rqaij.exerqaij.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rqaij.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
572"C:\Users\admin\AppData\Local\Temp\rqaij.exe" C:\Users\admin\AppData\Local\Temp\rqaij.exeTransaction .exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rqaij.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1452"C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Wireless LAN 802.11 Extensibility Framework
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\wlanext.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Formbook
(PID) Process(1452) wlanext.exe
C2www.zachmahl.com/sn26/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)resenha10.bet
gulshan-rajput.com
xbus.tech
z813my.cfd
wlxzjlny.cfd
auntengotiempo.com
canada-reservation.com
thegiftcompany.shop
esthersilveirapropiedades.com
1wapws.top
ymjblnvo.cfd
termokimik.net
kushiro-artist-school.com
bmmboo.com
caceresconstructionservices.com
kentuckywalkabout.com
bringyourcart.com
miamiwinetour.com
bobcatsocial.site
thirdmind.network
4tbbwa.com
rhinosecurellc.net
rdparadise.com
radpm.xyz
thewhiteorchidspa.com
clhynfco.cfd
ngohcvja.cfd
woodennickelcandles.com
gg18rb.cfd
qcdrxwr.cfd
974dp.com
lagardere-vivendi-corp.net
chestnutmaretraining.com
seosjekk.online
ahevrlh.xyz
uedam.xyz
natrada.love
yoywvfw.top
unifiedtradingjapan.com
chinakaldi.com
agenciacolmeiadigital.com
wdlzzfkc.cfd
097850.com
xingcansy.com
uahrbqtj.cfd
charliehaywood.com
witheres.shop
sqiyvdrx.cfd
biopfizer.com
tiktokviewer.com
prftwgmw.cfd
sfsdnwpf.cfd
linkboladewahub.xyz
orvados.com
goodshepherdopcesva.com
christianlovewv.com
cdicontrols.com
hawskio26.click
ownlegalhelp.com
tiydmdzp.cfd
ppirr.biz
stonyatrick.com
itsamazingbarley.com
msjbaddf.cfd
1944C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2764/c del "C:\Users\admin\AppData\Local\Temp\rqaij.exe"C:\Windows\SysWOW64\cmd.exewlanext.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\cmd.exe
c:\windows\system32\wow64win.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernelbase.dll
2964"C:\Users\admin\AppData\Local\Temp\Transaction .exe" C:\Users\admin\AppData\Local\Temp\Transaction .exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\transaction .exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\rpcrt4.dll
Total events
741
Read events
736
Write events
5
Delete events
0

Modification events

(PID) Process:(1944) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:(1944) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2964Transaction .exeC:\Users\admin\AppData\Local\Temp\qnbqnoovem.ybinary
MD5:51736AF1D953A0CAE38EF33385F45372
SHA256:14C3B5A6E99F4CF87686D7AB8770350C1794C47E6FA1EEB362CE53E9BD25773A
2964Transaction .exeC:\Users\admin\AppData\Local\Temp\rqaij.exeexecutable
MD5:9FAD3CD00C8DEE4BB877F0F1FBB8DC84
SHA256:70C0EF97DB97E10004D5B57CB0A26F02AAD81CF0BBEF8E06F8557ACABCA625EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
10
DNS requests
5
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1944
explorer.exe
GET
301
104.18.8.146:80
http://www.natrada.love/sn26/?6l=WpWHuZZlT9/ICGf7uQUtDbzxa6wIoMhJXj/XjLXBDMejdbk9sZnmjYw4Wb7XAWEHqhB4KA==&EZW47L=2dnTgtux9Lyx
unknown
unknown
1944
explorer.exe
GET
403
3.33.130.190:80
http://www.woodennickelcandles.com/sn26/?6l=U/urBRR8La7wmInyY0cNVqEjktmtxjJ0t/arTx8id04Vq5zFezvNT1/DWb94/CxF/EI2Iw==&EZW47L=2dnTgtux9Lyx
unknown
html
291 b
unknown
1944
explorer.exe
GET
403
3.33.130.190:80
http://www.auntengotiempo.com/sn26/?6l=fGyXT8jtM7Km0N5jrAcCMXpRuh5LL99qegLjiblS4PzTsIUoRiP3N2idUB86uyqJ4bFCOA==&EZW47L=2dnTgtux9Lyx
unknown
html
150 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
324
svchost.exe
224.0.0.252:5355
unknown
1956
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
whitelisted
1944
explorer.exe
3.33.130.190:80
www.woodennickelcandles.com
AMAZON-02
US
unknown
1944
explorer.exe
104.18.8.146:80
www.natrada.love
CLOUDFLARENET
unknown
1944
explorer.exe
160.121.10.129:80
www.esthersilveirapropiedades.com
Clayer Limited
US
unknown

DNS requests

Domain
IP
Reputation
www.woodennickelcandles.com
  • 3.33.130.190
  • 15.197.148.33
unknown
www.natrada.love
  • 104.18.8.146
unknown
www.auntengotiempo.com
  • 3.33.130.190
  • 15.197.148.33
unknown
www.esthersilveirapropiedades.com
  • 160.121.10.129
unknown

Threats

PID
Process
Class
Message
1944
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Transaction .exe